Integrate secret store with Logstash core (part 4) #8905

Merged
merged 4 commits into from
Jan 12, 2018


jakelandis
Contributor

This change introduces the command line tooling and hooks needed to allow Logstash to use the secret store. This change hooks into the same logic that does the environment variable substitution. The command line mirrors the Elasticsearch command line, and is implemented primarily in Java.

Part of #8353

Documentation and full workflow integration tests are still coming ...but this should be the final change set to implement the secret store.

Once this review passes, I will squash this feature branch and create a PR, ensure all tests pass, allow for one final review and merge this to master. (doc and itests can come independently)

jakelandis changed the title from "Integrate secret store with Logstash core" to "Integrate secret store with Logstash core (part 4)" on Jan 2, 2018
@jakelandis
Contributor Author

To manually test follow the instructions at https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html , just replace bin/elasticsearch-keystore with bin/logstash-keystore

To use the secret use ${key} in either the configuration or settings (logstash.yml)

@jordansissel jordansissel self-assigned this Jan 2, 2018
@jordansissel
Contributor

Jenkins doesn't run on this feature branch, so here's the rake artifact:tar failure I get (javadoc):

/home/jls/projects/logstash/logstash-core/src/main/java/org/logstash/secret/store/SecretStoreFactory.java:42: error: unexpected text
     * @throws {@link SecretStoreException} if errors occur while loading, or if store already exists
       ^
/home/jls/projects/logstash/logstash-core/src/main/java/org/logstash/secret/store/SecretStoreFactory.java:52: error: unexpected text
     * @throws {@link SecretStoreException} if errors occur
       ^
/home/jls/projects/logstash/logstash-core/src/main/java/org/logstash/secret/store/SecretStoreFactory.java:63: error: unexpected text
     * @throws {@link SecretStoreException} if errors occur while loading, or if store does not exist
       ^
/home/jls/projects/logstash/logstash-core/src/main/java/org/logstash/secret/store/SecureConfig.java:8: error: bad use of '>'
 * A String -> char[] container that holds a referenced char[] obfuscated in memory and allows for easy clearing all values from memory.
             ^

@jakelandis
Contributor Author

jakelandis commented Jan 3, 2018

@jordansissel - The artifact:tar build is now fixed.

@jordansissel
Contributor

A fresh keystore contains one key. This may be confusing to users?

% bin/logstash-keystore list

keystore.seed

  • ✔️ Adding an entry
  • ✔️ Using the ${foo} syntax in the config.

For my test, I added an entry fancypants and used it like this:

% bin/logstash -e 'input { generator { count => 1 message => "${fancypants}"  } }'
{
  "message"    => "hello world",
...


private void create(SecureConfig config) {
if (System.getenv(SecretStoreFactory.ENVIRONMENT_PASS_KEY) == null) {
terminal.write(String.format("WARNING: The keystore password is not set. Please set the environment variable `%s`. Failure to do so will result in" +
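
Review bot: The `System.getenv(SecretStoreFactory.ENVIRONMENT_PASS_KEY) == null` test in `create` only catches an unset variable, so a variable that is exported but empty does not reach this warning. Consider treating an empty value the same as unset (null or `isEmpty()`), so the warning reflects whether a usable password was actually supplied.
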
Contributor

WARNING: The keystore password is not set. Please set the environment variable LOGSTASH_KEYSTORE_PASS. Failure to do so will result in reduced security. Continue anyway ? [y/N]

It's unclear what behavior the user should expect by pressing y here. Maybe "Continue without password protection on the keystore?"

Contributor Author

@jakelandis jakelandis Jan 3, 2018

Continue without password protection on the keystore?

+1, will update

I struggled a bit on the wording of this.

@jordansissel
Contributor

I didn't remember what the precedence order is, and testing it shows that the keystore has priority over environment variables. Noting this so when we write the docs, this order is documented.


Testing what happens when an invalid entry is given (no env, no keystore entry):

"Cannot evaluate ${env}. Replacement variable env is not defined in a Logstash secret store or as an Environment entry and there is no default value given."

👍
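
The resolution order reported in the comment above (keystore entry first, then environment variable, then the error when neither is defined), as an added Ruby sketch that is not Logstash's own code. The `${name:default}` form, the allowed name characters and all function names are assumptions made for this example; the sample values are constructed.

```ruby
# Added illustration, not Logstash's implementation.
# Assumptions: the ${name:default} form, the allowed name characters and
# every identifier below are chosen for this sketch.

class UndefinedVariableError < StandardError; end

# Matches ${name} or ${name:default}
PLACEHOLDER = /\$\{(?<name>[A-Za-z_.][A-Za-z0-9_.]*)(?::(?<default>[^}]*))?\}/

# Replace every placeholder in +text+. A secret store entry wins over an
# environment variable of the same name; the default is used only when
# neither source defines the name.
def resolve_placeholders(text, secret_store:, env: ENV)
  text.gsub(PLACEHOLDER) do
    match = Regexp.last_match
    name = match[:name]
    if secret_store.key?(name)
      secret_store[name]
    elsif env.key?(name)
      env[name]
    elsif match[:default] # an empty default ("${x:}") is still a default
      match[:default]
    else
      raise UndefinedVariableError,
            "Cannot evaluate #{match[0]}. Replacement variable #{name} is not " \
            "defined in a Logstash secret store or as an Environment entry " \
            "and there is no default value given."
    end
  end
end

# Report where each placeholder would be resolved from, without returning
# any resolved value, so the result can be logged or reviewed safely.
# A name present in both sources is flagged, because the environment value
# is silently ignored in that case.
def placeholder_sources(text, secret_store:, env: ENV)
  text.scan(PLACEHOLDER).each_with_object({}) do |(name, default), sources|
    sources[name] =
      if secret_store.key?(name)
        env.key?(name) ? :secret_store_shadows_environment : :secret_store
      elsif env.key?(name)
        :environment
      elsif default
        :default
      else
        :undefined
      end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data standing in for a keystore and the process environment.
  sample_store = { "fancypants" => "hello world" }
  sample_env   = { "env" => "foo", "fancypants" => "value-from-environment" }
  config_line  = 'message => "${fancypants} ${env} ${port:5044}"'

  puts resolve_placeholders(config_line, secret_store: sample_store, env: sample_env)
  puts placeholder_sources(config_line, secret_store: sample_store, env: sample_env).inspect
end
```

`placeholder_sources` is useful as a pre-deployment check: a `:secret_store_shadows_environment` result points at an environment variable that no longer has any effect, and `:undefined` at a configuration that will fail to load.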

@jordansissel
Contributor

Testing both env and keystore:

# fancypants comes from keystore.
% env="foo" bin/logstash -e 'input { generator { count => 1 message => "${fancypants} ${env}"  } }'
...
  "message"    => "hello world foo"

@jakelandis
Contributor Author

re : keystore.seed

This mirrors Elasticsearch's keystore in both name and function.

index = ARGV.find_index("--path.settings")
# strip out any path.settings from the command line
unless index.nil?
path_settings_value = ARGV.slice!(index, 2)[1]
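
Review bot: `ARGV.slice!(index, 2)[1]` yields nil when `--path.settings` is the last argument, and nothing in the visible lines checks for that before `path_settings_value` is used. Verify that a value is present and fail with a usage message otherwise.
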
Contributor

Feels weird modifying the value of a constant (ARGV) here. No change necessarily required, but something to think on.

include LogStash::Util::Loggable

begin
index = ARGV.find_index("--path.settings")
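
Review bot: `ARGV.find_index("--path.settings")` matches only the exact token, so an invocation written as `--path.settings=/some/dir` is not detected here. If the `=` form is accepted elsewhere on the Logstash command line, handle it here as well or reject it with a clear message; a short comment on why this flag is parsed ahead of the other arguments would also help.
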
Contributor

This flag would benefit from users being able to discover it. I didn't see it listed in the --help output:

% bin/logstash-keystore --help


Commands
--------
create - Creates a new Logstash keystore
list   - List entries in the keystore
add    - Add a value to the keystore
remove - Remove a value from the keystore

And doing --help on a subcommand results in possibly confusing behavior:

% bin/logstash-keystore add --help

Enter value for --help: 

Contributor Author

I'll add --help as a sub command

@@ -74,6 +75,9 @@ module Environment
# Compute the default dead_letter_queue path based on `path.data`
default_dlq_file_path = ::File.join(SETTINGS.get("path.data"), "dead_letter_queue")
SETTINGS.register Setting::WritableDirectory.new("path.dead_letter_queue", default_dlq_file_path)
# Compute the default secret store path based on `path.data`
default_secret_store_file_path = ::File.join(SETTINGS.get("path.data"), "logstash.keystore")
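
Review bot: The default on the last line places `logstash.keystore` under `path.data`, next to runtime output such as `dead_letter_queue`, which puts a credentials file in a directory Logstash writes to during normal operation. Deriving the default from the settings directory would keep it with the rest of the user-managed configuration; the comment above the line should then be updated to match.
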
Contributor

The Elasticsearch docs say:

To create the elasticsearch.keystore, use the create command: ...
The file elasticsearch.keystore will be created alongside elasticsearch.yml.

However, bin/logstash-keystore create creates this file in the path.data directory:

% bin/logstash-keystore create
...
Created Logstash keystore at /home/jls/projects/logstash/data/logstash.keystore

Should this be path.config instead? (It's user-configuration, so my vote is config, not data directory)

Contributor Author

Will update.

Contributor Author

Updated to path.settings (next to logstash.yml), not path.config (next to my_input.conf) ...seems like a better fit, and assume that is what you meant.

ls config
jvm.options       log4j2.properties logstash.keystore logstash.yml      pipelines.yml     startup.options

@jordansissel
Contributor

This mirrors Elasticsearch's keystore in both name and function.

% bin/elasticsearch-keystore remove keystore.seed
% bin/elasticsearch-keystore list
<no output>

It's unclear what purpose keystore.seed has for users. I grepped around the Elasticsearch code and it's not obvious from the source code. You can remove it (shown above) and neither elasticsearch-keystore nor elasticsearch seem to notice (no warnings/errors).

The two questions I have are: Will a user ever set this manually? Will a user ever need to reference it in their logstash configuration? I think both answers are no, right? If it's not a thing users need to interact with, we should not show it to them.

@jakelandis
Contributor Author

Will a user ever set this manually?

No.

Will a user ever need to reference it in their logstash configuration?

No

I think both answers are no, right?

You clearly said two questions and this is three, so I can't answer this one.

If it's not a thing users need to interact with, we should not show it to them.

Will update to no longer show it. I only added as visible to match ES and some minor testing benefits.

@jordansissel
Contributor

I only added as visible to match ES and some minor testing benefits.

Noted! Consistency is a good approach. Maybe we can convince ES to remove this from their listing also.

@jakelandis
Contributor Author

jakelandis commented Jan 5, 2018

@jordansissel - Could you take another look? All changes have been made as requested (with just a tiny bit extra) on 6600bb0

The command line help is quite a bit more verbose now, please let me know if you think we should trim it down any.

Ninja Edit: updated diff hash link

@jordansissel
Contributor

I like the new help output.

% bin/logstash-keystore --path.settings /tmp create
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults

WARNING: The keystore password is not set. Please set the environment variable `LOGSTASH_KEYSTORE_PASS`. Failure to do so will result in reduced security. Continue without password protection on the keystore? [y/N] y
Created Logstash keystore at /tmp/logstash.keystore

The first warning doesn't seem to have enough information to take action. I believe I get this warning because I specify path.settings of /tmp and there is no /tmp/logstash.yml ?

@jakelandis
Contributor Author

The first warning doesn't seem to have enough information to take action

That warning is actually not new, and comes from the core code that checks for this. I agree it is kind of confusing. Can we consider that one outside the scope of this review?

@jakelandis
Contributor Author

Maybe call this 'argument' or 'parameter' ?

Agreed, will change. I think I like argument slightly better.

@jakelandis
Contributor Author

Where is LS_SETTINGS_DIR referenced ?

@jordansissel
Contributor

I ran the tests via gradle and many failures:

% ./gradlew test
    Finished in 4 minutes 55.9 seconds (files took 8.88 seconds to load)
    3161 examples, 33 failures, 4 pending

    Failed examples:

    rspec ./logstash-core/spec/logstash/config/mixin_spec.rb:421 # LogStash::Config::Mixin environment variable evaluation when an environment variable is set should use the value in the variable
    rspec ./logstash-core/spec/logstash/config/mixin_spec.rb:431 # LogStash::Config::Mixin environment variable evaluation when an environment variable is set should validate settings after interpolating ENV variables
    rspec ./logstash-core/spec/logstash/config/mixin_spec.rb:465 # LogStash::Config::Mixin environment variable evaluation should support $ in values should not support $ in environment variable name
    rspec ./logstash-core/spec/logstash/config/mixin_spec.rb:461 # LogStash::Config::Mixin environment variable evaluation should support $ in values should support $ in values
    rspec ./logstash-core/spec/logstash/config/mixin_spec.rb:387 # LogStash::Config::Mixin environment variable evaluation when an environment variable is not set and a default is given should use the default
    rspec ./logstash-core/spec/logstash/config/mixin_spec.rb:370 # LogStash::Config::Mixin environment variable evaluation when an environment variable is not set and no default is given should raise a configuration error
    rspec ./logstash-core/spec/logstash/runner_spec.rb:296 # LogStash::Runner pipeline settings config.debug should set 'config.debug' to false by default
    rspec ./logstash-core/spec/logstash/runner_spec.rb:159 # LogStash::Runner pipeline settings when :path.data is defined by the user should set data paths
    rspec ./logstash-core/spec/logstash/runner_spec.rb:191 # LogStash::Runner pipeline settings when :path.data is defined by the user and path.dead_letter_queue is manually set should set data paths
    rspec ./logstash-core/spec/logstash/runner_spec.rb:173 # LogStash::Runner pipeline settings when :path.data is defined by the user and path.queue is manually set should set data paths
    rspec ./logstash-core/spec/logstash/runner_spec.rb:206 # LogStash::Runner pipeline settings when :http.host is defined by the user should pass the value to the webserver
    rspec ./logstash-core/spec/logstash/runner_spec.rb:252 # LogStash::Runner pipeline settings when no :http.port is not defined by the user should use the default settings
    rspec ./logstash-core/spec/logstash/runner_spec.rb:218 # LogStash::Runner pipeline settings when :http.host is not defined by the user should pass the value to the webserver
    rspec ./logstash-core/spec/logstash/runner_spec.rb:281 # LogStash::Runner pipeline settings when :pipeline_workers is defined by the user should pass the value to the pipeline
    rspec ./logstash-core/spec/logstash/runner_spec.rb:264 # LogStash::Runner pipeline settings when :pipeline_workers is not defined by the user should not pass the value to the pipeline
    rspec ./logstash-core/spec/logstash/runner_spec.rb:240 # LogStash::Runner pipeline settings when :http.port is defined by the user should pass a range value to the webserver
    rspec ./logstash-core/spec/logstash/runner_spec.rb:230 # LogStash::Runner pipeline settings when :http.port is defined by the user should pass a single value to the webserver
    rspec ./logstash-core/spec/logstash/runner_spec.rb:398 # LogStash::Runner logstash modules --modules with an available module specified and a mocked connection to elasticsearch should not terminate logstash
    rspec ./logstash-core/spec/logstash/runner_spec.rb:358 # LogStash::Runner logstash modules --modules with an available module specified but no connection to elasticsearch should log fatally and return a bad exit code
    rspec ./logstash-core/spec/logstash/runner_spec.rb:417 # LogStash::Runner logstash modules --modules with an unavailable module specified should log fatally and return a bad exit code
    rspec ./logstash-core/spec/logstash/runner_spec.rb:326 # LogStash::Runner logstash modules --config.test_and_exit with a good configuration should exit successfully
    rspec ./logstash-core/spec/logstash/runner_spec.rb:443 # LogStash::Runner --log.level when setting to verbose should set log level to info
    rspec ./logstash-core/spec/logstash/runner_spec.rb:436 # LogStash::Runner --log.level when setting to debug should set log level to debug
    rspec ./logstash-core/spec/logstash/runner_spec.rb:429 # LogStash::Runner --log.level when not set should set log level to warn
    rspec ./logstash-core/spec/logstash/runner_spec.rb:450 # LogStash::Runner --log.level when setting to quiet should set log level to error
    rspec ./logstash-core/spec/logstash/runner_spec.rb:478 # LogStash::Runner --log.level deprecated flags when using --debug should still set the log level accordingly
    rspec ./logstash-core/spec/logstash/runner_spec.rb:491 # LogStash::Runner --log.level deprecated flags when using --verbose should still set the log level accordingly
    rspec ./logstash-core/spec/logstash/runner_spec.rb:465 # LogStash::Runner --log.level deprecated flags when using --quiet should still set the log level accordingly
    rspec ./logstash-core/spec/logstash/runner_spec.rb:505 # LogStash::Runner path.settings if does not exist should not terminate logstash
    rspec ./logstash-core/spec/logstash/runner_spec.rb:76 # LogStash::Runner argument parsing when -e is given should execute the agent
    rspec ./logstash-core/spec/logstash/runner_spec.rb:114 # LogStash::Runner --auto-reload when -e is given should exit immediately
    rspec ./logstash-core/spec/logstash/runner_spec.rb:55 # LogStash::Runner argument precedence favors the last occurence of an option
    rspec ./logstash-core/spec/logstash/runner_spec.rb:128 # LogStash::Runner --config.test_and_exit with a good configuration should exit successfully

Most (all? I haven't evaluated) of the failures are basically this:

          # ArgumentError:
          #   Setting "keystore.file" has already been registered as #<LogStash::Setting::String:0x602b9f2e @possible_strings=[], @name="keystore.file", @value=nil, @value_is_set=false, @klass=String, @strict=true, @default="/home/jls/projects/logstash/config/logstash.keystore", @validator_proc=nil>
          #   ./logstash-core/lib/logstash/settings.rb:25:in `register'

terminal.writeLine("");
terminal.writeLine("Options:");
terminal.writeLine("--------");
terminal.writeLine("--path.settings - Set the directory for the keystore. This is should be the same directory as the logstash.yml settings file. " +
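
Review bot: The help string on the `--path.settings` line reads "This is should be the same directory", which is a typo in user-facing output. Change it to "This should be the same directory".
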
Contributor

This is where LS_SETTINGS_DIR is referenced.

@jordansissel
Contributor

Can we consider that one outside the scope of this review ?

I'm ok with this, but I'm certain the first customers who experience this will file an issue which will be escalated to us. I'd prefer to avoid that human cost.

It's likely a user providing --path.settings is probably rare, do you think? If expected to be rare, we can defer improvement of the message to another PR.

@jordansissel
Contributor

this is looking very good!

I'm not sure why the (ruby) test suite fails for me. Does it pass for you?

@jordansissel
Contributor

@jakelandis let me know what else you need.

Conditional LGTM if:

  1. the tests pass
  2. the LS_SETTINGS_DIR mention is removed from --help
  3. the Could not find logstash.yml message concern is resolved (which can be resolved as defer-until-future-pr, at your option)

If all 3 above are resolved, this is good to merge.

@jakelandis
Contributor Author

jakelandis commented Jan 12, 2018

@jordansissel - Changes : 135819a

the tests pass

  • Had a minor bug in error handling of mis-configuration (only possible via tests)
  • Had issues with the global state of the SETTINGS object bleeding global state between tests when run in a certain order.
  • I have them passing locally, but will let Jenkins be the authoritative source with a PR to master.

the LS_SETTINGS_DIR mention is removed from --help

done.

the Could not find logstash.yml message concern is resolved (which can be resolved as defer-until-future-pr, at your option)

Logged #8934 to address

@jakelandis
Contributor Author

merging to feature branch.

@jakelandis jakelandis merged commit fb4d082 into elastic:secret-store Jan 12, 2018
@jakelandis
Contributor Author

grr.... just found another issue with the global state/registration settings mess...

@jakelandis
Contributor Author

jakelandis commented Jan 12, 2018

GH won't let me add more commits here... so I pushed directly to feature branch 8bb47d9

I will have one last PR before this hits master, so if changes are requested I can make them there.

jakelandis added a commit to jakelandis/logstash that referenced this pull request Jan 12, 2018
…ta store.

Fixes elastic#8657

Part 1: API and JavaKeyStore implementation (elastic#8657)

Introduces the API to read/write/delete sensitive data from a secure store and includes a Java KeyStore implementation. Note - this commit does NOT integrate with the Logstash configuration or settings.

Part 2: Secret Store: SecretStoreFactory, SecureConfig, Obfuscation and X-JVM support (elastic#8659)

*  Secret Store: SecretStoreFactory, SecureConfig, Obfuscation and X-JVM support

* Introduce a SecretStoreFactory to allow runtime definition of SecretStore implementation.
* Introduce a SecureConfig to allow simple configuration of different SecretStore implementation.
* Introduce random default password plus obfuscation. Best attempt at security through obscurity.
* Corrections / better support for x-JVM modification.

Part 3: Secret Store: SecretStore, SecretStoreFactory, JavaKeystore - refactor (elastic#8745)

* Adds more CRUD like operations for SecretStore API
* SecretStoreFactory Mirror API's CRUD operations
* Adds 'exists' to API to allow command line warning 'Overwrite ?'
* Minor readability

Part 4: Integrate secret store with Logstash core (elastic#8905)

This change introduces the command line tooling and hooks needed to allow Logstash to use the secret store. This change hooks into the same logic that does the environment variable substitution. The command line mirrors the Elasticsearch command line, and is implemented primarily in Java.
jakelandis added a commit to jakelandis/logstash that referenced this pull request Jan 13, 2018
…ta store.

Fixes elastic#8657

Part 1: API and JavaKeyStore implementation (elastic#8657)

Introduces the API to read/write/delete sensitive data from a secure store and includes a Java KeyStore implementation. Note - this commit does NOT integrate with the Logstash configuration or settings.

Part 2: Secret Store: SecretStoreFactory, SecureConfig, Obfuscation and X-JVM support (elastic#8659)

*  Secret Store: SecretStoreFactory, SecureConfig, Obfuscation and X-JVM support

* Introduce a SecretStoreFactory to allow runtime definition of SecretStore implementation.
* Introduce a SecureConfig to allow simple configuration of different SecretStore implementation.
* Introduce random default password plus obfuscation. Best attempt at security through obscurity.
* Corrections / better support for x-JVM modification.

Part 3: Secret Store: SecretStore, SecretStoreFactory, JavaKeystore - refactor (elastic#8745)

* Adds more CRUD like operations for SecretStore API
* SecretStoreFactory Mirror API's CRUD operations
* Adds 'exists' to API to allow command line warning 'Overwrite ?'
* Minor readability

Part 4: Integrate secret store with Logstash core (elastic#8905)

This change introduces the command line tooling and hooks needed to allow Logstash to use the secret store. This change hooks into the same logic that does the environment variable substitution. The command line mirrors the Elasticsearch command line, and is implemented primarily in Java.

Part 5: Hardening and test fixes (this PR)
elasticsearch-bot pushed a commit that referenced this pull request Jan 13, 2018
…ta store.

Fixes #8657

Part 1: API and JavaKeyStore implementation (#8657)

Introduces the API to read/write/delete sensitive data from a secure store and includes a Java KeyStore implementation. Note - this commit does NOT integrate with the Logstash configuration or settings.

Part 2: Secret Store: SecretStoreFactory, SecureConfig, Obfuscation and X-JVM support (#8659)

*  Secret Store: SecretStoreFactory, SecureConfig, Obfuscation and X-JVM support

* Introduce a SecretStoreFactory to allow runtime definition of SecretStore implementation.
* Introduce a SecureConfig to allow simple configuration of different SecretStore implementation.
* Introduce random default password plus obfuscation. Best attempt at security through obscurity.
* Corrections / better support for x-JVM modification.

Part 3: Secret Store: SecretStore, SecretStoreFactory, JavaKeystore - refactor (#8745)

* Adds more CRUD like operations for SecretStore API
* SecretStoreFactory Mirror API's CRUD operations
* Adds 'exists' to API to allow command line warning 'Overwrite ?'
* Minor readability

Part 4: Integrate secret store with Logstash core (#8905)

This change introduces the command line tooling and hooks needed to allow Logstash to use the secret store. This change hooks into the same logic that does the environment variable substitution. The command line mirrors the Elasticsearch command line, and is implemented primarily in Java.

Part 5: Hardening and test fixes (this PR)

Fixes #8935
insukcho pushed a commit to insukcho/logstash that referenced this pull request Feb 1, 2018
…ta store.

Fixes elastic#8657

Part 1: API and JavaKeyStore implementation (elastic#8657)

Introduces the API to read/write/delete sensitive data from a secure store and includes a Java KeyStore implementation. Note - this commit does NOT integrate with the Logstash configuration or settings.

Part 2: Secret Store: SecretStoreFactory, SecureConfig, Obfuscation and X-JVM support (elastic#8659)

*  Secret Store: SecretStoreFactory, SecureConfig, Obfuscation and X-JVM support

* Introduce a SecretStoreFactory to allow runtime definition of SecretStore implementation.
* Introduce a SecureConfig to allow simple configuration of different SecretStore implementation.
* Introduce random default password plus obfuscation. Best attempt at security through obscurity.
* Corrections / better support for x-JVM modification.

Part 3: Secret Store: SecretStore, SecretStoreFactory, JavaKeystore - refactor (elastic#8745)

* Adds more CRUD like operations for SecretStore API
* SecretStoreFactory Mirror API's CRUD operations
* Adds 'exists' to API to allow command line warning 'Overwrite ?'
* Minor readability

Part 4: Integrate secret store with Logstash core (elastic#8905)

This change introduces the command line tooling and hooks needed to allow Logstash to use the secret store. This change hooks into the same logic that does the environment variable substitution. The command line mirrors the Elasticsearch command line, and is implemented primarily in Java.

Part 5: Hardening and test fixes (this PR)

Fixes elastic#8935