Reset elastic password cli tool

[jkakavas]

This change introduces a new CLI tool that allows users to reset
the password for the elastic user, setting it to a user defined
or an auto-generated value.

Resolves: #70113
Depends on: #74890

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[jkakavas]

We were chatting around this with @albertzaharovits today. This seems reasonable as a base check but were wondering whether a more nuanced approach is necessary/helpful.

The concern is that for some tools that extend this command and have specialized purpose and needs, this check might be overly coarse grained. Point in case, for the reset password tool, we might not be interested if any data index is red( making the cluster health red ), as long as .security is green. On the other hand, we want this to be useful even if the .security index is not yet created so we'd need to check for the existence of the .security index before the health check so that it won't time out. We can't use the exists API in 8.0 for system indices, so we'd have to use _cat/indices or _cat/aliases and parse the response.

The question is whether we need this nuanced approach, and if we do, do we implement it here in the base class or do we abstract it and let the extending classes implement this as they see fit. Given in the two classes that extend this (CreateEnrollmentTokenTool and ResetElasticPasswordTool) so far, we only care about the security index, I lean on doing the former.

[jkakavas]

_cat/indices and/or _cat/aliases are not that friendly for parsing the output. Another idea would be to not attempt to do the health check up front, but depend on the error message that we would get from Elasticsearch in order to determine if the security index health is RED. There are a couple of issues with this too:

• We don't consistently check the health of the security index in the SecurityIndexManager before making operations on it. Some methods do manual checks like isAvailable() and then call checkIndexVersionThenExecute, some call prepareIndexIfNeededThenExecute() directly which doesn't call isAvailable(). So we would need to depend on the behavior of the actual indexing of the document in the index.
• Not all implementing classes of BaseRunAsSuperuser will be calling APIs with the CommandLineHttpClient themselves. Reset password does, but CreateEnrollmentTokenTool does not, instead depends on CreateEnrollmentToken methods that call the APIs internally and will wrap exceptions.

It should still be doable but some of it sounds like guesswork.

Is "if your cluster health is RED, you shouldn't be making additional operations on it (like using these tools) unless it's about resolving the issue, so the tool doesn't work if cluster health is RED" an appropriate stance or do we think that a nuanced approach ( i.e. each tool defines it's own health/index checks as it sees fit and the base class just validates file realm auto-generated credentials ) is helpful and necessary ?

Opening up the discussion, @tvernum I know from previous discussions that you have opinions on this type of behavior by our CLI tools, care to chime in?

[albertzaharovits]

Disclaimer: Speaking in principle, haven't checked the code too carefully:
Any check that we do before the actual operation has limited usefulness because the condition can change in between the time of check and the operation time (time of check, time of use).
I think it's worth investing in some tests that "pin" the errors (ideally consistent across APIs) for an unavailable/red .security index.

[jkakavas]

We chatted with Tim a little bit about this and we came to a similar conclusion which was that until we can identify all the ways this can fail in an actionable and informative way, replicating the behavior of other tools ( warn if cluster health is red and allow to override ) is preferable to complicate the checks for handling some of the cases. I plan on moving forward as is and open an issue to track the effort to do what you suggest, if you don't think this is blocking for the current PR

[albertzaharovits]

Looks like you're building an environment here.
There is the EnvironmentAwareCommand to handle that.

[jkakavas]

BaseRunAsSuperuserCommand extends KeyStoreAwareCommand which extends EnvironmentAwareCommand already. What I need to do here is to to factor in the secure settings we might have read from the keystore , thus the new environment. Not sure how EnvironmentAwareCommand can handle that for me ,let me know if I'm missing something !

[albertzaharovits]

Do you think guaranteeing that the user has roles assigned when it exists is important?

To make it appear atomic, maybe it would be better to first update the roles file and then the users file (otherwise there are states where the user exists but doesn't have a role, and we ought to handle this case as a retry).
In addition, we would also have to change the server code to ensure that if the roles file is changed before the users file, changes to the roles file are always considered when updating the users.

