Security auto-configuration for packaged installations

build-tools-internal/src/main/resources/forbidden/es-all-signatures.txt

@@ -10,7 +10,6 @@ java.nio.file.Path#of(java.lang.String, java.lang.String[]) @ Use org.elasticsea
 java.nio.file.FileSystems#getDefault() @ use org.elasticsearch.core.PathUtils.getDefaultFileSystem() instead.
 
 java.nio.file.Files#getFileStore(java.nio.file.Path) @ Use org.elasticsearch.env.Environment.getFileStore() instead, impacted by JDK-8034057
-java.nio.file.Files#isWritable(java.nio.file.Path) @ Use org.elasticsearch.env.Environment.isWritable() instead, impacted by JDK-8034057
 
 @defaultMessage Use org.elasticsearch.common.Randomness#get for reproducible sources of randomness
 java.util.Random#<init>()

build-tools/src/main/java/org/elasticsearch/gradle/testclusters/ElasticsearchNode.java

@@ -766,6 +766,7 @@ private Map<String, String> getESEnvironment() {
         // If we are testing the current version of Elasticsearch, use the configured runtime Java, otherwise use the bundled JDK
         if (getTestDistribution() == TestDistribution.INTEG_TEST || getVersion().equals(VersionProperties.getElasticsearchVersion())) {
             defaultEnv.put("ES_JAVA_HOME", runtimeJava.get().getAbsolutePath());
+            defaultEnv.put("AUTO_CONFIG", "false");
         }
         defaultEnv.put("ES_PATH_CONF", configFile.getParent().toString());
         String systemPropertiesString = "";

distribution/packages/src/common/scripts/postinst

@@ -49,13 +49,25 @@ case "$1" in
         exit 1
     ;;
 esac
-
 # to pick up /usr/lib/sysctl.d/elasticsearch.conf
 if command -v systemctl > /dev/null; then
     systemctl restart systemd-sysctl.service || true
 fi
 
 if [ "x$IS_UPGRADE" != "xtrue" ]; then
+    # This runs on installation and since we do not set a password for the keystore by default, we can assume it's not password protected
+    /usr/share/elasticsearch/bin/elasticsearch-autoconfig-security --explicitly-acknowledge-execution <<< ""
+    if [ -f "${ES_PATH_CONF}"/elasticsearch.keystore ]; then
+        INITIAL_PASSWORD=$(tr -dc 'A-Za-z0-9~!@#$%^&*-_=+?' </dev/urandom | head -c 14)
+        echo "$INITIAL_PASSWORD" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -x 'bootstrap.password'
+        echo "##########                 Security autoconfiguration information                ############"
+        echo "#                                                                                           #"
+        echo "# The password of the elastic superuser will be set to: ${INITIAL_PASSWORD}                      #"
+        echo "#                                                                                           #"
+        echo "#                                                                                           #"
+        echo "#                                                                                           #"
+        echo "#############################################################################################"
+    fi
     if command -v systemctl >/dev/null; then
         echo "### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd"
         echo " sudo systemctl daemon-reload"

distribution/src/bin/elasticsearch

@@ -16,15 +16,20 @@
 source "`dirname "$0"`"/elasticsearch-env
 
 CHECK_KEYSTORE=true
+AUTO_CONFIG="${AUTO_CONFIG:-true}"
 DAEMONIZE=false
 for option in "$@"; do
   case "$option" in
     -h|--help|-V|--version)
       CHECK_KEYSTORE=false
+      AUTO_CONFIG=false
       ;;
     -d|--daemonize)
       DAEMONIZE=true
       ;;
+    -e|--enroll)
+      AUTO_CONFIG=false
+      ;;
   esac
 done
 
@@ -45,6 +50,19 @@ then
   fi
 fi
 
+if [[ $AUTO_CONFIG = true ]]; then
+  # ignore failures in auto-configuration
+  # it is possible that an auto-configuration failure can prevent the node from starting, but this is only the exceptional case
+  # most likely an auto-configuration failure will leave the configuration untouched, optionally printing a message
+  # if the error is unexpected, but the node will start as usual
+  ES_MAIN_CLASS=org.elasticsearch.xpack.security.cli.AutoConfigInitialNode \
+    ES_ADDITIONAL_SOURCES="x-pack-env;x-pack-security-env" \
+    ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli \
+    "$(dirname "$0")/elasticsearch-cli" \
+    "$@" \
+    <<<"$KEYSTORE_PASSWORD" || true
+fi
+
 # The JVM options parser produces the final JVM options to start Elasticsearch.
 # It does this by incorporating JVM options in the following way:
 #   - first, system JVM options are applied (these are hardcoded options in the

