Set elastic password and generate enrollment token

[BigPandaToo]

This change implements a class which can be invoked
as a CLI tool and generate an elastic user password
(if bootstrap.password doesn't exist) and Kibana
enrollment token for initial node.
If bootstrap.password presents, no attempts to
auto-config the elastic password or to "promote"
this password value automatically to the security index
is made.
The process output password, Kibana enrollment token
and fingerprint of the CA certificate that ES is configured
to use for the HTTP layer to standard output.
This functionality is intended for the archive installation.

Resolves #75310

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[albertzaharovits]

I did a first pass.

In addition to the things mentioned, I think you need to consider that the node's keystore is not open, prompt for password etc.

Let's discuss sync.

[BigPandaToo]

@elasticmachine update branch

[albertzaharovits]

We've considered whether this tool is redundant wrt the other tools we've got for resetting the elastic user's password and generating enrollment tokens.
It is not, because:

• the others expect the node to be running, whereas this one has to wait for the node to come up
• this one has to operate only once during node bootstrap
• because it both sets the password and generates enrollment tokens it takes away from the bash code that would otherwise have to call two other cmd line tools; internally this already reuses code from CreateEnrollmentToken, and it is always preferable to have java glue code to bash glue code.

[albertzaharovits]

WRT to having a cmd line tool that does one thing (generates enrollment tokens) but which also "sometimes" does another thing (resets the elastic password unless bootstrap.password is set), we're acknowledging this is unfortunate, but this code is going to be invoked by scripts in exactly this configuration every time. No one is going to call this to only generate enrollment tokens or only to reset the passwords.
To minimize surprising anyone, we're going to rename this to something more vague but more illustrative of the context this is invoked in, ie something containing "Bootstrap" , eg "BootstrapCredentialsInitialNodeTool".

[BigPandaToo]

@elasticmachine update branch

[albertzaharovits]

I did a through review.
It is close.
Please ping me when you've addressed it all and I'll approve.

[albertzaharovits]

this error handling is now redundant.

[albertzaharovits]

bound_address -> boundAddresses

[albertzaharovits]

nit: redundant

[albertzaharovits]

I don't think the parameter name is suitable.

We know that we're only going to set this parameter when the auto configuration runs in docker.
But this might change in the future, because what it does has actually nothing to do with docker. It's better to name it for what it does.

I suggest the name of "node-enrollment-token" or "include-node-enrollment-token".

[albertzaharovits]

This doesn't really work.

The problem is that the env.settings() object doesn't contain the settings from the keystore.
If you look at the BaseRunAsSuperuserCommand#execute preamble code (

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/tool/BaseRunAsSuperuserCommand.java

Line 92 in 72ba4cd

newEnv = new Environment(settings, env.configFile());

), the decoded keystore is used to build an environment which then gets passed around.

Instead, you've chosen to build the environment every time you want to read the Secure Setting and then throw it out (the readBootstrapPassword method).

[albertzaharovits]

This is the first time I'm bringing this up.
It would be better if we collate all the individual lines into a big String that is then passed to terminal#print.

This way the tool shows output when everything is completely done, and no output if one of the calls fails part way. It's still technically possible to show parts of it but much less likely, especially to the human eye.

It also helps with reordering of the information, without reordering of the endpoint calls (ie keep the elastic password reset last).

[albertzaharovits]

This doesn't work now, because checkClusterHealthWithRetriesWaitingForCluster wraps exception in IllegalStateExceptions.

I'm starting to regret my suggestion to have a common approach for the cluster health polling.
My suggestion now is to do whatever works that follows the following requirements:

For BaseRunAsSuperUserCommand:

• fail on connection exception (node is down)
• retry on HTTP_UNAUTHORIZED and HTTP_FORBIDDEN

For BootstrapPasswordAndEnrollmentTokenForInitialNode:

• retry on connection exception
• fail on any Exception

I think it's better that these methods be at the CommandLineHttpClient level, to aid with discoverability, and that they reuse code, but I'm not going to gripe about it.

[BigPandaToo]

checkClusterHealthWithRetriesWaitingForCluster is in CommandLineHttpClient
checkClusterHealthWithRetries is in BaseRunAsSuperuserCommand because it is superuser aware command

checkClusterHealthWithRetriesWaitingForCluster throws ElasticsearchStatusException in case of HTTP_UNAUTHORIZED and HTTP_FORBIDDEN and pass the specific http error code to checkClusterHealthWithRetries so it can retry in this case

[jkakavas]

I'm starting to regret my suggestion to have a common approach for the cluster health polling.

