Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create enrollment token #73573

Merged
merged 25 commits into from Jun 23, 2021
Merged

Create enrollment token #73573

merged 25 commits into from Jun 23, 2021

Conversation

BigPandaToo
Copy link
Contributor

@BigPandaToo BigPandaToo commented May 31, 2021
edited

Method to be called by the startup process while elasticsearch is in the
enrollment mode to obtain an
enrollment token used to enroll a new node to the cluster or an enrollment
token to configure Kibana to communicate with a secured elasticsearch
cluster

Resolve: #71438
Related: #72129

@BigPandaToo
Create enrollment token
314b8a3 
Method to be called by the startup process while elasticsearch is in the
 enrollment mode to obtain an
enrollment token used to enroll a new node to the cluster.

Resolve: elastic#71438
Related: elastic#72129
@BigPandaToo BigPandaToo added :Security/Security Security issues without another label v8.0.0 labels May 31, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label May 31, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@BigPandaToo BigPandaToo marked this pull request as draft May 31, 2021 20:40
@BigPandaToo BigPandaToo marked this pull request as ready for review June 1, 2021 08:04
@BigPandaToo BigPandaToo mentioned this pull request Jun 1, 2021
Closed
@BigPandaToo BigPandaToo marked this pull request as draft June 1, 2021 18:59
@BigPandaToo
Method to be called by the startup process while elasticsearch is in the
913d679 
enrollment mode to obtain an
enrollment token used to enroll a new node to the cluster.

Resolve: elastic#71438
Related: elastic#72129
@BigPandaToo BigPandaToo marked this pull request as ready for review June 3, 2021 17:08
@BigPandaToo
Copy link
Contributor Author

@elasticmachine update branch

@jkakavas jkakavas self-requested a review June 8, 2021 20:28
@BigPandaToo
Copy link
Contributor Author

@elasticmachine update branch

@BigPandaToo
Copy link
Contributor Author

@elasticmachine update branch

albertzaharovits
albertzaharovits approved these changes Jun 18, 2021
View reviewed changes
Copy link
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please address my comments, then I think it's good to merge.

Worth noting that the token, as proposed herein, includes addresses for all the cluster nodes.
In practice connection information for the node that generated the token ought be enough, and we're trying to keep the token short. CC @jkakavas you might have opinions, I'm fine either way.

@BigPandaToo
Copy link
Contributor Author

Please address my comments, then I think it's good to merge.

Worth noting that the token, as proposed herein, includes addresses for all the cluster nodes.
In practice connection information for the node that generated the token ought be enough, and we're trying to keep the token short. CC @jkakavas you might have opinions, I'm fine either way.

That's not true. Address for the first node returned by /_nodes/http API is only incuded. We can be more selective and filter local only or master only node...

jkakavas
jkakavas reviewed Jun 22, 2021
View reviewed changes
Copy link
Member

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please address my comments, then I think it's good to merge.
Worth noting that the token, as proposed herein, includes addresses for all the cluster nodes.
In practice connection information for the node that generated the token ought be enough, and we're trying to keep the token short. CC @jkakavas you might have opinions, I'm fine either way.

That's not true. Address for the first node returned by /_nodes/http API is only incuded. We can be more selective and filter local only or master only node...

Yes, we only want to return local info. The idea is that you get a token from the node that you want to talk to in the enrollment process. I don't think we should depend on the local node being the first in the response. We should limit the response by passing _local in the request

...ecurity/src/main/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentToken.java Outdated Show resolved Hide resolved
...ecurity/src/main/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentToken.java Outdated Show resolved Hide resolved
...ecurity/src/main/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentToken.java Outdated

if (httpCode != HttpURLConnection.HTTP_OK) {
logger.error("Error " + httpCode + "when calling GET " + url + ". ResponseBody: " +
(httpResponseApiKey == null ? "" : httpResponseApiKey.getResponseBody()));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

httpResponseApiKey can't be null, can it?

...ecurity/src/main/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentToken.java Outdated Show resolved Hide resolved
...ty/src/test/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentTokenTests.java Outdated Show resolved Hide resolved
...ecurity/src/main/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentToken.java Show resolved Hide resolved
...ty/src/test/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentTokenTests.java Show resolved Hide resolved
...ty/src/test/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentTokenTests.java Show resolved Hide resolved
@BigPandaToo
Copy link
Contributor Author

@elasticmachine update branch

jkakavas
jkakavas reviewed Jun 22, 2021
View reviewed changes
...ty/src/test/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentTokenTests.java Outdated
assertThat(ex.getMessage(), Matchers.containsString("Unexpected response code [400] from calling GET "));
}

public void testFailedRetrieveHttpInfoNoCaInKeystore() throws Exception {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these do not have to do with failing to retrieve http info right and are not similar to testFailedRetrieveHttpInfo. Can we rename this and the following methods?

jkakavas
jkakavas approved these changes Jun 22, 2021
View reviewed changes
Copy link
Member

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, please change the test method names and we're good to merge, thanks for the iterations!

