Elasticsearch-keystore for opendistro config.yml

Hi,

I’m looking at implementing ldap as the auth mechanism. No problems getting it working but securing it is an issue. As far as I’ve found it stores a plain text password and cannot seem to use the elasticsearch-keystore module. This is the same as I’ve been doing for both logstash and kibana but not in any plugin config files.

I’m currently passing the password into the container as a secret and creating the key from that at the entrypoint:

echo "$secret" | /usr/share/elasticsearch/bin/elasticsearch-keystore add ldap.password --stdin

and I’ve substituted the secure setting into the config.yml file:
ldap:
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: ldap
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: true
      hosts:
        - ldap.example:389
      bind_dn: 'cn=admin,ou=example,ou=com'
      password: '${ldap.password}'
      userbase: 'ou=example,ou=com'
      usersearch: '(sAMAccountName={0})'
      username_attribute: cn

I get the following error, referencing an unknown secure setting:
hermes_elasticsearch.0.uc3fl5x8bla9@leader | org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown secure setting [ldap.password] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.6.2.jar:6.6.2]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.6.2.jar:6.6.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:116) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.6.2.jar:6.6.2]
Caused by: java.lang.IllegalArgumentException: unknown secure setting [ldap.password] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:482) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:427) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:398) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:369) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:148) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.node.Node.<init>(Node.java:372) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.2.jar:6.6.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.2.jar:6.6.2]
… 6 more
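
An added example, not part of the original post or of Open Distro's code: a pre-start check a container entrypoint could run over the LDAP block above, flagging a literal or unresolved bind password and a bind over unencrypted LDAP. The function names and finding ids are hypothetical, and the line-based key lookup assumes each key appears once in the block.

```python
import re

# Constructed sample mirroring the LDAP block posted above (not a real deployment).
SAMPLE = """\
ldap:
  authentication_backend:
    type: ldap
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      hosts:
        - ldap.example:389
      bind_dn: 'cn=admin,ou=example,ou=com'
      password: '${ldap.password}'
"""

PLACEHOLDER = re.compile(r"\$\{[^}]+\}")


def scalar(text, key):
    """Return the unquoted value of the first `key: value` line, or None."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*:[ \t]*(.*?)[ \t]*$", text, re.M)
    return m.group(1).strip("'\"") if m else None


def audit_ldap_block(text):
    """Return finding ids for the bind-credential risks in an LDAP auth block."""
    findings = []
    password = scalar(text, "password")
    if password:
        if PLACEHOLDER.fullmatch(password):
            # Placeholder left in the file: the thread reports the keystore
            # is not consulted for config.yml, so treat it as unresolved.
            findings.append("unresolved-placeholder")
        else:
            findings.append("plaintext-password")
    # With both flags off, the bind DN and password cross the network unencrypted.
    if scalar(text, "enable_ssl") != "true" and scalar(text, "enable_start_tls") != "true":
        findings.append("cleartext-bind")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_block(SAMPLE):
        print("FINDING:", finding)
```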

OpenDistro needs to support the Elasticsearch Keystore so we can store secure settings such as passwords. We tried using keystore for OpenDistro settings in the elasticsearch.yml config file and got similar errors as above.

How did you overwrite the config.yml?

I tried with values.yml without success. Still, it comes with the default config.

Any help please @krisantrobus @kri