Use unencrypted P12 keystore for ES (#123650)

Joe Portner 2022-01-24 16:37:27 -05:00 committed by GitHub
parent 39e6b74958
commit f2e2add9ae
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 9 deletions


@ -18,7 +18,7 @@ const { createCliError } = require('./errors');
const { promisify } = require('util');
const treeKillAsync = promisify(require('tree-kill'));
const { parseSettings, SettingsFilter } = require('./settings');
const { CA_CERT_PATH, ES_P12_PATH, ES_P12_PASSWORD, extract } = require('@kbn/dev-utils');
const { CA_CERT_PATH, ES_NOPASSWORD_P12_PATH, extract } = require('@kbn/dev-utils');
const readFile = util.promisify(fs.readFile);
// listen to data on stream until map returns anything but undefined
@ -260,9 +260,10 @@ exports.Cluster = class Cluster {
// Include default keystore settings only if keystore isn't configured.
if (!esArgs.some((arg) => arg.startsWith('xpack.security.http.ssl.keystore'))) {
esArgs.push(`xpack.security.http.ssl.keystore.path=${ES_P12_PATH}`);
esArgs.push(`xpack.security.http.ssl.keystore.path=${ES_NOPASSWORD_P12_PATH}`);
esArgs.push(`xpack.security.http.ssl.keystore.type=PKCS12`);
esArgs.push(`xpack.security.http.ssl.keystore.password=${ES_P12_PASSWORD}`);
// We are explicitly using ES_NOPASSWORD_P12_PATH instead of ES_P12_PATH + ES_P12_PASSWORD. The reasoning for this is that setting
// the keystore password using environment variables causes Elasticsearch to emit deprecation warnings.
}
}
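Review bot: The new comment in the keystore block gives the deprecation-warning motivation but not the security trade-off: the private key in the file behind `ES_NOPASSWORD_P12_PATH` now sits on disk without password protection, which is presumably acceptable only because it is a development certificate shipped in `@kbn/dev-utils`. I would state that in the comment and move it above the `keystore.path` push it explains, e.g. `// Dev-only keystore with no password: never reuse this file or its key outside local development and tests.` The comment also says the password was set through environment variables, while the removed line passed it as an `esArgs` setting, so that wording may need adjusting. The enclosing method starts outside the hunk.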


@ -9,8 +9,7 @@
const {
ToolingLog,
ToolingLogCollectingWriter,
ES_P12_PATH,
ES_P12_PASSWORD,
ES_NOPASSWORD_P12_PATH,
createAnyInstanceSerializer,
createStripAnsiSerializer,
} = require('@kbn/dev-utils');
@ -292,9 +291,8 @@ describe('#start(installPath)', () => {
const config = extractConfigFiles.mock.calls[0][0];
expect(config).toContain('xpack.security.http.ssl.enabled=true');
expect(config).toContain(`xpack.security.http.ssl.keystore.path=${ES_P12_PATH}`);
expect(config).toContain(`xpack.security.http.ssl.keystore.path=${ES_NOPASSWORD_P12_PATH}`);
expect(config).toContain(`xpack.security.http.ssl.keystore.type=PKCS12`);
expect(config).toContain(`xpack.security.http.ssl.keystore.password=${ES_P12_PASSWORD}`);
});
it(`doesn't setup SSL when disabled`, async () => {
@ -371,9 +369,8 @@ describe('#run()', () => {
const config = extractConfigFiles.mock.calls[0][0];
expect(config).toContain('xpack.security.http.ssl.enabled=true');
expect(config).toContain(`xpack.security.http.ssl.keystore.path=${ES_P12_PATH}`);
expect(config).toContain(`xpack.security.http.ssl.keystore.path=${ES_NOPASSWORD_P12_PATH}`);
expect(config).toContain(`xpack.security.http.ssl.keystore.type=PKCS12`);
expect(config).toContain(`xpack.security.http.ssl.keystore.password=${ES_P12_PASSWORD}`);
});
it(`doesn't setup SSL when disabled`, async () => {
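Review bot: Both updated tests (`#start(installPath)` and `#run()`) drop the `keystore.password` expectation without a negative assertion in its place, so a regression that re-adds the password setting alongside the passwordless keystore would pass unnoticed. Assuming `config` is an array of setting strings, a check such as `expect(config.some((s) => s.startsWith('xpack.security.http.ssl.keystore.password'))).toBe(false);` after the `keystore.type` expectation would pin the new behaviour. The test bodies start outside the hunks.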