Configure security for the initial node cli #74868
Conversation
albertzaharovits
added
>enhancement
:Security/Security
|
I was under the impression as-per our dicussion that we didn't want to go down the path of modifying user provided config files. I'm still of the opinion this is not something we want to do. |
mark-vieira
added
the
:Delivery/Packaging
|
For posterity here are my main concerns regarding having Elasticsearch potentially modify configuration files that are intended to be provided by users:
IMO these are not esoteric uses cases. Folks will encounter this scenario. What is our fallback if the config file isn't writable? How do we handle cases where the changes are overwritten? |
|
Thanks for your comments Mark!
If you are referring to a discussion in slack a couple of weeks back, there was no decision made during that brief discussion. The concerns that were raised were further discussed within the project and while we acknowledge them, we decided to move forward with the original approach as we think that we can mitigate the concerns and there was no alternative raised that was considered equivalent or better in order to satisfy the project goals and requirements. There was an action item in this discussion to go back to the folks that raised concerns, explain our reasoning and decision, along with the mitigations we think of. We failed to assign an owner for this and it fell through the cracks, apologies for this. This would probably be me, so allow me to address the ones you bring up here, happy to continue the discussion in another medium/forum if this is more helpful.
We would write to the elasticsearch.yml only the first time a new node starts, and iff the node is not configured already. If
see above.
We will not modify elasticsearch.yml in this case. We expect that anyone deploying elasticsearch via CM, will be responsible to configure security themselves and not depend on us auto-configuring security for them. Even if that would be the case, our auto-configuration would only kick in the first time a node is brought up, so subsequent edits to the yml file by CM would persist and there would be no "round and round"
ECK, ECE, ESS, and anything that has orchestration is out of scope for the security on by default project. We will not be attempting to auto-confiure security in these cases, there are better ways ( said orchestration ) to achieve that. |
No worries, that's what pull request reviews are for 😉
How will we determine this? We can't really reliable know how ES is being deployed other than the packaging type. In the case where folks don't configure security for whatever reason I suppose it'll just be as you say, where we update the file on the first go, and then it'll get subsequently overwritten. I still contend that's a bit of an awkward behavior, as if I'm creating a new ES deployment and naively don't setup security, it'll come up iniitally with security enabled and then later be disbled again.
I wasn't referring to our own orchestration solutions, just more generally, anyone deploying ES on k8s themselves. I suppose this is just another extension of the read-only case where we simply press on w/o enabling security? |
|
FYI, I've added @pugnascotia as a reviewer for this since it touches startup scripts we'll want packaging tests for the scenarios described above (config is read-only, config is subsequently overwritten, etc). |
We can work on our heuristics on what doesn't trigger the auto-configuration but I assume we can never be 100% sure there is no (ab)use case we did not cover. There is
My answer still applies, for other orchestration solutions. We press on without auto-configuring TLS and creating an |
jkakavas
left a comment
jkakavas
left a comment
There was a problem hiding this comment.
LGTM. I added some comments for consideration but I'm happy for this to be merged as a CLI tool to get folks try it out in alpha and do subsequent review rounds when we introduce the changes to make this part of the startup of the node
| private static final int HTTP_CERTIFICATE_DAYS = 2 * 365; | ||
| private static final int HTTP_KEY_SIZE = 4096; | ||
|
|
||
| private final OptionSpec<Void> strictOption = parser.accepts("strict", "Error if auto config cannot be performed for any reason"); |
There was a problem hiding this comment.
I'm torn on whether we need this. I think the user base we're targeting with this change will not know/want to set it, but the change is minimal and with no added complexity so +1 to keep it. Did you think of other cases where this would be helpful too?
...lugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/ConfigInitialNode.java
Outdated
Show resolved
Hide resolved
| return "Enter password for the elasticsearch keystore : "; | ||
| } | ||
|
|
||
| Terminal.Verbosity expectedNoopVerbosityLevel() { |
There was a problem hiding this comment.
why do we need this two, especially when the both return NORMAL ?
| throw new UserException(ExitCodes.CONFIG, null); | ||
| } | ||
| // If the node's yml configuration is not readable, most probably auto-configuration isn't run under the suitable user | ||
| if (false == Files.isReadable(ymlPath)) { |
There was a problem hiding this comment.
Why do we do this as an extra check and not as and additional or clause above ?
There was a problem hiding this comment.
Different exit codes, but maybe the distinction is not important here.
| // but clients (configured manually, outside of the enrollment process) might indeed need it and | ||
| // it is impossible to use the keystore because it is password protected because it contains the key | ||
| try { | ||
| fullyWriteFile(instantAutoConfigDir, HTTP_AUTOGENERATED_CA_NAME + ".crt", false, stream -> { |
There was a problem hiding this comment.
It probably makes sense to make this world readable as it might be used by any process (that isn't necessarily run by the same user that runs elatsticsearch )
| // the HTTP CA PEM file is provided "just in case", the node configuration doesn't use it | ||
| // but clients (configured manually, outside of the enrollment process) might indeed need it and | ||
| // it is impossible to use the keystore because it is password protected because it contains the key | ||
| try { |
There was a problem hiding this comment.
nit: Can we move writing all files under the same block ?
...lugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/ConfigInitialNode.java
Show resolved
Hide resolved
|
@elasticmachine update branch |
elasticmachine
added
Team:Delivery
|
Pinging @elastic/es-delivery (Team:Delivery) |
|
Pinging @elastic/es-security (Team:Security) |
albertzaharovits
changed the title
albertzaharovits
changed the title
…ck/security/cli/ConfigInitialNode.java Co-authored-by: Ioannis Kakavas <[email protected]>
| bw.write(String.format(Locale.ROOT, "# %-79s #", autoConfigDate)); | ||
| // TODO add link to docs | ||
| bw.newLine(); | ||
| bw.write("###################################################################################"); |
There was a problem hiding this comment.
Don't we want to put an instruction here on how to recover (remove this section and enroll the node) if a new cluster was mistakenly configured instead of joining an existing one?
BigPandaToo
left a comment
BigPandaToo
left a comment
There was a problem hiding this comment.
I added a comment about adding more information/recovery documentation into the yml, but it can be added later I think
|
@pugnascotia @mark-vieira we decided to repurposed this PR so instead of hooking security auto configuration into the node startup it is now a separate cmd line tool. We still want to have it hooked at node startup (and package installation), but I was unable to test it properly (packaging tests are no joke) in time for the 8 alpha release. |
|
Do we not plan to add any unit tests for |
This introduces a new cmd line tool that generates the security configuration for a new node in a new cluster (as opposed to joining an existing cluster). The security configuration consists of TLS key and certificates, which are stored in a directory inside the config path, as well as settings appended to the elasticsearch.yml referencing the aforementioned certs.
7 participants
When a new cluster node is started up for the first time, in v8, the startup script auto configures the node (mostly Security), by appending to its default yml file.
@jkakavas @BigPandaToo This PR does everything that we discussed.
We need to sync up with the broader team, then dovetail the other pieces (eg displaying the enrollment token).