Adding capability to hot reload ssl certificates #238
Tests failed due to flakes -
Todo:
final X509Certificate[] transportKeystoreCerts = new X509Certificate[]{ PemKeyReader.loadCertificateFromFile(pemCertFilePath) }; | ||
|
||
validateNewTransportCerts(transportKeystoreCerts); | ||
setTransportSSLCerts(transportKeystoreCerts); |
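Review bot: transportKeystoreCerts is built as a one-element array from a single PemKeyReader.loadCertificateFromFile call, so if the PEM file holds the node certificate followed by its intermediate chain, only the first certificate reaches validateNewTransportCerts and setTransportSSLCerts and the chain served on the transport layer silently changes on reload; load every certificate in the file, or document that the reload path expects a leaf-only PEM and reject files containing more than one certificate.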
Needs review
} catch (final Exception e1) { | ||
builder = channel.newBuilder(); | ||
builder.startObject(); | ||
builder.field("error", e1.toString()); |
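Review bot: `builder.field("error", e1.toString())` returns the raw exception string to the caller, and for keystore or file-read failures that string normally carries the exception class and the on-disk path of the certificate or key, so the response discloses filesystem layout; log the full exception server-side and return either a fixed message or only the message of the validation errors this API deliberately reports (bad DN, expired certificate, feature disabled).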
Can we test some exceptions to see what information we are exposing? (Similar for the other action)
The following test cases return the exception if an invalid DN is set and if the reload property is not present in the elasticsearch.yml config (https://github.com/opendistro-for-elasticsearch/security/pull/238/files#diff-714682d00b2af7282796d8efc9812f56R173-R198). I'll add one more in there for the case where the reloaded certificate has an invalid expiry date.
Let me know if there is any specific test that comes to your mind.
@@ -633,7 +633,7 @@ public void testNodeClientSSL() throws Exception { | |||
|
|||
@Test | |||
public void testTransportClientSSLFail() throws Exception { | |||
thrown.expect(NoNodeAvailableException.class); | |||
thrown.expect(IllegalStateException.class); |
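Review bot: `thrown.expect(IllegalStateException.class)` swaps the expected type without constraining the message, so the test also passes on any unrelated IllegalStateException thrown during plugin startup; pair it with `thrown.expectMessage(...)` naming the empty-truststore validation error so the test pins the stricter truststore check this change introduces rather than any startup failure.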
Earlier we were allowing transport client creation with an empty truststore file. I added stronger truststore validation, so now we prevent transport client creation and OpenDistroPlugin will not load, hence this IllegalStateException.
* Added api PUT /_opendistro/_security/ssl/{certType}/reloadcerts which reinitializes http or transport keystore
* Added api GET /_opendistro/_security/ssl/certs which returns public key details for http and transport certificates
* Updated DefaultODSKeyStore to update, set and get http and transport layer certificates
* Added unit tests
Description:
This feature allows super admin users to "hot reload" their expired SSL certificates without restarting their clusters. This API is very sensitive so currently it only allows users to replace their expired certificates with valid certificates issued with the same Issuer/Subject DN and SAN.
This API assumes that new certificates are in the same location specified by the security configurations in elasticsearch.yml (https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/tls/) and the same TLS configuration values hold for the new certificates.
To enable this feature, add the following property to your elasticsearch.yml file -
This property is disabled by default.
API Reference:
PUT /_opendistro/_security/api/ssl/{certType}/reloadcerts
Description: This API updates SSL transport and http certificate information and is accessible by super admins only.
Request:
Response:
GET /_opendistro/_security/api/ssl/certs
Description: This API returns SSL transport and http certificate information and is accessible by super admins only.
Request:
Response:
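The acceptance rule described above (the replacement must keep the same Issuer DN, Subject DN and SAN set as the certificate it replaces, and must be valid at reload time) as an added, stand-alone illustration in Go. This is not the plugin's Java code; `ValidateReplacement`, `sanList` and `makeCert` are hypothetical names, and the certificates are generated in-process as constructed test input rather than read from the paths configured in elasticsearch.yml:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"sort"
	"strings"
	"time"
)

// sanList renders the DNS and IP SANs of a certificate in a canonical, sorted
// form so two certificates compare equal regardless of extension ordering.
func sanList(c *x509.Certificate) []string {
	out := make([]string, 0, len(c.DNSNames)+len(c.IPAddresses))
	for _, d := range c.DNSNames {
		out = append(out, "DNS:"+strings.ToLower(d))
	}
	for _, ip := range c.IPAddresses {
		out = append(out, "IP:"+ip.String())
	}
	sort.Strings(out)
	return out
}

// ValidateReplacement is a hypothetical check mirroring the PR's rule: accept
// newCert in place of oldCert only if Subject DN, Issuer DN and SANs are
// unchanged and newCert is valid at `now`. oldCert may already be expired,
// since replacing expired certificates is the whole point of the reload.
func ValidateReplacement(oldCert, newCert *x509.Certificate, now time.Time) error {
	if oldCert.Subject.String() != newCert.Subject.String() {
		return fmt.Errorf("subject DN changed: %s -> %s", oldCert.Subject, newCert.Subject)
	}
	if oldCert.Issuer.String() != newCert.Issuer.String() {
		return fmt.Errorf("issuer DN changed: %s -> %s", oldCert.Issuer, newCert.Issuer)
	}
	o, n := sanList(oldCert), sanList(newCert)
	if strings.Join(o, ",") != strings.Join(n, ",") {
		return fmt.Errorf("SAN set changed: %v -> %v", o, n)
	}
	if now.Before(newCert.NotBefore) {
		return errors.New("new certificate is not yet valid")
	}
	if now.After(newCert.NotAfter) {
		return errors.New("new certificate has already expired")
	}
	return nil
}

// makeCert builds a self-signed certificate as constructed test input
// (Issuer DN therefore equals Subject DN). It is not how a real node
// certificate would be issued.
func makeCert(cn string, dns []string, ips []net.IP, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example"}},
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	dns := []string{"node-1.example.internal"}
	ips := []net.IP{net.ParseIP("10.0.0.5")}
	// The currently loaded certificate expired yesterday.
	old, _ := makeCert("node-1", dns, ips, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	candidates := map[string]*x509.Certificate{}
	candidates["renewed"], _ = makeCert("node-1", dns, ips, now.Add(-time.Hour), now.Add(24*time.Hour))
	candidates["wrong SAN"], _ = makeCert("node-1", []string{"node-2.example.internal"}, ips, now.Add(-time.Hour), now.Add(24*time.Hour))
	candidates["wrong CN"], _ = makeCert("node-2", dns, ips, now.Add(-time.Hour), now.Add(24*time.Hour))
	candidates["still expired"], _ = makeCert("node-1", dns, ips, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	for name, c := range candidates {
		fmt.Printf("%-14s -> %v\n", name, ValidateReplacement(old, c, now))
	}
}
```

The comparison uses the canonical string form of each DN rather than raw DER bytes, so a re-encoded but semantically identical Subject still matches, and the SANs are sorted and lower-cased before comparison so attribute order in the extension does not cause a spurious rejection. The check is run against the certificate the node currently has loaded, not against whatever was previously on disk, which is what makes the "same location, same TLS settings" assumption in the description safe to rely on.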