add ability to prompt for selected settings on startup

Some settings may be considered sensitive, such as passwords, and storing them
in the configuration file on disk is not good from a security perspective. This change
allows settings to have a special value, `${prompt::text}` or `${prompt::secret}`, to
indicate that  elasticsearch should prompt the user for the actual value on startup.
This only works when started in the foreground. In cases where elasticsearch is started
as a service or in the background, an exception will be thrown.

Closes #10838

Author: jaymode

docs/reference/setup/configuration.asciidoc

@@ -264,6 +264,29 @@ file which will resolve to an environment setting, for example:
 }
 --------------------------------------------------
 
+Additionally, for settings that you do not wish to store in the configuration
+file, you can use the value `${prompt::text}` or `${prompt::secret}` and start
+Elasticsearch in the foreground. `${prompt::secret}` has echoing disabled so
+that the value entered will not be shown in your terminal; `${prompt::text}`
+will allow you to see the value as you type it in. For example:
+
+[source,yaml]
+--------------------------------------------------
+node:
+  name: ${prompt::text}
+--------------------------------------------------
+
+On execution of the `elasticsearch` command, you will be prompted to enter
+the actual value like so:
+
+[source,sh]
+--------------------------------------------------
+Enter value for [node.name]:
+--------------------------------------------------
+
+NOTE: Elasticsearch will not start if `${prompt::text}` or `${prompt::secret}`
+is used in the settings and the process is run as a service or in the background.
+
 The location of the configuration file can be set externally using a
 system property:
 

src/main/java/org/elasticsearch/bootstrap/Bootstrap.java

@@ -25,6 +25,7 @@
 import org.elasticsearch.Version;
 import org.elasticsearch.common.PidFile;
 import org.elasticsearch.common.SuppressForbidden;
+import org.elasticsearch.common.cli.Terminal;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.inject.CreationException;
 import org.elasticsearch.common.inject.spi.Message;
@@ -163,8 +164,16 @@ public void run() {
 
         // install SM after natives, shutdown hooks, etc.
         setupSecurity(settings, environment);
-        
-        NodeBuilder nodeBuilder = NodeBuilder.nodeBuilder().settings(settings).loadConfigSettings(false);
+
+        // We do not need to reload system properties here as we have already applied them in building the settings and
+        // reloading could cause multiple prompts to the user for values if a system property was specified with a prompt
+        // placeholder
+        Settings nodeSettings = Settings.settingsBuilder()
+                .put(settings)
+                .put(InternalSettingsPreparer.IGNORE_SYSTEM_PROPERTIES_SETTING, true)
+                .build();
+
+        NodeBuilder nodeBuilder = NodeBuilder.nodeBuilder().settings(nodeSettings).loadConfigSettings(false);
         node = nodeBuilder.build();
     }
 
@@ -195,8 +204,9 @@ private static void setupLogging(Settings settings, Environment environment) {
         }
     }
 
-    private static Tuple<Settings, Environment> initialSettings() {
-        return InternalSettingsPreparer.prepareSettings(EMPTY_SETTINGS, true);
+    private static Tuple<Settings, Environment> initialSettings(boolean foreground) {
+        Terminal terminal = foreground ? Terminal.DEFAULT : null;
+        return InternalSettingsPreparer.prepareSettings(EMPTY_SETTINGS, true, terminal);
     }
 
     private void start() {
@@ -227,7 +237,7 @@ public static void main(String[] args) {
         Settings settings = null;
         Environment environment = null;
         try {
-            Tuple<Settings, Environment> tuple = initialSettings();
+            Tuple<Settings, Environment> tuple = initialSettings(foreground);
             settings = tuple.v1();
             environment = tuple.v2();
 

src/main/java/org/elasticsearch/common/cli/CliTool.java

@@ -93,7 +93,7 @@ protected CliTool(CliToolConfig config, Terminal terminal) {
         Preconditions.checkArgument(config.cmds().size() != 0, "At least one command must be configured");
         this.config = config;
         this.terminal = terminal;
-        Tuple<Settings, Environment> tuple = InternalSettingsPreparer.prepareSettings(EMPTY_SETTINGS, true);
+        Tuple<Settings, Environment> tuple = InternalSettingsPreparer.prepareSettings(EMPTY_SETTINGS, true, terminal);
         settings = tuple.v1();
         env = tuple.v2();
     }

