Include Secure Setting Names and Keystore Modified Time in Reload API Response#138052
Include Secure Setting Names and Keystore Modified Time in Reload API Response#138052ebarlas merged 10 commits intoelastic:mainfrom
Conversation
…d-secure-settings API response
ebarlas
added
>enhancement
:Security/Security
|
Hi @ebarlas, I've created a changelog YAML for you. |
|
Pinging @elastic/es-security (Team:Security) |
jfreden
left a comment
jfreden
left a comment
There was a problem hiding this comment.
The PR looks great and the code is solid as always! I have a couple of comments.
At a higher level, it was discussed in the issue if the absolute path to the keystore should be included or not. My understanding from the discussion is that you landed on including it but it's not part of the change?
| return ElasticsearchException.readException(this); | ||
| } | ||
|
|
||
| /** |
| try { | ||
| return Files.readAttributes(path, BasicFileAttributes.class).lastModifiedTime().toMillis(); | ||
| } catch (IOException e) { | ||
| return null; // fallback to null if we can't read the time |
There was a problem hiding this comment.
I think we should log a warning here since it's unexpected. We just refreshed the keystore and now we can't get the modified timestamp.
docs/changelog/138052.yaml
Outdated
| summary: Include Secure Setting Names and Keystore Modified Time in Reload API Response | ||
| area: Security | ||
| type: enhancement | ||
| issues: [] |
| @@ -412,6 +413,8 @@ public void onResponse(NodesReloadSecureSettingsResponse nodesReloadResponse) { | |||
| assertThat(nodesMap.size(), equalTo(cluster().size())); | |||
There was a problem hiding this comment.
I don't think it matters but this test is disabled when running in fips mode. Since we're reading properties on the keystore we might want to make sure it works in fips mode too?
There was a problem hiding this comment.
The current approach seems adequate. I see that ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT has a group of tests with a keystore password.
| public static class NodeResponse extends BaseNodeResponse { | ||
|
|
||
| private Exception reloadException = null; | ||
| private static final TransportVersion KEYSTORE_DETAILS = TransportVersion.fromName("keystore_details_in_reload_response"); |
There was a problem hiding this comment.
nit: might want to use more specific naming since we might want to add more details in the future.
| import java.util.List; | ||
| import java.util.Optional; | ||
|
|
||
| public class NodesReloadSecureSettingsResponseTests extends ESTestCase { |
There was a problem hiding this comment.
There is actually an abstract class that does testing like this AbstractBWCSerializationTestCase that's used throughout the code base. You might want to consider extending that for more test coverage.
There was a problem hiding this comment.
This turned out to be a poor match since AbstractBWCSerializationTestCase expects both wire serialization and XContent serialization. The NodesReloadSecureSettingsResponse source code is not currently arranged that way.
|
I think someone jumped ahead of you in terms of transport version, but otherwise LGTM to me! |
...va/org/elasticsearch/action/admin/cluster/node/reload/NodesReloadSecureSettingsResponse.java
Outdated
Show resolved
Hide resolved
...va/org/elasticsearch/action/admin/cluster/node/reload/NodesReloadSecureSettingsResponse.java
Outdated
Show resolved
Hide resolved
…de/reload/NodesReloadSecureSettingsResponse.java Co-authored-by: Slobodan Adamović <slobodanadamovic@users.noreply.github.com>
…de/reload/NodesReloadSecureSettingsResponse.java Co-authored-by: Slobodan Adamović <slobodanadamovic@users.noreply.github.com>
| assertNotNull(readNr.reloadException()); | ||
| assertEquals(nr.reloadException().getMessage(), readNr.reloadException().getMessage()); | ||
| } | ||
| if (version.equals(TransportVersion.current())) { |
There was a problem hiding this comment.
This would cause a failure as soon as somebody introduce a new transport version.
Should this be version.supports(NodesReloadSecureSettingsResponse.NodeResponse.KEYSTORE_DETAILS) instead?
Include keystore details in reload-secure-settings API response: - Secure setting names - Keystore file path - Keystore SHA-256 checksum - Keystore last modified time
6 participants
This change augments the reload_secure_settings API response with the following properties for each node object:
secure_setting_names: JSON array of secure setting names from ES keystorekeystore_path: JSON string with file system path to keystore filekeystore_digest: JSON string with hex-encoded SHA-256 hash of keystore file raw byteskeystore_last_modified_time: JSON string with ES keystore last-modified date-timeThis change is a response to recurring ES admin confusion about which securing settings are being reloaded from which keystore. See issue #112268.
Curl call to
reload_secure_settingstargeting local ES distribution: