java.lang.Object
org.elasticsearch.common.settings.KeyStoreWrapper
- All Implemented Interfaces:
Closeable,AutoCloseable,Writeable,SecureSettings
A disk based container for sensitive settings in Elasticsearch.
Loading a keystore has 2 phases. First, call
load(Path). Then call
decrypt(char[]) with the keystore password, or an empty char array if
hasPassword() is false. Loading and decrypting should happen
in a single thread. Once decrypted, settings may be read in multiple threads.-
Nested Class Summary
Nested classes/interfaces inherited from interface org.elasticsearch.common.io.stream.Writeable
Writeable.Reader<V>, Writeable.Writer<V> -
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final intstatic final intstatic final intstatic final StringThe name of the keystore file to read and write.static final intThe version where lucene directory API changed from BE to LE.static final Stringstatic final Setting<SecureString> static final intstatic final int -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionstatic voidaddBootstrapSeed(KeyStoreWrapper wrapper) Add the bootstrap seed setting, which may be used as a unique, secure, random value by the nodestatic KeyStoreWrapperbootstrap(Path configDir, CheckedSupplier<SecureString, Exception> passwordSupplier) voidclose()static KeyStoreWrappercreate()Constructs a new keystore with the given password.voiddecrypt(char[] password) Decrypts the underlying keystore data.Return a file setting.intGet the metadata format version for the keystoreIt is possible to retrieve the setting names even if the keystore is closed.byte[]getSHA256Digest(String setting) Returns the SHA256 digest for the setting's value, even after#close()has been called.Return a string setting.booleanReturn true iff callingdecrypt(char[])requires a non-empty password.booleanisLoaded()Returns true iff the settings are loaded and retrievable.static PathkeystorePath(Path configDir) Returns a path representing the ES keystore in the given config dir.static KeyStoreWrapperLoads information about the Elasticsearch keystore from the provided config directory.voidRemove the given setting from the keystore.voidWrite the keystore to the given config directory.voidvoidSet a file setting.voidSet a string setting.static voidupgrade(KeyStoreWrapper wrapper, Path configDir, char[] password) Upgrades the format of the keystore, if necessary.static voidvalidateSettingName(String setting) Ensure the given setting name is allowed.voidwriteTo(StreamOutput out) Write this into the StreamOutput.
-
Field Details
-
PROMPT
- See Also:
-
SEED_SETTING
-
KEYSTORE_FILENAME
The name of the keystore file to read and write.- See Also:
-
V3_VERSION
public static final int V3_VERSION- See Also:
-
V4_VERSION
public static final int V4_VERSION- See Also:
-
LE_VERSION
public static final int LE_VERSIONThe version where lucene directory API changed from BE to LE.- See Also:
-
HIGHER_KDF_ITERATION_COUNT_VERSION
public static final int HIGHER_KDF_ITERATION_COUNT_VERSION- See Also:
-
CIPHER_KEY_BITS_256_VERSION
public static final int CIPHER_KEY_BITS_256_VERSION- See Also:
-
CURRENT_VERSION
public static final int CURRENT_VERSION- See Also:
-
-
Constructor Details
-
KeyStoreWrapper
- Throws:
IOException
-
-
Method Details
-
getFormatVersion
public int getFormatVersion()Get the metadata format version for the keystore -
keystorePath
Returns a path representing the ES keystore in the given config dir. -
create
Constructs a new keystore with the given password. -
addBootstrapSeed
Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node -
bootstrap
public static KeyStoreWrapper bootstrap(Path configDir, CheckedSupplier<SecureString, Exception> passwordSupplier) throws Exception- Throws:
Exception
-
load
Loads information about the Elasticsearch keystore from the provided config directory.decrypt(char[])must be called before reading or writing any entries. Returnsnullif no keystore exists.- Throws:
IOException
-
upgrade
public static void upgrade(KeyStoreWrapper wrapper, Path configDir, char[] password) throws Exception Upgrades the format of the keystore, if necessary.- Throws:
Exception
-
isLoaded
public boolean isLoaded()Description copied from interface:SecureSettingsReturns true iff the settings are loaded and retrievable.- Specified by:
isLoadedin interfaceSecureSettings
-
hasPassword
public boolean hasPassword()Return true iff callingdecrypt(char[])requires a non-empty password. -
decrypt
Decrypts the underlying keystore data. This may only be called once.- Throws:
GeneralSecurityExceptionIOException
-
save
Write the keystore to the given config directory.- Throws:
Exception
-
save
- Throws:
Exception
-
getSettingNames
It is possible to retrieve the setting names even if the keystore is closed. This allowsSecureSettingto correctly determine that a entry exists even though it cannot be read. Thus attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.- Specified by:
getSettingNamesin interfaceSecureSettings
-
getString
Description copied from interface:SecureSettingsReturn a string setting. TheSecureStringshould be closed once it is used.- Specified by:
getStringin interfaceSecureSettings
-
getFile
Description copied from interface:SecureSettingsReturn a file setting. TheInputStreamshould be closed once it is used.- Specified by:
getFilein interfaceSecureSettings
-
getSHA256Digest
Returns the SHA256 digest for the setting's value, even after#close()has been called. The setting must exist. The digest is used to check for value changes without actually storing the value.- Specified by:
getSHA256Digestin interfaceSecureSettings
-
validateSettingName
Ensure the given setting name is allowed.- Throws:
IllegalArgumentException- if the setting name is not valid
-
setString
Set a string setting. -
setFile
Set a file setting. -
remove
Remove the given setting from the keystore. -
close
public void close()- Specified by:
closein interfaceAutoCloseable- Specified by:
closein interfaceCloseable- Specified by:
closein interfaceSecureSettings
-
writeTo
Description copied from interface:WriteableWrite this into the StreamOutput.- Specified by:
writeToin interfaceWriteable- Throws:
IOException
-