java.lang.Object
org.elasticsearch.common.settings.RotatableSecret
A container for a SecureString that can be rotated, with a grace period for the secret that has been rotated out. Once rotated, the prior secret remains valid for a configured amount of time before it is invalidated. This allows secret rotation without transient failures and without tightly orchestrating multiple parties: a caller that still presents the old secret keeps working until the grace period ends, so the grace period should be no longer than it takes the slowest party to pick up the new secret. This class is thread-safe; however, it also assumes that reads of the secret are frequent (i.e. on every request) while rotation is rare (i.e. once a day).
Nested Class Summary

Constructor Summary

RotatableSecret(SecureString secret)

Method Summary

Modifier and Type | Method | Description
boolean | isSet() | Returns true if the current or prior value is non-null and non-empty.
boolean | matches(SecureString secret) | Check to see if the current or (non-expired) prior secret matches the passed-in secret.
void | rotate(SecureString newSecret, TimeValue gracePeriod) | Rotates the secret iff the new secret and the current secret are different.
Constructor Details

RotatableSecret

public RotatableSecret(SecureString secret)

Parameters:
secret - The secret to rotate, or null if the secret is not configured.
Method Details

rotate

public void rotate(SecureString newSecret, TimeValue gracePeriod)

Rotates the secret iff the new secret and the current secret are different. If rotated, the current secret becomes the prior secret, which stays valid for the given grace period, and the new secret becomes the current secret. Rotating to a secret equal to the current one is a no-op and does not reset the grace period of an existing prior secret. There is a single prior slot, so rotating again within the grace period replaces the earlier prior secret rather than keeping both.

Parameters:
newSecret - the secret to rotate in.
gracePeriod - the time period for which the prior secret remains valid.
isSet

public boolean isSet()

Returns:
true if the current or prior value is non-null and non-empty.
matches

public boolean matches(SecureString secret)

Check to see if the current or (non-expired) prior secret matches the passed-in secret.

Parameters:
secret - The secret to match against.

Returns:
true if either the current or the (non-expired) prior secret matches; false if neither matches, false if both the current and prior secrets are unset, and false if the passed-in secret is null or empty.
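The following is an added, stand-alone Java example of the rotation-with-grace-period pattern described above; it is not Elasticsearch's RotatableSecret implementation and does not depend on Elasticsearch classes. The class name RotatableSecretExample, the Secret stand-in for SecureString, the injected clock (LongSupplier), the read/write lock and the constant-time comparison are all assumptions made for this example; the real class exposes the signatures documented on this page but its internals may differ. The example exercises the documented edge cases: the prior secret matching only inside its grace period, null or empty candidates never matching, and a same-value rotation being a no-op.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.util.Arrays;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.LongSupplier;

/**
 * Added example (not Elasticsearch code): a current secret plus one prior secret that
 * stays valid until a grace-period deadline. Reads take a shared lock (frequent),
 * rotation takes the exclusive lock (rare), matching the documented usage assumption.
 */
public final class RotatableSecretExample {

    /** Constructed stand-in for SecureString: a char[] that can be zeroed when discarded. */
    static final class Secret {
        private final char[] chars;
        Secret(String s) { this.chars = s.toCharArray(); }
        boolean isEmpty() { return chars.length == 0; }
        byte[] bytes() { return new String(chars).getBytes(StandardCharsets.UTF_8); }
        void close() { Arrays.fill(chars, '\0'); }
    }

    private final LongSupplier nowMillis;                 // injectable clock (assumption) so expiry is testable
    private final ReadWriteLock lock = new ReentrantReadWriteLock();
    private Secret current;
    private Secret prior;
    private long priorValidUntilMillis;

    RotatableSecretExample(Secret secret, LongSupplier nowMillis) {
        this.current = secret;                            // null means "not configured"
        this.nowMillis = nowMillis;
    }

    /** Rotates iff newSecret differs from current; the old current becomes prior for gracePeriod. */
    void rotate(Secret newSecret, Duration gracePeriod) {
        lock.writeLock().lock();
        try {
            if (current != null && newSecret != null && sameSecret(current, newSecret)) {
                return;                                   // identical secret: nothing rotates, existing grace untouched
            }
            if (prior != null) prior.close();             // only one prior slot: the older prior is dropped
            prior = current;
            priorValidUntilMillis = nowMillis.getAsLong() + gracePeriod.toMillis();
            current = newSecret;
        } finally {
            lock.writeLock().unlock();
        }
    }

    /** True if the current or prior value is non-null and non-empty. */
    boolean isSet() {
        lock.readLock().lock();
        try {
            return (current != null && !current.isEmpty()) || (prior != null && !prior.isEmpty());
        } finally {
            lock.readLock().unlock();
        }
    }

    /** True if candidate equals the current secret or a prior secret still inside its grace period. */
    boolean matches(Secret candidate) {
        if (candidate == null || candidate.isEmpty()) return false;   // documented: null/empty never matches
        lock.readLock().lock();
        try {
            if (current != null && !current.isEmpty() && sameSecret(current, candidate)) return true;
            boolean priorInGrace = prior != null && !prior.isEmpty()
                    && nowMillis.getAsLong() < priorValidUntilMillis;
            return priorInGrace && sameSecret(prior, candidate);
        } finally {
            lock.readLock().unlock();
        }
    }

    /** Constant-time comparison so a mismatch does not leak how many leading bytes were correct. */
    private static boolean sameSecret(Secret a, Secret b) {
        return MessageDigest.isEqual(a.bytes(), b.bytes());
    }

    public static void main(String[] args) {
        long[] clock = {0L};                              // controllable fake time in milliseconds
        RotatableSecretExample rs = new RotatableSecretExample(new Secret("old-token"), () -> clock[0]);
        Secret oldToken = new Secret("old-token");
        Secret newToken = new Secret("new-token");

        System.out.println("before rotation, old matches: " + rs.matches(oldToken));
        rs.rotate(newToken, Duration.ofHours(1));         // old-token moves to the prior slot for one hour
        System.out.println("inside grace, new/old match: " + rs.matches(newToken) + "/" + rs.matches(oldToken));
        clock[0] += Duration.ofHours(1).toMillis();       // advance the clock to the grace deadline
        System.out.println("after grace, new/old match: " + rs.matches(newToken) + "/" + rs.matches(oldToken));
        System.out.println("empty/null candidate: " + rs.matches(new Secret("")) + "/" + rs.matches(null));
        rs.rotate(new Secret("new-token"), Duration.ofHours(1)); // same value as current: no-op
        System.out.println("still set: " + rs.isSet());
    }
}
```

The fake clock is what makes the grace-period boundary checkable without sleeping; in production the supplier would be System::currentTimeMillis. The constant-time compare matters because matches() runs on every request with attacker-supplied input, so a short-circuiting equality check would leak prefix information about the secret.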