Class KeyStoreWrapper

java.lang.Object
  org.elasticsearch.common.settings.KeyStoreWrapper

All Implemented Interfaces: java.io.Closeable, java.lang.AutoCloseable, SecureSettings

public class KeyStoreWrapper extends java.lang.Object implements SecureSettings
A disk based container for sensitive settings in Elasticsearch.

Loading a keystore has 2 phases. First, call load(Path). Then call decrypt(char[]) with the keystore password, or an empty char array if hasPassword() is false. Loading and decrypting should happen in a single thread. Once decrypted, settings may be read in multiple threads.
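The two-phase load/decrypt sequence described above, as an added usage example that is not part of the Elasticsearch source or this Javadoc. It uses only the methods documented on this page plus SecureString.getChars() (an assumption about that class), and the setting name and config directory are supplied by the caller.

```java
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.Arrays;

import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;

public final class KeyStoreUsage {

    // Phase 1 (load) and phase 2 (decrypt) run in one thread, as the class doc requires.
    // Returns a copy of the value's chars, or null if no keystore or no such setting exists;
    // the caller owns the returned array and should zero it when finished with it.
    static char[] readSecureSetting(Path configDir, char[] password, String settingName)
            throws Exception {
        // try-with-resources tolerates a null resource: load() returns null if no keystore exists.
        try (KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir)) {
            if (keystore == null) {
                return null;
            }
            // A keystore without a password is decrypted with an empty char array.
            // decrypt() may only be called once per wrapper instance.
            keystore.decrypt(keystore.hasPassword() ? password : new char[0]);
            // Setting names are readable even after close(); values are not, so check first.
            if (!keystore.getSettingNames().contains(settingName)) {
                return null;
            }
            // getString() returns a SecureString that should be closed once it is used.
            try (SecureString value = keystore.getString(settingName)) {
                return value.getChars().clone();  // assumption: SecureString exposes getChars()
            }
        } finally {
            if (password != null) {
                Arrays.fill(password, '\0');  // do not leave the keystore password in memory
            }
        }
    }

    // Detect a changed value without retaining the value itself: compare the SHA-256 digest
    // the wrapper keeps (available even after close()) with a previously recorded digest,
    // using a constant-time comparison so the check leaks nothing about where they differ.
    static boolean settingChanged(KeyStoreWrapper keystore, String settingName,
                                  byte[] previousDigest) {
        byte[] current = keystore.getSHA256Digest(settingName);  // the setting must exist
        return !MessageDigest.isEqual(previousDigest, current);
    }
}
```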
Field Summary

static Setting<SecureString> SEED_SETTING
Method Summary

static void addBootstrapSeed(KeyStoreWrapper wrapper)
    Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node.
void close()
static KeyStoreWrapper create()
    Constructs a new keystore with the given password.
void decrypt(char[] password)
    Decrypts the underlying keystore data.
java.io.InputStream getFile(java.lang.String setting)
    Return a file setting.
int getFormatVersion()
    Get the metadata format version for the keystore.
java.util.Set<java.lang.String> getSettingNames()
    It is possible to retrieve the setting names even if the keystore is closed.
byte[] getSHA256Digest(java.lang.String setting)
    Returns the SHA256 digest for the setting's value, even after close() has been called.
SecureString getString(java.lang.String setting)
    Return a string setting.
boolean hasPassword()
    Return true iff calling decrypt(char[]) requires a non-empty password.
boolean isLoaded()
    Returns true iff the settings are loaded and retrievable.
static java.nio.file.Path keystorePath(java.nio.file.Path configDir)
    Returns a path representing the ES keystore in the given config dir.
static KeyStoreWrapper load(java.nio.file.Path configDir)
    Loads information about the Elasticsearch keystore from the provided config directory.
void save(java.nio.file.Path configDir, char[] password)
    Write the keystore to the given config directory.
static void upgrade(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password)
    Upgrades the format of the keystore, if necessary.
static void validateSettingName(java.lang.String setting)
    Ensure the given setting name is allowed.
Field Details

Method Details

getFormatVersion

public int getFormatVersion()
Get the metadata format version for the keystore.
keystorePath

public static java.nio.file.Path keystorePath(java.nio.file.Path configDir)
Returns a path representing the ES keystore in the given config dir.
create

public static KeyStoreWrapper create()
Constructs a new keystore with the given password.
addBootstrapSeed

public static void addBootstrapSeed(KeyStoreWrapper wrapper)
Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node.
load

public static KeyStoreWrapper load(java.nio.file.Path configDir) throws java.io.IOException
Loads information about the Elasticsearch keystore from the provided config directory. decrypt(char[]) must be called before reading or writing any entries. Returns null if no keystore exists.
Throws: java.io.IOException
upgrade

public static void upgrade(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password) throws java.lang.Exception
Upgrades the format of the keystore, if necessary.
Throws: java.lang.Exception
isLoaded

public boolean isLoaded()
Description copied from interface: SecureSettings
Returns true iff the settings are loaded and retrievable.
Specified by: isLoaded in interface SecureSettings
hasPassword

public boolean hasPassword()
Return true iff calling decrypt(char[]) requires a non-empty password.
decrypt

public void decrypt(char[] password) throws java.security.GeneralSecurityException, java.io.IOException
Decrypts the underlying keystore data. This may only be called once.
Throws: java.security.GeneralSecurityException, java.io.IOException
save

public void save(java.nio.file.Path configDir, char[] password) throws java.lang.Exception
Write the keystore to the given config directory.
Throws: java.lang.Exception
getSettingNames

public java.util.Set<java.lang.String> getSettingNames()
It is possible to retrieve the setting names even if the keystore is closed. This allows SecureSetting to correctly determine that an entry exists even though it cannot be read. Thus attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.
Specified by: getSettingNames in interface SecureSettings
getString

public SecureString getString(java.lang.String setting)
Description copied from interface: SecureSettings
Return a string setting. The SecureString should be closed once it is used.
Specified by: getString in interface SecureSettings
getFile

public java.io.InputStream getFile(java.lang.String setting)
Description copied from interface: SecureSettings
Return a file setting. The InputStream should be closed once it is used.
Specified by: getFile in interface SecureSettings
getSHA256Digest

public byte[] getSHA256Digest(java.lang.String setting)
Returns the SHA256 digest for the setting's value, even after close() has been called. The setting must exist. The digest is used to check for value changes without actually storing the value.
Specified by: getSHA256Digest in interface SecureSettings
validateSettingName

public static void validateSettingName(java.lang.String setting)
Ensure the given setting name is allowed.
Throws: java.lang.IllegalArgumentException - if the setting name is not valid
close

public void close()
Specified by: close in interface java.lang.AutoCloseable
Specified by: close in interface java.io.Closeable
Specified by: close in interface SecureSettings