@BigPandaToo BigPandaToo merged commit b706e8a into elastic:master Jun 23, 2021
Security On by Default Implementation Tracking automation moved this from Implementation Milestone 1 ( June 18th ) to Completed Jun 23, 2021
jkakavas
jkakavas reviewed Jun 23, 2021
View reviewed changes
...ecurity/src/main/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentToken.java
if (Strings.isNullOrEmpty(apiKey) || Strings.isNullOrEmpty(apiId)) {
throw new IllegalStateException("Could not create an api key.");
}
return Base64.getEncoder().encodeToString((apiId + ":" + apiKey).getBytes(StandardCharsets.UTF_8));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missed that in the review @BigPandaToo . I don;t think there is need to base64 encode the API key before we put it as a value in the token, as the token itself will be Base64 encoded.

I think the length gains are more significant than the additiional effort the consumers of the token need to make to base64 the string before using it in the Authorization header and this behavior is also consistent with the create api key API .

Can you please tackle this change in a short follow up PR ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, forgot that it won't be used directly

BigPandaToo added a commit to BigPandaToo/elasticsearch that referenced this pull request Jun 23, 2021
@BigPandaToo
Not encoding the Api Key in Enrollment token
1d5e473 
No need for base64 encode the API key before we put it as a value in the
 token, as the token itself will be Base64 encoded

A follow up PR for:
elastic#73573
@BigPandaToo BigPandaToo mentioned this pull request Jun 23, 2021
Merged
BigPandaToo added a commit to BigPandaToo/elasticsearch that referenced this pull request Jun 23, 2021
@BigPandaToo
Calculate SHA256 fingerprint for enrollment token
60f7af6 
A follow up PR for:
elastic#73573
@BigPandaToo BigPandaToo mentioned this pull request Jun 23, 2021
Merged
BigPandaToo added a commit that referenced this pull request Jun 23, 2021
@BigPandaToo
Not encoding the Api Key in Enrollment token (#74510)
00a1ae1 
No need for base64 encode the API key before we put it as a value in the
 token, as the token itself will be Base64 encoded

A follow up PR for:
#73573
BigPandaToo added a commit that referenced this pull request Jun 24, 2021
@BigPandaToo
Calculate SHA256 fingerprint for enrollment token (#74511)
c37f9f1 
* Calculate SHA256 fingerprint for enrollment token

A follow up PR for:
#73573

* Adding a test fix

Resolves: #74525
csoulios pushed a commit to csoulios/elasticsearch that referenced this pull request Jun 24, 2021
@BigPandaToo @csoulios
Create enrollment token (elastic#73573)
fdcf598 
* Create enrollment token

Method to be called by the startup process while elasticsearch is in the
 enrollment mode to obtain an
enrollment token used to enroll a new node to the cluster.

Resolve: elastic#71438
Related: elastic#72129
csoulios pushed a commit to csoulios/elasticsearch that referenced this pull request Jun 24, 2021
@BigPandaToo @csoulios
Not encoding the Api Key in Enrollment token (elastic#74510)
3045095 
No need for base64 encode the API key before we put it as a value in the
 token, as the token itself will be Base64 encoded

A follow up PR for:
elastic#73573
csoulios pushed a commit to csoulios/elasticsearch that referenced this pull request Jun 24, 2021
@BigPandaToo @csoulios
Calculate SHA256 fingerprint for enrollment token (elastic#74511)
919c609 
* Calculate SHA256 fingerprint for enrollment token

A follow up PR for:
elastic#73573

* Adding a test fix

Resolves: elastic#74525
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkakavas jkakavas jkakavas approved these changes

@albertzaharovits albertzaharovits albertzaharovits approved these changes

Assignees
No one assigned
Labels
>enhancement :Security/Security Security issues without another label Team:Security Meta label for security team v8.0.0-alpha1
Projects
Security On by Default Implementation...
Completed
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement create enrollment token API
5 participants
@BigPandaToo @elasticmachine @jkakavas @albertzaharovits @jakelandis