Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.4.0
Describe the issue:
Is there any documentation for using secure settings (opensearch-keystore), and if not does anyone know what needs to be done to allow for secure configuration of security passwords (certs, auth ldap etc).
Looking over the source code for opensearch and the security plugin, it appears that some minor changes are needed in security/OpenSearchSecuritySSLPlugin.java at main · opensearch-project/security · GitHub to use SecureSetting.secureString rather than Setting.simpleString.
Saying all that, adding say plugins.security.ssl.http.pemkey_password to the keystore doesn’t seem to throw an exception (as I would expect given the code in OpenSearch/Setting.java at 10bff0c9f5b9ca78b3dc50f5c704dabf41b9d535 · opensearch-project/OpenSearch · GitHub innerGetRaw method), but then i get a startup error as opensearch can’t load the pemkey_filepath because it needs a password.
Happy to raise a PR for what appears to be trivial changes, but some guidance on whether i’m overlooking anything obvious for how to use secure settings without code changes.
It appears that the auth plugins might be more complicated (to say configure ldap bind password securely) because the setting name is dynamic based upon what you call the authc / z provider name.
Is there a simpler way using variable interpolation in the yml files? I tried adding my own value into the keystore (say ldap_bind_password), and using bind_password: "${ldap_bind_password}", but that errors are startup because the keys in the keystore appear to be validated for whether they are known or not