Skip to content

Auto-configure the elastic user password #78306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
albertzaharovits merged 20 commits into from
Oct 5, 2021
Merged

Auto-configure the elastic user password #78306

albertzaharovits merged 20 commits into from
Oct 5, 2021

Conversation

@albertzaharovits
Copy link
Contributor

@albertzaharovits albertzaharovits commented Sep 27, 2021
edited
Loading

This adds a new way to specify the initial password for the elastic superuser.

This makes use of the new autoconfiguration.password_hash secure setting.
This setting contains the elastic user's password hash, which is used to validate
the elastic's credentials, as long as there are no other alternatives in the
.security index (either if the index does not exist, or if it does not contain
the document for the elastic user).
Still, the interesting thing, which sets this new setting apart from the bootstrap.password
existing one, is that upon a successful validation the hash is written back on the .security index.
Importantly, if the write fails, it results in a 500 or 503 error to the client, rather than a 401.
This has the result that all the other nodes will use the same elastic password from the index
from that point on.

This whole mechanism facilitates fixing the elastic user password, for a cluster, before its
nodes are started.

Replaces #77036
Co-Authored-By: Lyudmila Fokina [email protected]

@albertzaharovits albertzaharovits self-assigned this Sep 27, 2021
@BigPandaToo BigPandaToo self-requested a review September 27, 2021 09:40
@albertzaharovits
Copy link
Contributor Author

albertzaharovits commented Sep 28, 2021

@elasticmachine run elasticsearch-ci/part-2

albertzaharovits
albertzaharovits commented Sep 30, 2021
View reviewed changes
...in/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.java
if (e instanceof ElasticsearchAuthenticationProcessingError) {
return (ElasticsearchAuthenticationProcessingError) e;
}
return createAuthenticationError("error attempting to authenticate request", e, (Object[]) null);
Copy link
Contributor Author

@albertzaharovits albertzaharovits Sep 30, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only raising exceptions with a specific type (ElasticsearchAuthenticationProcessingError) AND while invoking the request processing error handler (and not any other handler), results in 500 or 503; anything else goes to 401 .

albertzaharovits
albertzaharovits commented Sep 30, 2021
View reviewed changes
...security/src/internalClusterTest/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java
protected SecureString getBootstrapPassword() {
return TEST_PASSWORD_SECURE_STRING;
}

Copy link
Contributor Author

@albertzaharovits albertzaharovits Sep 30, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need this in order to override to not set the bootstrap password.

albertzaharovits
albertzaharovits commented Sep 30, 2021
View reviewed changes
...in/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java

public ReservedRealm(Environment env, Settings settings, NativeUsersStore nativeUsersStore, AnonymousUser anonymousUser,
SecurityIndexManager securityIndex, ThreadPool threadPool) {
ThreadPool threadPool) {
Copy link
Contributor Author

@albertzaharovits albertzaharovits Sep 30, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accounting for if the security index exists is redundant because the native users store does it already.

@albertzaharovits albertzaharovits added >enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Sep 30, 2021
@albertzaharovits albertzaharovits marked this pull request as ready for review September 30, 2021 16:52
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Sep 30, 2021
@elasticmachine
Copy link
Collaborator

elasticmachine commented Sep 30, 2021

Pinging @elastic/es-security (Team:Security)

jkakavas
jkakavas approved these changes Sep 30, 2021
View reviewed changes
Copy link
Contributor

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is superb Albert. I like how clean ReservedRealm#doAuthenticate is and the diligence you put into testing. I verified manually too that this does work as advertised ( happy path ) and the test coverage for error cases makes me confident to merge. I'll wait for Lyudmila to share any thoughts are she has spent time on this too and has context from the previous PR, but LGTM from my side

jkakavas
jkakavas approved these changes Oct 2, 2021
View reviewed changes
Copy link
Contributor

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some testing nits

@albertzaharovits albertzaharovits added the :Security/FIPS Running ES in FIPS 140-2 mode label Oct 5, 2021
@albertzaharovits
Copy link
Contributor Author

albertzaharovits commented Oct 5, 2021

@elasticmachine test this please

@albertzaharovits albertzaharovits merged commit cfadab4 into elastic:master Oct 5, 2021
@albertzaharovits albertzaharovits deleted the set-auto-conf-password branch October 5, 2021 08:45
@albertzaharovits albertzaharovits mentioned this pull request Oct 5, 2021
Closed
This was referenced Oct 14, 2021
Merged
Closed
jkakavas added a commit that referenced this pull request Oct 15, 2021
@jkakavas
Security auto-configuration for packaged installations (#75144)
e3353c3 
This commit ensures that for packaged installations
we will run the auto-configuration code on installation (but not upgrade) time. 
This is needed because we expect elasticsearch to be run as a service. 
By the time the service runs, the configuration directory is not writable by the
user that runs elasticsearch so we can't  persist configuration and key/certificate
material on runtime. Running auto-configuration on installation time
allows us to print information to the user that they have better chance of seeing 
(barring unattended installations). We don't have the option to show output to the
user when starting the service with systemctl. 

During installation we:
- Generate TLS material, enable security and TLS and persist on disk
- Generate a password for the elastic user and store a hash of this 
in the elasticsearch.keystore. This will be picked up by the node
starting and will be "promoted" to be the cluster wide elastic
password on first startup. (see #78306 )
- We notify the user in the output of the package installation about
whether we succeed and what the password of the elastic user is.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkakavas jkakavas jkakavas approved these changes

@BigPandaToo BigPandaToo Awaiting requested review from BigPandaToo

Assignees

@albertzaharovits albertzaharovits

Labels

>enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) :Security/FIPS Running ES in FIPS 140-2 mode Team:Security Meta label for security team v8.0.0-beta1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@albertzaharovits @elasticmachine @jkakavas @jakelandis @elasticsearchmachine