Can we use encrypted password in opensearch.yml for plugins.security.ssl.transport.keystore_password #1549
Comments
I've asked something similar on the forums (no answers as of yet). To me it seems a trivial change to mark all the password settings in https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java#L319 as being I'm happy to push a PR for this, but not sure of the wider ramifications in doing so (it would be a breaking change for any upgrades, for example, but an alternative setting set could be introduced and the current ones logged as deprecated in the short term).
@chriswhite199 We'd love a pull request and could have discussion around a draft pull request of the change if you'd like. Your concern is justified; we wouldn't want to break existing customers on an upgrade. Adding a new secure setting that is used if available would be a good alternative.
@peternied - I've started something, but check the following approach so I don't go too far off course:

```java
// make current setting deprecated and enforce if secure config flag is set
final Setting<SecureString> deprecatedSslHttpKeystorePasswordSetting =
    SecureSetting.insecureString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD);

// new secure config, that can fall back to the legacy setting, assuming that the
// 'opensearch.allow_insecure_settings' property is set to true (this would still be a
// somewhat breaking change as it defaults to false)
// SECURITY_SSL_HTTP_KEYSTORE_PASSWORD_SECURE = "plugins.security.ssl.http.keystore_password_secure"
settings.add(SecureSetting.secureString(
    SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD_SECURE,
    deprecatedSslHttpKeystorePasswordSetting));
```

Then just need to update all references to SECURITY_SSL_HTTP_KEYSTORE_PASSWORD to use SECURITY_SSL_HTTP_KEYSTORE_PASSWORD_SECURE instead.
That looks like a good start.
* plugins.security.ssl.http.pemkey_password_secure
* plugins.security.ssl.http.keystore_password_secure
* plugins.security.ssl.http.keystore_keypassword_secure
* plugins.security.ssl.http.truststore_password_secure
* plugins.security.ssl.transport.pemkey_password_secure
* plugins.security.ssl.transport.server.pemkey_password_secure
* plugins.security.ssl.transport.client.pemkey_password_secure
* plugins.security.ssl.transport.keystore_password_secure
* plugins.security.ssl.transport.keystore_keypassword_secure
* plugins.security.ssl.transport.server.keystore_keypassword_secure
* plugins.security.ssl.transport.client.keystore_keypassword_secure
* plugins.security.ssl.transport.truststore_password_secure

resolves opensearch-project#1549

Signed-off-by: Chris White <chriswhite199@gmail.com>
Which version currently implements this feature?
Looks like this has been added but not documented; created an issue [1] for adding the documentation.
I am using keystore and truststore files to configure the security plug-in. But while configuring it we have to provide the keystore and truststore password in plain text format like below. Can we use these passwords in encrypted format?
I want to use an encrypted value of the password "changeit".
```yaml
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.keystore_type: pkcs12
plugins.security.ssl.transport.keystore_filepath: …/config/certs/my-keystore.p12
plugins.security.ssl.transport.keystore_password: changeit
plugins.security.ssl.transport.truststore_type: pkcs12
plugins.security.ssl.transport.truststore_filepath: …/config/certs/my-truststore.p12
plugins.security.ssl.transport.truststore_password: changeit
```
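As an added example (not code from the issue or from the OpenSearch project), the following POSIX shell script flags the plaintext `plugins.security.ssl.*password` keys quoted above and moves each value into the OpenSearch keystore under the `_secure` name the thread settles on. The `bin/opensearch-keystore add --stdin <name>` invocation and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or the OpenSearch project: find plaintext
# plugins.security.ssl.* passwords in opensearch.yml and move them into the
# OpenSearch keystore under the *_secure names proposed in the thread.
set -eu

# Print every "plugins.security.ssl.*password: <value>" line that still carries a
# plaintext value (commented-out lines are skipped). Returns 1 if any were found.
plaintext_password_keys() {
  if grep -E '^[[:space:]]*plugins\.security\.ssl\.[A-Za-z0-9_.]*password:[[:space:]]*[^[:space:]#]' "$1"; then
    return 1
  fi
  return 0
}

# Legacy key -> keystore-backed key, e.g. ...transport.keystore_password -> ..._password_secure
secure_setting_name() {
  printf '%s_secure\n' "$1"
}

# Store each plaintext value in the keystore, then drop the plaintext lines from the file.
# Assumes bin/opensearch-keystore with an "add --stdin <name>" mode (assumption, not from
# the issue); a different command can be passed as the second argument.
migrate_to_keystore() {
  yml="$1"; keystore_cmd="${2:-bin/opensearch-keystore}"
  plaintext_password_keys "$yml" | while IFS=': ' read -r key value; do
    printf '%s\n' "$value" | "$keystore_cmd" add --stdin "$(secure_setting_name "$key")"
  done
  # rewrite without the password lines (no .bak copy, so no plaintext is left behind)
  grep -vE '^[[:space:]]*plugins\.security\.ssl\.[A-Za-z0-9_.]*password:' "$yml" > "$yml.tmp" || true
  mv "$yml.tmp" "$yml"
}

# Constructed sample mirroring the config quoted in the issue (paths are placeholders).
SAMPLE_YML="$(mktemp)"
cat > "$SAMPLE_YML" <<'EOF'
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.keystore_type: pkcs12
plugins.security.ssl.transport.keystore_filepath: config/certs/my-keystore.p12
plugins.security.ssl.transport.keystore_password: changeit
plugins.security.ssl.transport.truststore_type: pkcs12
plugins.security.ssl.transport.truststore_filepath: config/certs/my-truststore.p12
plugins.security.ssl.transport.truststore_password: changeit
EOF
if plaintext_password_keys "$SAMPLE_YML"; then
  echo "no plaintext SSL passwords in $SAMPLE_YML"
else
  echo "plaintext SSL passwords found; run: migrate_to_keystore $SAMPLE_YML"
fi
```

After migration the node still needs `opensearch.allow_insecure_settings` only if any legacy plaintext key remains, which is exactly what `plaintext_password_keys` reports.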