Class KeyStoreWrapper
java.lang.Object
org.elasticsearch.common.settings.KeyStoreWrapper
- All Implemented Interfaces:
java.io.Closeable
,java.lang.AutoCloseable
,SecureSettings
public class KeyStoreWrapper extends java.lang.Object implements SecureSettings
A disk based container for sensitive settings in Elasticsearch.
Loading a keystore has 2 phases. First, call
load(Path)
. Then call
decrypt(char[])
with the keystore password, or an empty char array if
hasPassword()
is false
. Loading and decrypting should happen
in a single thread. Once decrypted, settings may be read in multiple threads.-
Field Summary
Fields Modifier and Type Field Description static Setting<SecureString>
SEED_SETTING
-
Method Summary
Modifier and Type Method Description static void
addBootstrapSeed(KeyStoreWrapper wrapper)
Add the bootstrap seed setting, which may be used as a unique, secure, random value by the nodevoid
close()
static KeyStoreWrapper
create()
Constructs a new keystore with the given password.void
decrypt(char[] password)
Decrypts the underlying keystore data.java.io.InputStream
getFile(java.lang.String setting)
Return a file setting.int
getFormatVersion()
Get the metadata format version for the keystorejava.util.Set<java.lang.String>
getSettingNames()
It is possible to retrieve the setting names even if the keystore is closed.byte[]
getSHA256Digest(java.lang.String setting)
Returns the SHA256 digest for the setting's value, even after#close()
has been called.SecureString
getString(java.lang.String setting)
Return a string setting.boolean
hasPassword()
Return true iff callingdecrypt(char[])
requires a non-empty password.boolean
isLoaded()
Returns true iff the settings are loaded and retrievable.static java.nio.file.Path
keystorePath(java.nio.file.Path configDir)
Returns a path representing the ES keystore in the given config dir.static KeyStoreWrapper
load(java.nio.file.Path configDir)
Loads information about the Elasticsearch keystore from the provided config directory.void
save(java.nio.file.Path configDir, char[] password)
Write the keystore to the given config directory.static void
upgrade(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password)
Upgrades the format of the keystore, if necessary.static void
validateSettingName(java.lang.String setting)
Ensure the given setting name is allowed.Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Field Details
-
SEED_SETTING
-
-
Method Details
-
getFormatVersion
public int getFormatVersion()Get the metadata format version for the keystore -
keystorePath
public static java.nio.file.Path keystorePath(java.nio.file.Path configDir)Returns a path representing the ES keystore in the given config dir. -
create
Constructs a new keystore with the given password. -
addBootstrapSeed
Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node -
load
Loads information about the Elasticsearch keystore from the provided config directory.decrypt(char[])
must be called before reading or writing any entries. Returnsnull
if no keystore exists.- Throws:
java.io.IOException
-
upgrade
public static void upgrade(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password) throws java.lang.ExceptionUpgrades the format of the keystore, if necessary.- Throws:
java.lang.Exception
-
isLoaded
public boolean isLoaded()Description copied from interface:SecureSettings
Returns true iff the settings are loaded and retrievable.- Specified by:
isLoaded
in interfaceSecureSettings
-
hasPassword
public boolean hasPassword()Return true iff callingdecrypt(char[])
requires a non-empty password. -
decrypt
public void decrypt(char[] password) throws java.security.GeneralSecurityException, java.io.IOExceptionDecrypts the underlying keystore data. This may only be called once.- Throws:
java.security.GeneralSecurityException
java.io.IOException
-
save
public void save(java.nio.file.Path configDir, char[] password) throws java.lang.ExceptionWrite the keystore to the given config directory.- Throws:
java.lang.Exception
-
getSettingNames
public java.util.Set<java.lang.String> getSettingNames()It is possible to retrieve the setting names even if the keystore is closed. This allowsSecureSetting
to correctly determine that a entry exists even though it cannot be read. Thus attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.- Specified by:
getSettingNames
in interfaceSecureSettings
-
getString
Description copied from interface:SecureSettings
Return a string setting. TheSecureString
should be closed once it is used.- Specified by:
getString
in interfaceSecureSettings
-
getFile
public java.io.InputStream getFile(java.lang.String setting)Description copied from interface:SecureSettings
Return a file setting. TheInputStream
should be closed once it is used.- Specified by:
getFile
in interfaceSecureSettings
-
getSHA256Digest
public byte[] getSHA256Digest(java.lang.String setting)Returns the SHA256 digest for the setting's value, even after#close()
has been called. The setting must exist. The digest is used to check for value changes without actually storing the value.- Specified by:
getSHA256Digest
in interfaceSecureSettings
-
validateSettingName
public static void validateSettingName(java.lang.String setting)Ensure the given setting name is allowed.- Throws:
java.lang.IllegalArgumentException
- if the setting name is not valid
-
close
public void close()- Specified by:
close
in interfacejava.lang.AutoCloseable
- Specified by:
close
in interfacejava.io.Closeable
- Specified by:
close
in interfaceSecureSettings
-