++ :/ I think we gave it a try and it doesn't work ( I don't like exception type based flow control ) . I'd suggest we leave the BaseRunAsSuperUserCommand check health method as it was and implement something for BootstrapPasswordAndEnrollmentTokenForInitialNode that makes sense for it since these two have slightly different requirements. I'd leave the first in the BaseRunAsSuperUserCommand as it is very specific to it, but I don't have strong opinions on where to place the second checkclusterhealth method.

WDYT Lyudmila ?

[BigPandaToo]

I tend to agree with both of you. I think the current implementation would work, but it doesn't look intuitive and overall fragil.
I would leave the one waiting for cluster in CommandLineHttpClient as I think it is generic enough to be used by other commands

[BigPandaToo]

@elasticmachine update branch

[jkakavas]

Suggested change

	* @param boundAddress IP Addresses and port numbers for the interface where the Elasticsearch node is listening on
	* @param boundAddress IP Addresses and port numbers for the interfaces where the Elasticsearch node is listening on

[jkakavas]

nit suggestion : getEnoded()

[jkakavas]

let's remove docker references from here. For the same reasons you changed it to include-node-enrollment-token

[jkakavas]

I'm starting to regret my suggestion to have a common approach for the cluster health polling.

++ :/ I think we gave it a try and it doesn't work ( I don't like exception type based flow control ) . I'd suggest we leave the BaseRunAsSuperUserCommand check health method as it was and implement something for BootstrapPasswordAndEnrollmentTokenForInitialNode that makes sense for it since these two have slightly different requirements. I'd leave the first in the BaseRunAsSuperUserCommand as it is very specific to it, but I don't have strong opinions on where to place the second checkclusterhealth method.

WDYT Lyudmila ?

[jkakavas]

Looking good Lyudmila, I added a couple of comments and a few nit suggestions. Happy to approve once comments are resolved

[jkakavas]

nit: let's call this something rebuildEnvironment or similar now it returns an Environment ? Or even better return settings here because this is all we need? In BaseRunAsSuperuserCommand we build a new Environment but there we are actually using it. So maybe loadSecureSettings and return Settings ? Just throwing ideas around

[jkakavas]

I don't think force flag makes sense in this method. If a user of the CommandLineHttpClient doesn't care about cluster health and would force execution eitherway, they can simply not call checkClusterHealthWithRetriesWaitingForCluster at all

[BigPandaToo]

Makes sense

[jkakavas]

can you move this to the try catch block above ? setElasticUserPassword() throws too

[albertzaharovits]

\n -> System.lineSeparator()

[albertzaharovits]

Two more issues on the cluster health retry logic. Please address.
Besides that LGTM.

Thanks for the effort.

[albertzaharovits]

You want a return here, otherwise it will throw npe further down.

[albertzaharovits]

FYI the cluster health API has a bunch of "wait for conditions" in order to avoid this sort of client side polling.

We can improve on this later.

[BigPandaToo]

I like this! I have changed to wait for yellow for default 30s instead of reiterating here.

[BigPandaToo]

Reiterating only waiting for connection

[albertzaharovits]

Technically I would say that 503 is also a condition (in addition to connection problems) that should be retryable.
Cluster health can return it when there's no master (it does some retrying, it's unlikely, but possible).

[albertzaharovits]

5 seconds for a node to come up is a bit on the low side. I would put it closer to 15.

[jkakavas]

This needs to return an Environment (which will contain the secure settings from the keystore ) and you need to pass this Environment to

final CommandLineHttpClient client = clientFunction.apply(env);
final EnrollmentTokenGenerator enrollmentTokenGenerator = createEnrollmentTokenFunction.apply(env);

so that these classes can read key material from the TLS keystores ( that are password protected and their passwords are stored in the secure settings ).

Apologies I missed it yesterday when I made the comment that this can return Settings instead, we weren't using the returned environment below and it didn't ring any bells

[jkakavas]

You can't pass a SecureString as the value in field(), you need to use the char array here and wrap it in a SecureString later or call toString() on the SecureString you already have

[jkakavas]

let's not have two variables of different type with almost the same name if we don't need to. You can simply have

final SecureString keystorePassword; 
try {
    keystorePassword = new SecureString(terminal.readSecret(""));
} catch (Exception e) {
    throw new UserException(ExitCodes.USAGE, null);
}

[jkakavas]

LGTM provided you address Albert's and my final comments before merging. Thanks for the iterations Lyudmila!

p.s. Lack of QA testing is biting us, both the issues I commented on in my last review could not be found with unit testing. We need to discuss relevant priorities and find a useful balance between feature mvp and useful/necessary testing.

[BigPandaToo]

@elasticmachine update branch