distribution/src/bin/elasticsearch-autoconfig-security

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+ES_MAIN_CLASS=org.elasticsearch.xpack.security.cli.AutoConfigInitialNode \
+    ES_ADDITIONAL_SOURCES="x-pack-env;x-pack-security-env" \
+    ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli \
+    "`dirname "$0"`"/elasticsearch-cli \
+    "$@"

distribution/src/bin/elasticsearch-env

@@ -119,16 +119,23 @@ if [[ "$ES_DISTRIBUTION_TYPE" == "docker" ]]; then
 
   declare -a es_arg_array
 
+  containsElement () {
+    local e match="$1"
+    shift
+    for e; do [[ "$e" == "$match" ]] && return 0; done
+    return 1
+  }
+
   while IFS='=' read -r envvar_key envvar_value
   do
     # Elasticsearch settings need to have at least two dot separated lowercase
     # words, e.g. `cluster.name`, or uppercased with underscore separators and
     # prefixed with `ES_`, e.g. `ES_CLUSTER_NAME`. Underscores in setting names
     # are escaped by writing them as a double-underscore e.g. "__"
     if [[ ! -z "$envvar_value" ]]; then
+      es_opt=""
       if [[ "$envvar_key" =~ ^[a-z0-9_]+\.[a-z0-9_]+ ]]; then
         es_opt="-E${envvar_key}=${envvar_value}"
-        es_arg_array+=("${es_opt}")
       elif [[ "$envvar_key" =~ ^ES(_{1,2}[A-Z]+)+$ ]]; then
         case "$envvar_key" in
           # Do nothing for these. Not all of these are actually exported into the environment by our scripts,
@@ -148,10 +155,14 @@ if [[ "$ES_DISTRIBUTION_TYPE" == "docker" ]]; then
             # The long-hand sed `y` command works in any sed variant.
             envvar_key="$(echo "$envvar_key" | sed -e 's/^ES_//; s/_/./g ; s/\.\./_/g; y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' )"
             es_opt="-E${envvar_key}=${envvar_value}"
-            es_arg_array+=("${es_opt}")
             ;;
         esac
       fi
+      if [[ ! -z "$es_opt" ]]; then
+        if ! containsElement "${es_opt}" "$@"; then
+          es_arg_array+=("${es_opt}")
+        fi
+      fi
     fi
   done <<< "$(env)"
 

libs/cli/src/main/java/org/elasticsearch/cli/ExitCodes.java

@@ -13,6 +13,7 @@
  */
 public class ExitCodes {
     public static final int OK = 0;
+    public static final int NOOP = 63;           /* nothing to do */
     public static final int USAGE = 64;          /* command line usage error */
     public static final int DATA_ERROR = 65;     /* data format error */
     public static final int NO_INPUT = 66;       /* cannot open input */

qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java

@@ -37,6 +37,7 @@
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.contains;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
@@ -153,7 +154,7 @@ public static void remove(Distribution distribution) throws Exception {
         });
     }
 
-    public static void verifyPackageInstallation(Installation installation, Distribution distribution, Shell sh) {
+    public static void verifyPackageInstallation(Installation installation, Distribution distribution, Shell sh) throws IOException {
         verifyOssInstallation(installation, distribution, sh);
         verifyDefaultInstallation(installation, distribution);
     }
@@ -217,7 +218,7 @@ private static void verifyOssInstallation(Installation es, Distribution distribu
         }
     }
 
-    private static void verifyDefaultInstallation(Installation es, Distribution distribution) {
+    private static void verifyDefaultInstallation(Installation es, Distribution distribution) throws IOException {
 
         Stream.of(
             "elasticsearch-certgen",
@@ -240,6 +241,45 @@ private static void verifyDefaultInstallation(Installation es, Distribution dist
 
