Azure plugin certificate too dangerous ?

[precbioinf]

Hi,

I have played with the azure plugin and am worried that the certificate
placed into Azure management pool can be very powerful. If a cracker
steals the password and keystore from the elasticsearch.yml, would they
be able to disrupt all the deployments from the same Azure subscription,
even if not related to elasticsearch ? E.g. they could use the keystore,
password to access the subscription fully and delete all the nodes ?

Is there a way to reduce the privilege of the uploaded certificates to
something safer ?

Thanks.

[dadoonet]

I do agree. That's the reason I brought up #67.
If doable it will fix that.

[pwli]

After trying to keep passwords/keys safe for luks/cryptsetup and other tools,
I was wondering if ES can allow the use of stdin for password at start up ?
For example, if elasticsearch.yml has:

cloud:
    ...
             keystore:
                   path: /path/to/azurekeystore.pkcs12
                   password: "<stdin>" or a simple "-"
                   type: pkcs12

then it will flag azure plugin to prompt the user to enter a password to continue.
In this case, if someone steals the .yml and keystore file, they won't
be able to get to the certificate.

This won't work if we expect ES to start automatically from a node
reboot. In this case, you just have to put the password in. But this
could provide some protection than leaving the files out in the open
even if they are unix permission restricted.

My two cents.

[dadoonet]

@pwli I think that we can now support this (not tested though) with elastic/elasticsearch#10918

cc @jaymode

[jaymode]

@dadoonet correct we should be able to support prompting for any setting in the elasticsearch.yml file starting with elasticsearch 1.6.0.

Configuration details are documented here https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-configuration.html#styles

[dadoonet]

Closing as you could probably now use what @pwli suggested.

Feel free to open a new issue in https://github.com/elastic/elasticsearch repo if it does not work as expected.