-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE] Update password settings to utilize secure variants #334
Comments
@chriswhite199, it seems like for the I would suggest making a PR against common-utils main branch for the change to work with the new PR from security. Also is that security PR going to be backported to 2.x? If so, we will need to do the same for common-utils. |
@lezzago I can do that but there is a greater conversation around how we handle existing clusters and the use of insecure settings. Originally the PR over in security marked all the It was discussed that maybe we should log.WARN insecure usages rather than throw an exception, but there hasn't been much further discussion about that approach. The security PR has it's own InsecureStringSetting implementation to do the above, so that code would need to be copied here if that was the approach decided on. I'm happy to make whatever changes are suggested, but need some guidance on how to approach the issue of handling existing cluster setups that will be using 'insecure' passwords. One idea i'd like to float is a change to the opensearch base project, to update InsecureStringSetting to allow a flag to be passed at construction to log warn usage rather than throwing the exception. That way legacy settings can be log warned as deprecated for a release cycle and then eventually reverted back to throwing the exception when used in a later release cycle. Thoughts? |
security plugin PR opensearch-project/security#2296 added secure variants of the keystore and pemfile passwords resolves opensearch-project#334 Signed-off-by: Chris White <chriswhite199@gmail.com>
Related to changes being proposed in security-plugin PR:
The
src/main/java/org/opensearch/commons/rest/SecureRestClientBuilder.java
file assumes the HTTP Keystore password will be pulled from an insecure setting, as well as some Integration tests that set the insecure property.This ticket is intended for discussion on how to best proceed in common-utils, esp updating
SecureRestClientBuilder.java
if the previously mentioned PR were to be merged.Given a plugin that utilizes SecureRestClientBuilder, running on a cluster that uses the 'secure' variant of the
plugins.security.ssl.http.keystore_password_secure
setting, the password would not be correctly extracted from the settingsThe text was updated successfully, but these errors were encountered: