
logstash-keystore create does not have an option to force keystore creation without password #9608

Open
fxdgear opened this issue May 18, 2018 · 8 comments

@fxdgear

fxdgear commented May 18, 2018

  • Version: 6.2.4
  • Operating System: Docker
  • Steps to Reproduce: bin/logstash-keystore create will prompt the user to accept not using a password.

I would like to be able to script creation of the keystore, and I don't want passwords in the ENV.

Even by turning off history, setting the env, and then turning history back on, the password is still in plaintext when anyone with access to the system types env. Also, the keystore password could be leaked via any other service running on the machine that might be reporting ENV vars.

I'm not suggesting to remove this feature. But instead add a flag that allows a user to proceed without being prompted.

something like:

bin/logstash-keystore create --force
@fxdgear (Author)

fxdgear commented May 18, 2018

Turns out a workaround would be:

echo "y" | bin/logstash-keystore create

@andrewvc (Contributor)

@jakelandis would be curious as to your thoughts on adding this as a feature.

@jakelandis (Contributor)

I would like to be able to script creation of the keystore

+1 to better allowing scripted usage of the keystore. However, given the interactive nature as-is, I am not sure a --force flag is sufficient.

Perhaps this scope should be expanded to use a key/value temp file. Perhaps:

bin/logstash-keystore create --from /tmp/kv.tmp
and/or
bin/logstash-keystore add --from /tmp/kv.tmp

Where the password would be one of the key/value pairs. It would require temporary storage of secrets in plain text; this could be done on an admin's laptop, or as part of a secure config management that handles the security of the tmp file.

@jakommo

jakommo commented Jan 16, 2019

+1 on the --force or something similar.

When trying to non-interactively overwrite an existing value, the workaround from #9608 (comment) doesn't work.
I.e.:

$ echo 123 | bin/logstash-keystore add test_key

test_key already exists. Overwrite ? [y/N] %  

The only way I got this working was by removing the old entry first:

$ bin/logstash-keystore remove test_key
Removed 'test_key' from the Logstash keystore.

$ echo 123 | bin/logstash-keystore add test_key
Enter value for test_key: Added 'test_key' to the Logstash keystore.

This is where --force would come in handy.

@dgmorrisjr

+1 on the --force option... but further, passing secrets on the command line is bad practice... so I'd definitely like an option to be able to pass in the secret from a temp file.

Very frustrating how Elastic has implemented the approach to keystores so differently from one component to the next. Would like to see more consistency.
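The remove-then-add sequence from the comment above, together with the `echo "y" |` answer for `create`, can be wrapped into a small idempotent helper that reads the secret from a file on stdin rather than from an argument, which addresses the command-line concern raised in the last comment. This is an added example, not code from the Logstash project or from any participant in this thread. It assumes only the `create`, `add`, `remove` and `list` subcommands that appear in the thread, that `list` prints one key name per line, and that `add` reads the value from stdin when stdin is not a terminal (as the `echo 123 |` example shows); `KEYSTORE_BIN` and the `ls_keystore_*` function names are introduced here.

```shell
# Added example (not Logstash project code): idempotent, non-interactive
# keystore provisioning built only from the subcommands shown in this thread.
# Assumes `list` prints one key name per line and that `add` reads the value
# from stdin when stdin is not a terminal. KEYSTORE_BIN is a name chosen here.
KEYSTORE_BIN="${KEYSTORE_BIN:-bin/logstash-keystore}"

# Create a password-less keystore, auto-answering the "continue without
# password" confirmation so the command can run from a provisioning script.
ls_keystore_create() {
  echo "y" | "$KEYSTORE_BIN" create
}

# Exit 0 if KEY is already stored. -F: literal match; -x: whole line only.
ls_keystore_has() {
  "$KEYSTORE_BIN" list | grep -qxF "$1"
}

# Store the contents of FILE under KEY. An existing entry is removed first so
# the interactive "Overwrite ? [y/N]" prompt never fires, and the secret is fed
# on stdin instead of as an argument, so it never shows up in `ps` output or
# shell history. The caller owns the lifetime of FILE (for example a 0600 file
# on a tmpfs that is removed right after this call).
ls_keystore_set_from_file() {
  key="$1"
  file="$2"
  if ls_keystore_has "$key"; then
    "$KEYSTORE_BIN" remove "$key"
  fi
  "$KEYSTORE_BIN" add "$key" < "$file"
}
```

Typical use is `ls_keystore_create` once, then `ls_keystore_set_from_file es_pwd /run/secrets/es_pwd` for each secret; re-running the script replaces existing values without any prompt. The secret still exists in plaintext in the source file for the duration of the run, which is the trade-off the `--from` proposal above also accepts.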

@skmizuho

skmizuho commented Jul 9, 2020

ES, Kibana, Logstash keystores work really differently - will be nice to standardise them. Our DEV team has generic scripts for adding to the keystore and we need to keep 3 copies of them as they all have slight variations...

@mileskelsey

+1 on standardizing keystore usage and configuration across the Elastic Stack. It's awkward that the Elastic products don't have similar keystore configurations.

The elasticsearch keystore has the -f "force" option.

https://www.elastic.co/guide/en/elasticsearch/reference/current/elasticsearch-keystore.html

@dnx-aiven

+1 on wanting a force option.