         Stream.of("users", "users_roles", "roles.yml", "role_mapping.yml", "log4j2.properties")
             .forEach(configFile -> assertThat(es.config(configFile), file(File, "root", "elasticsearch", p660)));
+        verifySecurityAutoConfigured(es, distribution);
+    }
+
+    private static void verifySecurityAutoConfigured(Installation es, Distribution distribution) throws IOException {
+        assertThat(es.config("auto_generated_certs"), file(Directory, "root", "elasticsearch", p755));
+        Stream.of("http_keystore.p12", "http_truststore.p12", "transport_keystore_all_nodes.p12", "transport_truststore_all_nodes.p12")
+            .forEach(
+                keystore -> assertThat(es.config("auto_generated_certs").resolve(keystore), file(File, "root", "elasticsearch", p660))
+            );
+        List<String> configLines = Files.readAllLines(es.config("elasticsearch.yml"));
+        assertThat(configLines, contains("xpack.security.enabled: true"));
+        assertThat(configLines, contains("xpack.security.enrollment.enabled: true"));
+        assertThat(configLines, contains("xpack.security.authc.realms.file.auto_generated_1625753263.order: 0"));
+        assertThat(configLines, contains("xpack.security.transport.ssl.enabled: true"));
+        assertThat(configLines, contains("xpack.security.transport.ssl.verification_mode: certificate"));
+        assertThat(configLines, contains("xpack.security.transport.ssl.client_authentication: required"));
+        assertThat(
+            configLines,
+            contains(
+                "xpack.security.transport.ssl.keystore.path: " + "/etc/elasticsearch/auto_generated_certs/transport_keystore_all_nodes.p12"
+            )
+        );
+        assertThat(
+            configLines,
+            contains(
+                "xpack.security.transport.ssl.truststore.path: "
+                    + "/etc/elasticsearch/auto_generated_certs/transport_truststore_all_nodes.p12"
+            )
+        );
+        assertThat(configLines, contains("xpack.security.http.ssl.enabled: true"));
+        assertThat(
+            configLines,
+            contains("xpack.security.http.ssl.keystore.path: " + "/etc/elasticsearch/auto_generated_certs/http_keystore.p12")
+        );
+        assertThat(
+            configLines,
+            contains("xpack.security.http.ssl.truststore.path: " + "/etc/elasticsearch/auto_generated_certs/http_truststore.p12")
+        );
+        assertThat(configLines, contains("http.host: [_local_, _site_]"));
     }
 
     /**

server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java

@@ -18,7 +18,6 @@
 import org.apache.lucene.util.StringHelper;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.Version;
-import org.elasticsearch.cli.KeyStoreAwareCommand;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.PidFile;
@@ -238,37 +237,11 @@ static SecureSettings loadSecureSettings(Environment initialEnv) throws Bootstra
     }
 
     static SecureSettings loadSecureSettings(Environment initialEnv, InputStream stdin) throws BootstrapException {
-        final KeyStoreWrapper keystore;
         try {
-            keystore = KeyStoreWrapper.load(initialEnv.configFile());
-        } catch (IOException e) {
-            throw new BootstrapException(e);
-        }
-
-        SecureString password;
-        try {
-            if (keystore != null && keystore.hasPassword()) {
-                password = readPassphrase(stdin, KeyStoreAwareCommand.MAX_PASSPHRASE_LENGTH);
-            } else {
-                password = new SecureString(new char[0]);
-            }
-        } catch (IOException e) {
-            throw new BootstrapException(e);
-        }
-
-        try (password) {
-            if (keystore == null) {
-                final KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create();
-                keyStoreWrapper.save(initialEnv.configFile(), new char[0]);
-                return keyStoreWrapper;
-            } else {
-                keystore.decrypt(password.getChars());
-                KeyStoreWrapper.upgrade(keystore, initialEnv.configFile(), password.getChars());
-            }
+            return KeyStoreWrapper.bootstrap(initialEnv.configFile(), () -> readPassphrase(stdin, KeyStoreWrapper.MAX_PASSPHRASE_LENGTH));
         } catch (Exception e) {
             throw new BootstrapException(e);
         }
-        return keystore;
     }
 
     // visible for tests

server/src/main/java/org/elasticsearch/cli/KeyStoreAwareCommand.java

@@ -26,9 +26,6 @@ public KeyStoreAwareCommand(String description) {
         super(description);
     }
 
-    /** Arbitrarily chosen maximum passphrase length */
-    public static final int MAX_PASSPHRASE_LENGTH = 128;
-
     /**
      * Reads the keystore password from the {@link Terminal}, prompting for verification where applicable and returns it as a
      * {@link SecureString}.
@@ -42,9 +39,9 @@ protected static SecureString readPassword(Terminal terminal, boolean withVerifi
         final char[] passwordArray;
         if (withVerification) {
             passwordArray = terminal.readSecret("Enter new password for the elasticsearch keystore (empty for no password): ",
-                MAX_PASSPHRASE_LENGTH);
+                KeyStoreWrapper.MAX_PASSPHRASE_LENGTH);
             char[] passwordVerification = terminal.readSecret("Enter same password again: ",
-                MAX_PASSPHRASE_LENGTH);
+                KeyStoreWrapper.MAX_PASSPHRASE_LENGTH);
             if (Arrays.equals(passwordArray, passwordVerification) == false) {
                 throw new UserException(ExitCodes.DATA_ERROR, "Passwords are not equal, exiting.");
             }

server/src/main/java/org/elasticsearch/common/settings/KeyStoreWrapper.java

@@ -21,6 +21,7 @@
 import org.apache.lucene.util.SetOnce;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.UserException;
+import org.elasticsearch.common.CheckedSupplier;
 import org.elasticsearch.common.Randomness;
 import org.elasticsearch.common.hash.MessageDigests;
 