src/main/java/org/elasticsearch/common/settings/Settings.java

@@ -1211,7 +1211,7 @@ public Builder putProperties(String prefix, Properties properties, String[] igno
          * tries and resolve it against an environment variable ({@link System#getenv(String)}), and last, tries
          * and replace it with another setting already set on this builder.
          */
-        public Builder replacePropertyPlaceholders() {
+        public Builder replacePropertyPlaceholders(String... ignoredValues) {
             PropertyPlaceholder propertyPlaceholder = new PropertyPlaceholder("${", "}", false);
             PropertyPlaceholder.PlaceholderResolver placeholderResolver = new PropertyPlaceholder.PlaceholderResolver() {
                     @Override
@@ -1241,7 +1241,19 @@ public boolean shouldIgnoreMissing(String placeholderName) {
                     }
                 };
             for (Map.Entry<String, String> entry : Maps.newHashMap(map).entrySet()) {
-                String value = propertyPlaceholder.replacePlaceholders(entry.getValue(), placeholderResolver);
+                String possiblePlaceholder = entry.getValue();
+                boolean ignored = false;
+                for (String ignoredValue : ignoredValues) {
+                    if (ignoredValue.equals(possiblePlaceholder)) {
+                        ignored = true;
+                        break;
+                    }
+                }
+                if (ignored) {
+                    continue;
+                }
+
+                String value = propertyPlaceholder.replacePlaceholders(possiblePlaceholder, placeholderResolver);
                 // if the values exists and has length, we should maintain it  in the map
                 // otherwise, the replace process resolved into removing it
                 if (Strings.hasLength(value)) {

src/main/java/org/elasticsearch/node/internal/InternalSettingsPreparer.java

@@ -20,9 +20,11 @@
 package org.elasticsearch.node.internal;
 
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.UnmodifiableIterator;
 import org.elasticsearch.cluster.ClusterName;
 import org.elasticsearch.common.Names;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.cli.Terminal;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
@@ -41,10 +43,38 @@ public class InternalSettingsPreparer {
 
     static final List<String> ALLOWED_SUFFIXES = ImmutableList.of(".yml", ".yaml", ".json", ".properties");
 
+    public static final String SECRET_PROMPT_VALUE = "${prompt::secret}";
+    public static final String TEXT_PROMPT_VALUE = "${prompt::text}";
+    public static final String IGNORE_SYSTEM_PROPERTIES_SETTING = "config.ignore_system_properties";
+
+    /**
+     * Prepares the settings by gathering all elasticsearch system properties, optionally loading the configuration settings,
+     * and then replacing all property placeholders. This method will not work with settings that have <code>__prompt__</code>
+     * as their value unless they have been resolved previously.
+     * @param pSettings The initial settings to use
+     * @param loadConfigSettings flag to indicate whether to load settings from the configuration directory/file
+     * @return the {@link Settings} and {@link Environment} as a {@link Tuple}
+     */
     public static Tuple<Settings, Environment> prepareSettings(Settings pSettings, boolean loadConfigSettings) {
+        return prepareSettings(pSettings, loadConfigSettings, null);
+    }
+
+    /**
+     * Prepares the settings by gathering all elasticsearch system properties, optionally loading the configuration settings,
+     * and then replacing all property placeholders. If a {@link Terminal} is provided and configuration settings are loaded,
+     * settings with the <code>__prompt__</code> value will result in a prompt for the setting to the user.
+     * @param pSettings The initial settings to use
+     * @param loadConfigSettings flag to indicate whether to load settings from the configuration directory/file
+     * @param terminal the Terminal to use for input/output
+     * @return the {@link Settings} and {@link Environment} as a {@link Tuple}
+     */
+    public static Tuple<Settings, Environment> prepareSettings(Settings pSettings, boolean loadConfigSettings, Terminal terminal) {
         // ignore this prefixes when getting properties from es. and elasticsearch.
         String[] ignorePrefixes = new String[]{"es.default.", "elasticsearch.default."};
-        boolean useSystemProperties = !pSettings.getAsBoolean("config.ignore_system_properties", false);
+        // ignore the special prompt placeholders since they have the same format as property placeholders and will be resolved
+        // as having a default value because of the ':' in the format
+        String[] ignoredPlaceholders = new String[] { SECRET_PROMPT_VALUE, TEXT_PROMPT_VALUE };
+        boolean useSystemProperties = !pSettings.getAsBoolean(IGNORE_SYSTEM_PROPERTIES_SETTING, false);
         // just create enough settings to build the environment
         Settings.Builder settingsBuilder = settingsBuilder().put(pSettings);
         if (useSystemProperties) {
@@ -53,7 +83,7 @@ public static Tuple<Settings, Environment> prepareSettings(Settings pSettings, b
                     .putProperties("elasticsearch.", System.getProperties(), ignorePrefixes)
                     .putProperties("es.", System.getProperties(), ignorePrefixes);
         }
-        settingsBuilder.replacePropertyPlaceholders();
+        settingsBuilder.replacePropertyPlaceholders(ignoredPlaceholders);
 