[jkakavas]

Do you think guaranteeing that the user has roles assigned when it exists is important?

Yes!Thanks.

To make it appear atomic, maybe it would be better to first update the roles file and then the users file

I think that's a good idea nevertheless

In addition, we would also have to change the server code to ensure that if the roles file is changed before the users file, changes to the roles file are always considered when updating the users.

Not sure I follow this, maybe we can quickly chat in our sync

[jkakavas]

Changed the order of execution here and added 403 to the list of error codes we should retry upon

[albertzaharovits]

If possible, lets factor out the code in the server code that tells the file realm configuration is correct and that a file realm is enabled and its order.

[jkakavas]

This check is already happening on server side

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java

Line 321 in 4880cea

if (internalTypes.contains(identifier.getType())) {

[jkakavas]

I can remove the check if you think it's cleaner. The base class assumes that any tool that extends it already needs a running cluster and if a node attempts to start with a configuration file that has more than one file realms, then the node would fail to start because of that, so in theory we would never stumble upon this error in the tool.

[BigPandaToo]

As I understand this supposed to be a help message (Command$printHelp)

[jkakavas]

The description of the command is printed when the command is run with -h , yes. Can you elaborate on what your comment was about ? Thanks!

[BigPandaToo]

I would expect a description of allowed parameters (like node/kibana)

[jkakavas]

I would expect a description of allowed parameters (like node/kibana)

We don't put these in the description of the command. All of our CLI tools extend Command and it calls printHelp when the -h parameter is passed ( or on error ). printHelp prints the parameters and their description.

FWIW, the ouput of the -h is

Creates enrollment tokens for elasticsearch nodes and kibana instances

Option (* = required)  Description                                             
---------------------  -----------                                             
-E <KeyValuePair>      Configure a setting                                     
-f, --force            Use this option to force execution of the command       
                         against a cluster that is currently unhealthy.        
-h, --help             Show help                                               
* -s, --scope          The scope of this enrollment token, can be either "node"
                         or "kibana"                                           
-v, --verbose          Show verbose output        

[BigPandaToo]

Should we try to clean UserRolesStore anyway?

[jkakavas]

Yes good idea. I originally thought that worst case scenario is that the roles files remain but reference a non-existent user which is ok. It is a bit sloppy and it's a similar comment to what Albert made on the original PR about trying to make these 2 changes atomic. I will rework this

[BigPandaToo]

Can the password be null? If yes, the user will stay in the file

[jkakavas]

See java.util.Map#remove and FileUserPasswdStore#parseFile. In short, parseFile wlll not return a Map that has a null value because we would have bailed on parsing it. As such, if remove returns null is because the users Map did not contain an entry with the username key.

[BigPandaToo]

Same as above

[BigPandaToo]

or => of
Also, I believe the description is supposed to be the help message

[jkakavas]

Also, I believe the description is supposed to be the help message

It is !

[jkakavas]

I repeated some comments on Base class from the create enrollment token tool PR, pls ignore them if you address them there

Thanks ! Let's keep things contained in one of the PRs. Ideally, as discussed, we can review and merge CreateEnrollmentTokensTool first and then I'll rebase the changes here. No need to have the same discussion in multiple places.

[BigPandaToo]

I added a comment about the help message, I may be wrong about my expectation from the -help, so I am leaving it to you
LGTM otherwise

[jkakavas]

I added a comment about the help message, I may be wrong about my expectation from the -help, so I am leaving it to you
LGTM otherwise

I explained in #74892 (comment)

[lockewritesdocs]

@elasticmachine run elasticsearch-ci/docs

[lockewritesdocs]

Left a number of comments and suggested changes. A few options seemed missing, so I added those or left questions about them.

[albertzaharovits]

LGTM

One minor question: the namespace for ResetElasticPasswordTool looks to me a bit generic. I would've assigned the same namespace as the SetupPasswordTool.

[jkakavas]

the namespace for ResetElasticPasswordTool looks to me a bit generic. I would've assigned the same namespace as the SetupPasswordTool.

SGTM, I did the change, thanks!