@@ -45,6 +46,7 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.AccessDeniedException;
 import java.nio.file.Files;
+import java.nio.file.LinkOption;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.attribute.PosixFileAttributeView;
@@ -72,6 +74,9 @@
  */
 public class KeyStoreWrapper implements SecureSettings {
 
+    /** Arbitrarily chosen maximum passphrase length */
+    public static final int MAX_PASSPHRASE_LENGTH = 128;
+
     /** An identifier for the type of data that may be stored in a keystore entry. */
     private enum EntryType {
         STRING,
@@ -101,7 +106,7 @@ private static class Entry {
         "~!@#$%^&*-_=+?").toCharArray();
 
     /** The name of the keystore file to read and write. */
-    private static final String KEYSTORE_FILENAME = "elasticsearch.keystore";
+    public static final String KEYSTORE_FILENAME = "elasticsearch.keystore";
 
     /** The version of the metadata written before the keystore data. */
     static final int FORMAT_VERSION = 4;
@@ -194,6 +199,29 @@ public static void addBootstrapSeed(KeyStoreWrapper wrapper) {
         Arrays.fill(characters, (char)0);
     }
 
+    public static KeyStoreWrapper bootstrap(Path configDir, CheckedSupplier<SecureString, Exception> passwordSupplier) throws Exception {
+        KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
+
+        SecureString password;
+        if (keystore != null && keystore.hasPassword()) {
+            password = passwordSupplier.get();
+        } else {
+            password = new SecureString(new char[0]);
+        }
+
+        try (password) {
+            if (keystore == null) {
+                final KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create();
+                keyStoreWrapper.save(configDir, new char[0]);
+                return keyStoreWrapper;
+            } else {
+                keystore.decrypt(password.getChars());
+                KeyStoreWrapper.upgrade(keystore, configDir, password.getChars());
+            }
+        }
+        return keystore;
+    }
+
     /**
      * Loads information about the Elasticsearch keystore from the provided config directory.
      *
@@ -482,6 +510,7 @@ public synchronized void save(Path configDir, char[] password) throws Exception
         Directory directory = new NIOFSDirectory(configDir);
         // write to tmp file first, then overwrite
         String tmpFile = KEYSTORE_FILENAME + ".tmp";
+        Path keystoreTempFile = configDir.resolve(tmpFile);
         try (IndexOutput output = directory.createOutput(tmpFile, IOContext.DEFAULT)) {
             CodecUtil.writeHeader(output, KEYSTORE_FILENAME, FORMAT_VERSION);
             output.writeByte(password.length == 0 ? (byte)0 : (byte)1);
@@ -515,18 +544,31 @@ public synchronized void save(Path configDir, char[] password) throws Exception
             final String message = String.format(
                 Locale.ROOT,
                 "unable to create temporary keystore at [%s], write permissions required for [%s] or run [elasticsearch-keystore upgrade]",
-                configDir.resolve(tmpFile),
+                keystoreTempFile,
                 configDir);
+            Files.deleteIfExists(keystoreTempFile);
             throw new UserException(ExitCodes.CONFIG, message, e);
         }
 
         Path keystoreFile = keystorePath(configDir);
-        Files.move(configDir.resolve(tmpFile), keystoreFile, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
-        PosixFileAttributeView attrs = Files.getFileAttributeView(keystoreFile, PosixFileAttributeView.class);
+        // check that replace doesn't change the owner
+        if (Files.exists(keystoreFile, LinkOption.NOFOLLOW_LINKS) &&
+                false == Files.getOwner(keystoreTempFile, LinkOption.NOFOLLOW_LINKS).equals(Files.getOwner(keystoreFile,
+                        LinkOption.NOFOLLOW_LINKS))) {
+            Files.deleteIfExists(keystoreTempFile);
+            final String message = String.format(
+                    Locale.ROOT,
+                    "will not overwrite keystore at [%s], because this incurs changing the file owner",
+                    keystoreFile,
+                    configDir);
+            throw new UserException(ExitCodes.CONFIG, message);
+        }
+        PosixFileAttributeView attrs = Files.getFileAttributeView(keystoreTempFile, PosixFileAttributeView.class);
         if (attrs != null) {
             // don't rely on umask: ensure the keystore has minimal permissions
             attrs.setPermissions(PosixFilePermissions.fromString("rw-rw----"));
         }
+        Files.move(keystoreTempFile, keystoreFile, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
     }
 
     /**
@@ -584,7 +626,7 @@ public static void validateSettingName(String setting) {
     /**
      * Set a string setting.
      */
-    synchronized void setString(String setting, char[] value) {
+    public synchronized void setString(String setting, char[] value) {
         ensureOpen();
         validateSettingName(setting);