Package org.elasticsearch.common.settings

Class KeyStoreWrapper

  • All Implemented Interfaces:
    java.io.Closeable, java.lang.AutoCloseable, SecureSettings
    public class KeyStoreWrapper
extends java.lang.Object
implements SecureSettings
    A disk based container for sensitive settings in Elasticsearch. Loading a keystore has 2 phases. First, call load(Path). Then call decrypt(char[]) with the keystore password, or an empty char array if hasPassword() is false. Loading and decrypting should happen in a single thread. Once decrypted, settings may be read in multiple threads.

    • Method Summary

      Modifier and Type Method Description
      static void addBootstrapSeed​(KeyStoreWrapper wrapper)
      Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node
      void close()  
      static KeyStoreWrapper create()
      Constructs a new keystore with the given password.
      void decrypt​(char[] password)
      Decrypts the underlying keystore data.
      java.io.InputStream getFile​(java.lang.String setting)
      Return a file setting.
      int getFormatVersion()
      Get the metadata format version for the keystore
      java.util.Set<java.lang.String> getSettingNames()
      It is possible to retrieve the setting names even if the keystore is closed.
      SecureString getString​(java.lang.String setting)
      Return a string setting.
      boolean hasPassword()
      Return true iff calling decrypt(char[]) requires a non-empty password.
      boolean isLoaded()
      Returns true iff the settings are loaded and retrievable.
      static java.nio.file.Path keystorePath​(java.nio.file.Path configDir)
      Returns a path representing the ES keystore in the given config dir.
      static KeyStoreWrapper load​(java.nio.file.Path configDir)
      Loads information about the Elasticsearch keystore from the provided config directory.
      void save​(java.nio.file.Path configDir, char[] password)
      Write the keystore to the given config directory.
      static void upgrade​(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password)
      Upgrades the format of the keystore, if necessary.
      static void validateSettingName​(java.lang.String setting)
      Ensure the given setting name is allowed.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Method Detail

      • getFormatVersion

        public int getFormatVersion()
        Get the metadata format version for the keystore

      • keystorePath

        public static java.nio.file.Path keystorePath​(java.nio.file.Path configDir)
        Returns a path representing the ES keystore in the given config dir.

      • create

        public static KeyStoreWrapper create()
        Constructs a new keystore with the given password.

      • addBootstrapSeed

        public static void addBootstrapSeed​(KeyStoreWrapper wrapper)
        Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node

      • load

        public static KeyStoreWrapper load​(java.nio.file.Path configDir)
                            throws java.io.IOException
        Loads information about the Elasticsearch keystore from the provided config directory. decrypt(char[]) must be called before reading or writing any entries. Returns null if no keystore exists.
        Throws:
        java.io.IOException

      • upgrade

        public static void upgrade​(KeyStoreWrapper wrapper,
                           java.nio.file.Path configDir,
                           char[] password)
                    throws java.lang.Exception
        Upgrades the format of the keystore, if necessary.
        Throws:
        java.lang.Exception

      • isLoaded

        public boolean isLoaded()
        Description copied from interface: SecureSettings
        Returns true iff the settings are loaded and retrievable.
        Specified by:
        isLoaded in interface SecureSettings

      • hasPassword

        public boolean hasPassword()
        Return true iff calling decrypt(char[]) requires a non-empty password.

      • decrypt

        public void decrypt​(char[] password)
             throws java.security.GeneralSecurityException,
                    java.io.IOException
        Decrypts the underlying keystore data. This may only be called once.
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException

      • save

        public void save​(java.nio.file.Path configDir,
                 char[] password)
          throws java.lang.Exception
        Write the keystore to the given config directory.
        Throws:
        java.lang.Exception

      • getSettingNames

        public java.util.Set<java.lang.String> getSettingNames()
        It is possible to retrieve the setting names even if the keystore is closed. This allows SecureSetting to correctly determine that a entry exists even though it cannot be read. Thus attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.
        Specified by:
        getSettingNames in interface SecureSettings

      • getFile

        public java.io.InputStream getFile​(java.lang.String setting)
        Description copied from interface: SecureSettings
        Return a file setting. The InputStream should be closed once it is used.
        Specified by:
        getFile in interface SecureSettings

      • validateSettingName

        public static void validateSettingName​(java.lang.String setting)
        Ensure the given setting name is allowed.
        Throws:
        java.lang.IllegalArgumentException - if the setting name is not valid

      • close

        public void close()
        Specified by:
        close in interface java.lang.AutoCloseable
        Specified by:
        close in interface java.io.Closeable
        Specified by:
        close in interface SecureSettings