elastic · jkakavas · Oct 15, 2021 · Jul 13, 2021 · Jul 13, 2021 · Jul 14, 2021
diff --git a/distribution/packages/build.gradle b/distribution/packages/build.gradle
@@ -254,7 +254,7 @@ def commonPackageConfig(String type, String architecture) {
   }
 }
 
-// this is package indepdendent configuration
+// this is package independent configuration
 ospackage {
   maintainer 'Elasticsearch Team <[email protected]>'
   summary 'Distributed RESTful search engine built for the cloud'

diff --git a/distribution/packages/src/common/scripts/postinst b/distribution/packages/src/common/scripts/postinst
@@ -49,20 +49,68 @@ case "$1" in
         exit 1
     ;;
 esac
-
 # to pick up /usr/lib/sysctl.d/elasticsearch.conf
 if command -v systemctl > /dev/null; then
     systemctl restart systemd-sysctl.service || true
 fi
-
 if [ "x$IS_UPGRADE" != "xtrue" ]; then
+    # Don't exit immediately on error, we want to hopefully print some helpful banners
+    set +e
+    # Attempt to auto-configure security, this seems to be an installation
+    if ES_MAIN_CLASS=org.elasticsearch.xpack.security.cli.ConfigInitialNode \
+    ES_ADDITIONAL_SOURCES="x-pack-env;x-pack-security-env" \
+    ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli \
+    /usr/share/elasticsearch/bin/elasticsearch-cli -strict <<< ""; then
+        # Above command runs as root and TLS keystores are created group-owned by root. It's simple to correct the ownership here
+        for dir in "${ES_PATH_CONF}"/auto_config_on*
+        do
+            chown root:elasticsearch "${dir}"/http_keystore_local_node.p12
+            chown root:elasticsearch "${dir}"/http_ca.crt
+            chown root:elasticsearch "${dir}"/transport_keystore_all_nodes.p12
+        done
+        if INITIAL_PASSWORD=$(ES_MAIN_CLASS=org.elasticsearch.xpack.security.enrollment.tool.AutoConfigGenerateElasticPasswordHash \
+        ES_ADDITIONAL_SOURCES="x-pack-env;x-pack-security-env" \
+        ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli \
+        /usr/share/elasticsearch/bin/elasticsearch-cli); then
+            echo "##########         Security autoconfiguration information         ############"
+            echo "#                                                                            #"
+            echo "# Authentication and Authorization are enabled.                              #"
+            echo "# TLS for the transport and the http layers is enabled and configured.       #"
+            echo "#                                                                            #"
+            echo "# The password of the elastic superuser will be set to: ${INITIAL_PASSWORD} #"
+            echo "# upon starting elasticsearch for the first time                             #"
+            echo "#                                                                            #"
+            echo "##############################################################################"
+        fi
+    else
+        if [ $? -eq 63 ]; then
+            # ExitCodes.NOOP
+            echo "##########         Security autoconfiguration information         ############"
+            echo "#                                                                            #"
+            echo "# Security features appear to be already configured.                         #"
+            echo "#                                                                            #"
+            echo "##############################################################################"
+        else
+            echo "##########         Security autoconfiguration information         ############"
+            echo "#                                                                            #"
+            echo "# Failed to auto-configure security features.                                #"
+            echo "# Authentication and Authorization are enabled.                              #"
+            echo "# You can use elasticsearch-reset-elastic-password to set a password         #"
+            echo "# for the elastic user.                                                      #"
+            echo "# See <link_here> for instructions on how to configure TLS manually.          #"
+            echo "#                                                                            #"
+            echo "##############################################################################"
+        fi
+    fi
     if command -v systemctl >/dev/null; then
         echo "### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd"
         echo " sudo systemctl daemon-reload"
         echo " sudo systemctl enable elasticsearch.service"
         echo "### You can start elasticsearch service by executing"
         echo " sudo systemctl start elasticsearch.service"
     fi
+    set -e
+
 elif [ "$RESTART_ON_UPGRADE" = "true" ]; then
 
     echo -n "Restarting elasticsearch service..."

diff --git a/distribution/packages/src/common/scripts/postrm b/distribution/packages/src/common/scripts/postrm
@@ -18,6 +18,7 @@ export ES_PATH_CONF=${ES_PATH_CONF:[email protected]@}
 
