Settings migration to Opensearch #1176

2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -57,7 +57,7 @@ jobs:
uses: github/codeql-action/analyze@v1

- name: Test
run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true mvn -B test
run: SECURITY_TEST_OPENSSL_OPT=true mvn -B test

- name: Coverage
uses: codecov/codecov-action@v1
Expand Up @@ -75,7 +75,7 @@ public HTTPSpnegoAuthenticator(final Settings settings, final Path configPath) {
super();
try {
final Path configDir = new Environment(settings, configPath).configFile();
final String krb5PathSetting = settings.get("opendistro_security.kerberos.krb5_filepath");
final String krb5PathSetting = settings.get("plugins.security.kerberos.krb5_filepath");

final SecurityManager sm = System.getSecurityManager();

Expand Down Expand Up @@ -129,19 +129,19 @@ public Void run() {
}

stripRealmFromPrincipalName = settings.getAsBoolean("strip_realm_from_principal", true);
acceptorPrincipal = new HashSet<>(settings.getAsList("opendistro_security.kerberos.acceptor_principal", Collections.emptyList()));
final String _acceptorKeyTabPath = settings.get("opendistro_security.kerberos.acceptor_keytab_filepath");
acceptorPrincipal = new HashSet<>(settings.getAsList("plugins.security.kerberos.acceptor_principal", Collections.emptyList()));
final String _acceptorKeyTabPath = settings.get("plugins.security.kerberos.acceptor_keytab_filepath");

if(acceptorPrincipal == null || acceptorPrincipal.size() == 0) {
log.error("acceptor_principal must not be null or empty. Kerberos authentication will not work");
acceptorPrincipal = null;
}

if(_acceptorKeyTabPath == null || _acceptorKeyTabPath.length() == 0) {
log.error("opendistro_security.kerberos.acceptor_keytab_filepath must not be null or empty. Kerberos authentication will not work");
log.error("plugins.security.kerberos.acceptor_keytab_filepath must not be null or empty. Kerberos authentication will not work");
acceptorKeyTabPath = null;
} else {
acceptorKeyTabPath = configDir.resolve(settings.get("opendistro_security.kerberos.acceptor_keytab_filepath"));
acceptorKeyTabPath = configDir.resolve(settings.get("plugins.security.kerberos.acceptor_keytab_filepath"));

if(!Files.exists(acceptorKeyTabPath)) {
log.error("Unable to read keytab from {} - Maybe the file does not exist or is not readable. Kerberos authentication will not work", acceptorKeyTabPath);
Expand All @@ -159,7 +159,7 @@ public Void run() {

} catch (Throwable e) {
log.error("Cannot construct HTTPSpnegoAuthenticator due to {}", e.getMessage(), e);
log.error("Please make sure you configured 'opendistro_security.kerberos.acceptor_keytab_filepath' realtive to the ES config/ dir!");
log.error("Please make sure you configured 'plugins.security.kerberos.acceptor_keytab_filepath' realtive to the ES config/ dir!");
throw e;
}

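Review bot: The constructor now reads only the `plugins.security.kerberos.*` keys (the `krb5_filepath`, `acceptor_principal` and `acceptor_keytab_filepath` lookups) with no fallback to the former `opendistro_security.kerberos.*` names, so a node upgraded with an unchanged configuration takes the null/empty branch, sets `acceptorKeyTabPath` to null and logs "must not be null or empty ... Kerberos authentication will not work" instead of refusing to start; if that is the intended migration behaviour it deserves a comment such as `// no legacy opendistro_security.* fallback: old keys are ignored and only logged as an error`, otherwise a fallback lookup is needed. The same concern applies to the `SSLConfigConstants` renames in the two SSL hunks further down, though whether those constants' string values changed is not visible here. The `else` branch re-reads `settings.get("plugins.security.kerberos.acceptor_keytab_filepath")` although `_acceptorKeyTabPath` already holds that value; `acceptorKeyTabPath = configDir.resolve(_acceptorKeyTabPath);` avoids the duplicate lookup. The retouched catch-block message still says `realtive to the ES config/ dir`, which should read `relative to the OpenSearch config/ dir` now that the setting namespace has moved. The constructor body begins and ends outside these hunks.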
Expand Up @@ -561,23 +561,23 @@ private static Map<String, Object> configureSSL(final ConnectionConfig config, f

} else {
final KeyStore trustStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
configPath, !trustAll),
settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));

final List<String> trustStoreAliases = settings.getAsList(ConfigConstants.LDAPS_JKS_TRUST_ALIAS, null);

// for client authentication
final KeyStore keyStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
configPath, enableClientAuth),
settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
final String keyStorePassword = settings.get(
SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD);

final String keyStoreAlias = settings.get(ConfigConstants.LDAPS_JKS_CERT_ALIAS, null);
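Review bot: The keystore password is looked up twice on the new side of `configureSSL`: once inline in the `PemKeyReader.loadKeyStore(...)` call for the client keystore and again four lines later into `keyStorePassword`, both as `settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)`. Declaring `keyStorePassword` before the `loadKeyStore` call and passing it in keeps the two reads from drifting apart in a future rename like this one. `initFromKeyStore` in the next file section has the same duplicated read, inside its `try` and again after it. `configureSSL` starts and ends outside this hunk.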
Expand Up @@ -308,14 +308,14 @@ private void initFromKeyStore() throws SSLConfigException {

try {
trustStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
configPath, !isTrustAllEnabled()),
settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
} catch (Exception e) {
throw new SSLConfigException("Error loading trust store from "
+ settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH), e);
+ settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH), e);
}

effectiveTruststoreAliases = getSettingAsList(CA_ALIAS, null);
Expand All @@ -324,17 +324,17 @@ private void initFromKeyStore() throws SSLConfigException {

try {
keyStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
configPath, enableSslClientAuth),
settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
} catch (Exception e) {
throw new SSLConfigException("Error loading key store from "
+ settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e);
+ settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e);
}

String keyStorePassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD);
effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null
: keyStorePassword.toCharArray();