Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set elastic password from stored hash for packaged installations #75704

Closed
jkakavas opened this issue Jul 26, 2021 · 7 comments
Closed

Set elastic password from stored hash for packaged installations #75704

jkakavas opened this issue Jul 26, 2021 · 7 comments
Labels
:Security/Security Security issues without another label Team:Security Meta label for security team v8.0.0-beta1

Comments

@jkakavas
Copy link
Member

jkakavas commented Jul 26, 2021
edited
Loading

During packaged installations we will be generating and storing a new setting, named autoconfiguration.password_hash in the elasticsearch.keystore. This will be the -to be- password of the elastic user and its value in the keystore will be salted and hashed using the default hashing algorithm of elasticsearch.

We should

  • Detect that there is an autoconfiguration.password_hash setting in the keystore
  • Create the document for the elastic built-in user in the security index and set its password to the value it read from autoconfiguration.password_hash
  • Allow the users to authenticate locally to the node with the actual password that is hashed and stored in autoconfiguration.password_hash even before the password is "promoted" to the security index.
  • Strive to have a deterministic behavior that is as simple as possible and easy to describe/argue about. i.e. we should
    • try to prevent race conditions from different nodes attempting to set the password in the security index
    • ensure that once a successful authentication happens with a given password, this password will not change without explicit user interaction.
  • not override a user added password ( i.e. on restarts )

Out of scope / handled in other work items

  • We can assume the password is already generated and hashed/stored in the keystore
@jkakavas jkakavas added :Security/Security Security issues without another label v8.0.0 labels Jul 26, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jul 26, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@BigPandaToo
Copy link
Contributor

Moving discussion from this draft here...

@jkakavas

what should happen if the security index gets deleted ? Would bootstrapping this again to set value be >valuable/surprising/wrong?

I think it may be valuable (if the index was deleted by mistake for example). Also if it was a conscious decision made by a user it would be confusing, because they would expect the old bootstrap password behaviour. How can we determine that the index has been deleted? Should we try to remove the autoconfiguration.password_hash from that node's keystore once we read it to XPackSettings?

@albertzaharovits

Doing it [setting password hash] in the action listener adds a level of ambiguity about when the password hash is actually >going to take effect, i.e. the keystore seed is a valid password before the index is created, and also after the index is created >but before the change password is executed

But as you suggested above we are going to prioritize autoconfiguration.password_hash over keystore seed

@jkakavas

[If we fail to set the password the first time] something else might have created the security index until the second time this >node starts.. We could in theory extend the check to be "security index doesn't exist or the doc for the elastic user doesn't >exist"

What would be that "something"?

@jkakavas
Copy link
Member Author

How can we determine that the index has been deleted?

We are discussing about triggering some code paths when the security index doesn't exist. If it gets deleted, it won't exist and the behavior will be triggered.

Should we try to remove the autoconfiguration.password_hash from that node's keystore once we read it to XPackSettings?

We can't unfortunately since the file is owned by root and elasticsearch can't write to it.

What would be that "something"?

We trigger the auto-creation of the security index when we need to index a doc into it ( see SecurityIndexManager#prepareIndexIfNeededThenExecute so that something could be the addition of a native user, the creation of an API key etc.

@BigPandaToo
Copy link
Contributor

We are discussing about triggering some code paths when the security index doesn't exist. If it gets deleted, it won't exist >and the behavior will be triggered.

What meant: how we detect that we have already bootstrapped the user and the index was deleted after. I don't think we have a way to detect it, right? But if autoconfiguration.password_hash doesn't exist anymore we won't attempt to do it again.

@BigPandaToo
Copy link
Contributor

We can't unfortunately since the file is owned by root and elasticsearch can't write to it.

((

@BigPandaToo
Copy link
Contributor

so that something could be the addition of a native user, the creation of an API key etc.

Checking for that a doc forelastic doesn't exist is still an option

@jkakavas jkakavas mentioned this issue Aug 23, 2021
Merged
BigPandaToo added a commit to BigPandaToo/elasticsearch that referenced this issue Aug 30, 2021
@BigPandaToo
Setting elastic password from stored hash
0ffe056 
In package installations, we will be generating the password of
the elastic user on installation and we will be storing the hash
of it to the elasticsearch.keystore.
This change will
- attempt to create the security index and elastic user document at the
time of the first successful authentication using the
the "promised" password
- if bootstrap.password setting is detected, won’t attempt to use
autoconfiguration.password_hash setting and proceed with the normal
authentication path
- if elastic user document exists, won't attempt to use
autoconfiguration.password_hash setting and proceed with the normal
authentication path
- if unable  to create the Security Index for any reason, returns
HTTP_SERVER_ERROR to indicate that the cluster is probably not ready yet

Resolves: elastic#75704
@BigPandaToo BigPandaToo mentioned this issue Aug 30, 2021
Closed
@jkakavas jkakavas mentioned this issue Sep 22, 2021
Merged
albertzaharovits added a commit that referenced this issue Oct 14, 2021
@albertzaharovits @jkakavas
Auto configure TLS for new nodes of new clusters (#77231)
b257da1 
This commit introduces TLS auto-configuration for elasticsearch nodes, during
the first startup. A number of heuristics are performed in order to determine if
the node should get TLS auto-configuration which can also be explicitly
disallowed with the use of xpack.security.autoconfiguration.enabled setting.

This affects archive installations and docker. Packaged installations are
handled in #75144 and #75704 .

Co-authored-by: Ioannis Kakavas <[email protected]>
@jkakavas
Copy link
Member Author

Closed by #78306

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Security/Security Security issues without another label Team:Security Meta label for security team v8.0.0-beta1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Setting elastic password from stored hash BigPandaToo/elasticsearch
4 participants
@jakelandis @jkakavas @elasticmachine @BigPandaToo