 REMOVE_DIRS=false
 REMOVE_JVM_OPTIONS_DIRECTORY=false
+REMOVE_SECURITY_AUTO_CONFIG_DIRECTORY=false
 REMOVE_ELASTICSEARCH_KEYSTORE=false
 REMOVE_USER_AND_GROUP=false
 
@@ -31,6 +32,7 @@ case "$1" in
     purge)
         REMOVE_DIRS=true
         REMOVE_JVM_OPTIONS_DIRECTORY=true
+        REMOVE_SECURITY_AUTO_CONFIG_DIRECTORY=true
         REMOVE_ELASTICSEARCH_KEYSTORE=true
         REMOVE_USER_AND_GROUP=true
     ;;
@@ -99,6 +101,16 @@ if [ "$REMOVE_DIRS" = "true" ]; then
       fi
     fi
 
+    # delete the security auto config directory if we are purging
+    if [ "$REMOVE_SECURITY_AUTO_CONFIG_DIRECTORY" = "true" ]; then
+      for dir in "${ES_PATH_CONF}"/auto_config_on*
+      do
+        echo -n "Deleting security auto-configuration directory..."
+        rm -rf "${dir}"
+        echo "OK"
+      done
+    fi
+
     # delete the elasticsearch keystore if we are purging
     if [ "$REMOVE_ELASTICSEARCH_KEYSTORE" = "true" ]; then
       if [ -e "${ES_PATH_CONF}/elasticsearch.keystore" ]; then

diff --git a/docs/changelog/75144.yaml b/docs/changelog/75144.yaml
@@ -0,0 +1,6 @@
+pr: 75144
+summary: Security auto-configuration for packaged installations
+area: "Security"
+type: enhancement
+issues:
+ - 75704
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java
@@ -22,10 +22,12 @@
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 import static com.carrotsearch.randomizedtesting.RandomizedTest.assumeFalse;
 import static java.nio.file.StandardOpenOption.APPEND;
 import static java.nio.file.StandardOpenOption.CREATE;
+import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING;
 import static org.elasticsearch.packaging.util.FileMatcher.Fileness.File;
 import static org.elasticsearch.packaging.util.FileMatcher.file;
 import static org.elasticsearch.packaging.util.FileMatcher.p600;
@@ -96,8 +98,8 @@ public void test40RunWithCert() throws Exception {
         final String keyPath = escapePath(installation.config("certs/mynode/mynode.key"));
         final String certPath = escapePath(installation.config("certs/mynode/mynode.crt"));
         final String caCertPath = escapePath(installation.config("certs/ca/ca.crt"));
-
-        List<String> yaml = List.of(
+        // Replace possibly auto-configured TLS settings with ones pointing to the material generated with certgen
+        List<String> newTlsConfig = List.of(
             "node.name: mynode",
             "xpack.security.transport.ssl.key: " + keyPath,
             "xpack.security.transport.ssl.certificate: " + certPath,
@@ -108,8 +110,15 @@ public void test40RunWithCert() throws Exception {
             "xpack.security.transport.ssl.enabled: true",
             "xpack.security.http.ssl.enabled: true"
         );
+        List<String> existingConfig = Files.readAllLines(installation.config("elasticsearch.yml"));
+        List<String> newConfig = existingConfig.stream()
+            .filter(l -> l.startsWith("node.name:") == false)
+            .filter(l -> l.startsWith("xpack.security.transport.ssl.") == false)
+            .filter(l -> l.startsWith("xpack.security.http.ssl.") == false)
+            .collect(Collectors.toList());
+        newConfig.addAll(newTlsConfig);
 
-        Files.write(installation.config("elasticsearch.yml"), yaml, CREATE, APPEND);
+        Files.write(installation.config("elasticsearch.yml"), newConfig, TRUNCATE_EXISTING);
 
         assertWhileRunning(() -> {
             final String password = setElasticPassword();
@@ -120,7 +129,7 @@ public void test40RunWithCert() throws Exception {
 
     private String setElasticPassword() {
         final Pattern userpassRegex = Pattern.compile("PASSWORD (\\w+) = ([^\\s]+)");
-        Shell.Result result = installation.executables().setupPasswordsTool.run("auto --batch", null);
+        Shell.Result result = installation.executables().setupPasswordsTool.run("auto --batch -u https://127.0.0.1:9200", null);
         Matcher matcher = userpassRegex.matcher(result.stdout);
         assertNotNull(matcher);
         while (matcher.find()) {