DataNode: Client Cert Generation

[janheise]

Description

Generate Client Certs for 3rd party connection to OpenSearch

{
"principal" : "user1",
"role" : "all_access",
"password" : "12test34"
}

Exporting the certs from the JSON and calling
curl --cacert ca.pem --cert cert.pem --key key.pem https://localhost:9200/_aliases
works.

Grafana works if you only configure TLS client auth and disable SSL key checking. Otherwise it complains about the ca cert.

Motivation and Context

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Refactoring (non-breaking change)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.

[kroepke]

If principal has multiple role values associated, those would collide, and we would remove the certificate for all of them.

I think it's safer to base the file name on the hash of role + principal and use the resulting string everywhere in this class, including when create the private key store.
I'm not sure how the UI is going to represent the client certificates that exist, so we might need to store the role, principal pair somewhere else, or get it from the role mapping. But I think that is an independent question from this PR.

[kroepke]

In general: how would using the file system work if you have multiple nodes, especially if those nodes might not be online at the same time?
I might be missing something but if this is a concern, the data needs to live somewhere else, probably in the database.

[janheise]

This is the first draft - to make it right, I think we have to figure out where we're heading with the CA stuff:

• If it's a one time, throw away cert, we don't have to save the PK anywhere because we might not want to reuse it at all
• we could let the user create their own CSR, no need to generate a PK then
• roles etc. could be more than one, we should save that state to MongoDB - but again: I'd like to give it at least a little thought before I'm creating sth. that needs a migration in the future

[kroepke]

Ok, that makes sense. In that case, we should consider a follow-on PR that doesn't store the certificate at all (maybe post-beta, so we don't hold this up too much).
If we never read it again, it doesn't make much of a difference whether it lives on a single node.

[kroepke]

lgtm, I've created a follow-on issue #18587 were we can see about the file system requirement for generated certs.
Thanks!

[moesterheld]

works as expected. lgtm.
thank you for adding this