Create enrollment token #73573
Conversation
Method to be called by the startup process while elasticsearch is in the enrollment mode to obtain an enrollment token used to enroll a new node to the cluster.
Resolve: elastic#71438
Related: elastic#72129
Pinging @elastic/es-security (Team:Security)
@elasticmachine update branch
Please address my comments, then I think it's good to merge.
Worth noting that the token, as proposed herein, includes addresses for all the cluster nodes.
In practice connection information for the node that generated the token ought to be enough, and we're trying to keep the token short. CC @jkakavas you might have opinions, I'm fine either way.
That's not true. Address for the first node returned by /_nodes/http API is only included. We can be more selective and filter local only or master only node...
Yes, we only want to return local info. The idea is that you get a token from the node that you want to talk to in the enrollment process. I don't think we should depend on the local node being the first in the response. We should limit the response by passing _local in the request.
if (httpCode != HttpURLConnection.HTTP_OK) {
    logger.error("Error " + httpCode + "when calling GET " + url + ". ResponseBody: " +
        (httpResponseApiKey == null ? "" : httpResponseApiKey.getResponseBody()));
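Review bot: the log string in the logger.error call is missing a space after httpCode, so the message renders as "Error 400when calling GET ..."; change "Error " + httpCode + "when calling GET " to "Error " + httpCode + " when calling GET ". Separately, if httpResponseApiKey can never be null at this point (as the reviewer asks below), the null-guarded ternary is dead code and should be reduced to httpResponseApiKey.getResponseBody() so the logging path does not suggest a case that cannot occur.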
httpResponseApiKey can't be null, can it?
@elasticmachine update branch
    assertThat(ex.getMessage(), Matchers.containsString("Unexpected response code [400] from calling GET "));
}

public void testFailedRetrieveHttpInfoNoCaInKeystore() throws Exception {
These do not have to do with failing to retrieve http info, right, and are not similar to testFailedRetrieveHttpInfo. Can we rename this and the following methods?
LGTM, please change the test method names and we're good to merge, thanks for the iterations!
if (Strings.isNullOrEmpty(apiKey) || Strings.isNullOrEmpty(apiId)) {
    throw new IllegalStateException("Could not create an api key.");
}
return Base64.getEncoder().encodeToString((apiId + ":" + apiKey).getBytes(StandardCharsets.UTF_8));
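Review bot: the IllegalStateException message "Could not create an api key." does not say whether it was the id or the key that came back empty, which makes a failed enrollment hard to diagnose from the startup log; consider reporting which field was missing (never the key value itself). The trailing Base64 encoding of apiId + ":" + apiKey is the double-encoding the next comment asks to drop, since the whole token is Base64-encoded once more before it is handed out.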
Missed that in the review @BigPandaToo . I don't think there is need to base64 encode the API key before we put it as a value in the token, as the token itself will be Base64 encoded.
I think the length gains are more significant than the additional effort the consumers of the token need to make to base64 the string before using it in the Authorization header and this behavior is also consistent with the create api key API.
Can you please tackle this change in a short follow up PR ?
Right, forgot that it won't be used directly
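The Base64 discussion above (encode the "id:key" pair once, at the point where the consumer builds the Authorization header, rather than inside an already Base64-encoded token) and the SHA-256 fingerprint follow-up referenced below are shown together in the added example that follows. It is example code written for this page, not Elasticsearch's own implementation, and it is in Python rather than the project's Java so that it runs stand-alone. The token field names ("adr", "fgr", "key"), the node address, the API key id/secret and the certificate bytes are constructed assumptions for illustration; the fingerprint is computed over the constructed bytes exactly as it would be over a real DER-encoded CA certificate.

```python
import base64
import hashlib
import json

# Constructed sample inputs for this example: not a real node, API key or certificate.
NODE_ADDRESS = "192.0.2.10:9200"
API_KEY_ID = "VuaCfGcBCdbkQm-e5aOx"
API_KEY_SECRET = "ui2lp2axTNmsyakw9tvNnw"
CA_CERT_DER = b"constructed DER bytes, not a real X.509 certificate"


def ca_fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 of the CA certificate's DER encoding (64 hex characters)."""
    return hashlib.sha256(der_bytes).hexdigest()


def build_token(address: str, api_key_id: str, api_key_secret: str,
                ca_der: bytes, pre_encode_key: bool = False) -> str:
    """Serialise the enrollment token as compact JSON and Base64-encode it once.

    The field names "adr", "fgr" and "key" are assumptions made for this example.
    pre_encode_key=True reproduces the variant the review asked to drop: the
    "id:secret" value is Base64-encoded before the whole token is Base64-encoded.
    """
    key_value = f"{api_key_id}:{api_key_secret}"
    if pre_encode_key:
        key_value = base64.b64encode(key_value.encode("utf-8")).decode("ascii")
    payload = {
        "adr": [address],              # only the local node's address, not the whole cluster
        "fgr": ca_fingerprint(ca_der),  # lets the enrolling side pin the CA it will trust
        "key": key_value,
    }
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_token(token: str) -> dict:
    """Reverse the single outer Base64 layer and parse the JSON payload."""
    return json.loads(base64.b64decode(token).decode("utf-8"))


def authorization_header(token: str) -> str:
    """Consumer side: Base64-encode "id:secret" exactly once, at the point of use,
    the same way a caller of the create API key API would build the header."""
    api_key = parse_token(token)["key"]
    return "ApiKey " + base64.b64encode(api_key.encode("utf-8")).decode("ascii")


def decode_header(header: str) -> str:
    """Recover the "id:secret" string from an "ApiKey <base64>" header value."""
    scheme, _, value = header.partition(" ")
    if scheme != "ApiKey":
        raise ValueError("not an ApiKey header")
    return base64.b64decode(value).decode("utf-8")


def length_saving() -> int:
    """Characters saved in the outer token by not pre-encoding the key value."""
    plain = build_token(NODE_ADDRESS, API_KEY_ID, API_KEY_SECRET, CA_CERT_DER)
    double = build_token(NODE_ADDRESS, API_KEY_ID, API_KEY_SECRET, CA_CERT_DER,
                         pre_encode_key=True)
    return len(double) - len(plain)


if __name__ == "__main__":
    token = build_token(NODE_ADDRESS, API_KEY_ID, API_KEY_SECRET, CA_CERT_DER)
    print(token)
    print(parse_token(token))
    print(authorization_header(token))
    print("characters saved by not pre-encoding the key:", length_saving())
```

With pre_encode_key=True the consumer would have to know that the "key" field is already Base64 and paste it into the header as-is; with the single encoding the consumer treats it like any other "id:secret" pair from the create API key API, which is the consistency argument made in the comment above.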
No need for base64 encode the API key before we put it as a value in the token, as the token itself will be Base64 encoded A follow up PR for: elastic#73573
* Create enrollment token Method to be called by the startup process while elasticsearch is in the enrollment mode to obtain an enrollment token used to enroll a new node to the cluster. Resolve: elastic#71438 Related: elastic#72129
* Calculate SHA256 fingerprint for enrollment token
A follow up PR for: elastic#73573
* Adding a test fix
Resolves: elastic#74525
Method to be called by the startup process while elasticsearch is in the enrollment mode to obtain an enrollment token used to enroll a new node to the cluster or an enrollment token to configure Kibana to communicate with a secured elasticsearch cluster.
Resolve: #71438
Related: #72129