Class KeyStoreWrapper

org.elasticsearch.common.settings.KeyStoreWrapper
All Implemented Interfaces:
, , SecureSettings

public class KeyStoreWrapper extends implements SecureSettings
A disk based container for sensitive settings in Elasticsearch. Loading a keystore has 2 phases. First, call load(Path). Then call decrypt(char[]) with the keystore password, or an empty char array if hasPassword() is false. Loading and decrypting should happen in a single thread. Once decrypted, settings may be read in multiple threads.
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
     
  • Method Summary

    Modifier and Type
    Method
    Description
    static void
    Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node.
    void
     
    Constructs a new keystore with the given password.
    void
    decrypt​(char[] password)
    Decrypts the underlying keystore data.
     setting)
    Return a file setting.
    int
    Get the metadata format version for the keystore.
    <>
    It is possible to retrieve the setting names even if the keystore is closed.
    byte[]
     setting)
    Returns the SHA256 digest for the setting's value, even after #close() has been called.
     setting)
    Return a string setting.
    boolean
    Return true iff calling decrypt(char[]) requires a non-empty password.
    boolean
    Returns true iff the settings are loaded and retrievable.
    static
     configDir)
    Returns a path representing the ES keystore in the given config dir.
     configDir)
    Loads information about the Elasticsearch keystore from the provided config directory.
    void
     configDir, char[] password)
    Write the keystore to the given config directory.
    static void
    upgrade​(KeyStoreWrapper wrapper,  configDir, char[] password)
    Upgrades the format of the keystore, if necessary.
    static void
     setting)
    Ensure the given setting name is allowed.

  • Field Details

  • Method Details

    • getFormatVersion

      public int getFormatVersion()
      Get the metadata format version for the keystore.
    • keystorePath

      public static  keystorePath( configDir)
      Returns a path representing the ES keystore in the given config dir.
    • create

      public static KeyStoreWrapper create()
      Constructs a new keystore with the given password.
    • addBootstrapSeed

      public static void addBootstrapSeed(KeyStoreWrapper wrapper)
      Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node.
    • load

      public static  configDir) throws
      Loads information about the Elasticsearch keystore from the provided config directory. decrypt(char[]) must be called before reading or writing any entries. Returns null if no keystore exists.
      Throws:
    • upgrade

      public static void upgrade(KeyStoreWrapper wrapper,  configDir, char[] password) throws
      Upgrades the format of the keystore, if necessary.
      Throws:
    • isLoaded

      public boolean isLoaded()
      Description copied from interface: SecureSettings
      Returns true iff the settings are loaded and retrievable.
      Specified by:
      isLoaded in interface SecureSettings
    • hasPassword

      public boolean hasPassword()
      Return true iff calling decrypt(char[]) requires a non-empty password.
    • decrypt

      public void decrypt(char[] password) throws ,
      Decrypts the underlying keystore data. This may only be called once.
      Throws:
    • save

      public void save( configDir, char[] password) throws
      Write the keystore to the given config directory.
      Throws:
    • getSettingNames

      public <> getSettingNames()
      It is possible to retrieve the setting names even if the keystore is closed. This allows SecureSetting to correctly determine that an entry exists even though it cannot be read. Thus, attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.
      Specified by:
      getSettingNames in interface SecureSettings
    • getString

      public  setting)
      Description copied from interface: SecureSettings
      Return a string setting. The SecureString should be closed once it is used.
      Specified by:
      getString in interface SecureSettings
    • getFile

      public  getFile( setting)
      Description copied from interface: SecureSettings
      Return a file setting. The should be closed once it is used.
      Specified by:
      getFile in interface SecureSettings
    • getSHA256Digest

      public byte[] getSHA256Digest( setting)
      Returns the SHA256 digest for the setting's value, even after #close() has been called. The setting must exist. The digest is used to check for value changes without actually storing the value.
      Specified by:
      getSHA256Digest in interface SecureSettings
    • validateSettingName

      public static void validateSettingName( setting)
      Ensure the given setting name is allowed.
      Throws:
      - if the setting name is not valid
    • close

      public void close()
      Specified by:
       in interface 
      Specified by:
       in interface 
      Specified by:
      close in interface SecureSettings
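
The two-phase load described in the class summary, together with the after-close behaviour of getSettingNames() and getSHA256Digest(), as an added example that is not part of the Elasticsearch documentation. It assumes the Elasticsearch server jar is on the classpath; the class name KeystoreReadExample and the two command-line arguments are hypothetical.

```java
import java.io.Console;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;

public class KeystoreReadExample {
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        Path configDir = Paths.get(args[0]); // assumption: Elasticsearch config directory
        String name = args[1];               // assumption: name of a string setting to inspect

        // Phase 1: load() reads the keystore file; null means there is none.
        KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
        if (keystore == null) {
            System.err.println("no keystore at " + KeyStoreWrapper.keystorePath(configDir));
            return;
        }
        // Phase 2: decrypt() exactly once, with an empty array when no password is set.
        char[] password = new char[0];
        if (keystore.hasPassword()) {
            Console console = System.console();
            password = console == null ? null : console.readPassword("keystore password: ");
            if (password == null) throw new IllegalStateException("no terminal to read the password");
        }
        byte[] digestWhileOpen;
        try {
            keystore.decrypt(password);
            if (keystore.getSettingNames().contains(name) == false) {
                System.err.println("no such setting: " + name);
                return;
            }
            // Close the SecureString as soon as it has been used; the value is never printed.
            try (SecureString value = keystore.getString(name)) {
                System.out.println(name + ": " + value.length() + " chars");
            }
            digestWhileOpen = keystore.getSHA256Digest(name);
        } finally {
            Arrays.fill(password, '\0'); // wipe the password copy held by this process
            keystore.close();
        }
        // After close(): the name and its digest remain available, the value does not.
        boolean listed = keystore.getSettingNames().contains(name);
        boolean same = MessageDigest.isEqual(digestWhileOpen, keystore.getSHA256Digest(name));
        System.out.println("closed; still listed: " + listed + ", digest unchanged: " + same);
    }
}
```

Comparing a stored digest against the digest from a freshly loaded keystore is how a value change can be detected without keeping the secret itself in memory.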