
Commit 4f55a07

Tribe: Add error with secure settings copied to tribe (#32298)
This commit adds a clear error message when tribe setup attempts to copy a secure setting into tribe settings. This behavior has never worked, but the previous error message was very confusing, complaining about a source key not being found later when trying to read the setting. closes #32117
1 parent 4ace732 commit 4f55a07


2 files changed

+31
-3
lines changed


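--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -34,6 +34,7 @@
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.SecureSettings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
@@ -811,11 +812,22 @@ private static void addTribeSettings(Settings settings, Settings.Builder setting
 }
 
 // we passed all the checks now we need to copy in all of the x-pack security settings
-settings.keySet().forEach(k -> {
+SecureSettings secureSettings = Settings.builder().put(settings).getSecureSettings(); // hack to get at secure settings...
+Set<String> secureSettingKeys = secureSettings == null ? Collections.emptySet() : secureSettings.getSettingNames();
+List<String> invalidSettings = new ArrayList<>();
+for (String k : settings.keySet()) {
 if (k.startsWith("xpack.security.")) {
-settingsBuilder.copy(tribePrefix + k, k, settings);
+if (secureSettingKeys.contains(k)) {
+invalidSettings.add(k);
+} else {
+settingsBuilder.copy(tribePrefix + k, k, settings);
+}
 }
-});
+}
+if (invalidSettings.isEmpty() == false) {
+throw new IllegalArgumentException("Secure settings " + invalidSettings.toString() +
+" cannot be used with tribe client node");
+}
 }
 
 Map<String, Settings> realmsSettings = settings.getGroups(SecurityField.setting("authc.realms"), true);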
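Review bot: The `// hack to get at secure settings...` comment on the new `SecureSettings secureSettings = ...` line does not say why a throwaway builder is needed or why matching keys are rejected rather than copied, so a later cleanup could drop the guard without noticing. If I read the hack correctly, a comment such as `// Settings has no direct accessor here, so round-trip through a builder; secure values cannot be copied under the tribe prefix, so collect their names and fail fast` would record the intent. A one-line comment at the `throw` stating that the message carries setting names only, never values, would also help keep keystore contents out of logs if the message is edited later. The rejection applies only to keys under `xpack.security.`, and addTribeSettings begins outside this hunk, so whether other secure settings reach the tribe node by another path cannot be judged from here.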

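--- a/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java
+++ b/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java
@@ -556,6 +556,22 @@ public void testTribeSettingNames() throws Exception {
 s, anyOf(startsWith("tribe.blocks"), startsWith("tribe.name"), startsWith("tribe.on_conflict"))));
 }
 
+public void testNoTribeSecureSettings() throws Exception {
+MockSecureSettings secureSettings = new MockSecureSettings();
+Path home = createTempDir();
+secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "dummypass");
+secureSettings.setString("xpack.security.authc.token.passphrase", "dummypass");
+Settings settings = Settings.builder().setSecureSettings(secureSettings)
+.put("path.home", home)
+.put("tribe.t1.cluster.name", "foo")
+.put("xpack.security.enabled", true).build();
+Security security = new Security(settings, home.resolve("config"));
+IllegalArgumentException e = expectThrows(IllegalArgumentException.class, security::additionalSettings);
+// can't rely on order of the strings printed in the exception message
+assertThat(e.getMessage(), containsString("xpack.security.http.ssl.keystore.secure_password"));
+assertThat(e.getMessage(), containsString("xpack.security.authc.token.passphrase"));
+}
+
 private void assertTribeNodeHasAllIndices() throws Exception {
 assertBusy(() -> {
 Set<String> indices = new HashSet<>();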
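Review bot: testNoTribeSecureSettings checks that both setting names appear in the exception message but never checks that the secret value stays out of it. Since this error is built from secure settings and will end up in startup logs, I would pin that with `assertThat(e.getMessage(), not(containsString("dummypass")));` after the two existing assertions. That assumes Hamcrest's `not` is already imported in this test class, which is not visible here. The test also covers only the case where every `xpack.security.*` key is secure, so a second case with a regular setting alongside would show that only the secure ones are reported.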
