Secure Settings / opensearch-keystore

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch 2.4.0

Describe the issue:

Is there any documentation for using secure settings (opensearch-keystore), and if not, does anyone know what needs to be done to allow for secure configuration of security passwords (certs, auth, LDAP, etc.)?

Looking over the source code for opensearch and the security plugin, it appears that some minor changes are needed in security/ at main · opensearch-project/security · GitHub to use SecureSetting.secureString rather than Setting.simpleString.

Saying all that, adding say to the keystore doesn’t seem to throw an exception (as I would expect given the code in OpenSearch/ at 10bff0c9f5b9ca78b3dc50f5c704dabf41b9d535 · opensearch-project/OpenSearch · GitHub innerGetRaw method), but then I get a startup error as OpenSearch can’t load the pemkey_filepath because it needs a password.

Happy to raise a PR for what appear to be trivial changes, but some guidance on whether I’m overlooking anything obvious about how to use secure settings without code changes would be welcome.

It appears that the auth plugins might be more complicated (to, say, configure the LDAP bind password securely) because the setting name is dynamic, based upon what you call the authc / authz provider name.

Is there a simpler way using variable interpolation in the yml files? I tried adding my own value into the keystore (say ldap_bind_password) and using bind_password: "${ldap_bind_password}", but that errors at startup because the keys in the keystore appear to be validated for whether they are known or not.

Related: Can we use encrypted password in opensearch.yml for · Issue #1549 · opensearch-project/security · GitHub


Hey @chriswhite

Question: I noticed you are referring to the LDAP bind password. If I understand this correctly, the password for the authentication connection is not working? Or are you referring to the OpenSearch keystore and the certificate passwords not working? Also certificates with a passphrase?

I kind of see those as separate entities. For example, let’s say I’m using the Java default keystore; by default it uses changeit as the password. For testing in dev I just copy my Java cacerts keystore and change the password.

keytool -storepasswd -keystore /usr/lib/jvm/java-1.8.0-openjdk-
  • Type “changeit”
  • New-PASS Type “secret”

I also have LDAP configured, which uses a user/password. I created a service account (i.e., opensearch_user, password123) to connect to my LDAP server. And last, certificates: using a passphrase, this would be done when creating those certificates.