         Environment environment = new Environment(settingsBuilder.build());
 
@@ -91,17 +121,17 @@ public static Tuple<Settings, Environment> prepareSettings(Settings pSettings, b
             settingsBuilder.putProperties("elasticsearch.", System.getProperties(), ignorePrefixes)
                     .putProperties("es.", System.getProperties(), ignorePrefixes);
         }
-        settingsBuilder.replacePropertyPlaceholders();
+        settingsBuilder.replacePropertyPlaceholders(ignoredPlaceholders);
 
         // allow to force set properties based on configuration of the settings provided
         for (Map.Entry<String, String> entry : pSettings.getAsMap().entrySet()) {
             String setting = entry.getKey();
             if (setting.startsWith("force.")) {
                 settingsBuilder.remove(setting);
-                settingsBuilder.put(setting.substring(".force".length()), entry.getValue());
+                settingsBuilder.put(setting.substring("force.".length()), entry.getValue());
             }
         }
-        settingsBuilder.replacePropertyPlaceholders();
+        settingsBuilder.replacePropertyPlaceholders(ignoredPlaceholders);
 
         // generate the name
         if (settingsBuilder.get("name") == null) {
@@ -123,7 +153,7 @@ public static Tuple<Settings, Environment> prepareSettings(Settings pSettings, b
             settingsBuilder.put(ClusterName.SETTING, ClusterName.DEFAULT.value());
         }
 
-        Settings v1 = settingsBuilder.build();
+        Settings v1 = replacePromptPlaceholders(settingsBuilder.build(), terminal);
         environment = new Environment(v1);
 
         // put back the env settings
@@ -135,4 +165,45 @@ public static Tuple<Settings, Environment> prepareSettings(Settings pSettings, b
 
         return new Tuple<>(v1, environment);
     }
+
+    static Settings replacePromptPlaceholders(Settings settings, Terminal terminal) {
+        UnmodifiableIterator<Map.Entry<String, String>> iter = settings.getAsMap().entrySet().iterator();
+        Settings.Builder builder = Settings.builder();
+
+        while (iter.hasNext()) {
+            Map.Entry<String, String> entry = iter.next();
+            String value = entry.getValue();
+            String key = entry.getKey();
+            switch (value) {
+                case SECRET_PROMPT_VALUE:
+                    String secretValue = promptForValue(key, terminal, true);
+                    if (Strings.hasLength(secretValue)) {
+                        builder.put(key, secretValue);
+                    }
+                    break;
+                case TEXT_PROMPT_VALUE:
+                    String textValue = promptForValue(key, terminal, false);
+                    if (Strings.hasLength(textValue)) {
+                        builder.put(key, textValue);
+                    }
+                    break;
+                default:
+                    builder.put(key, value);
+                    break;
+            }
+        }
+
+        return builder.build();
+    }
+
+    static String promptForValue(String key, Terminal terminal, boolean secret) {
+        if (terminal == null) {
+            throw new UnsupportedOperationException("found property [" + key + "] with value [" + (secret ? SECRET_PROMPT_VALUE : TEXT_PROMPT_VALUE) +"]. prompting for property values is only supported when running elasticsearch in the foreground");
+        }
+
+        if (secret) {
+            return new String(terminal.readSecret("Enter value for [%s]: ", key));
+        }
+        return terminal.readText("Enter value for [%s]: ", key);
+    }
 }

src/main/java/org/elasticsearch/plugins/PluginManager.java

@@ -25,6 +25,7 @@
 import org.apache.lucene.util.IOUtils;
 import org.elasticsearch.*;
 import org.elasticsearch.common.SuppressForbidden;
+import org.elasticsearch.common.cli.Terminal;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.http.client.HttpDownloadHelper;
 import org.elasticsearch.common.io.FileSystemUtils;
@@ -338,7 +339,7 @@ public void listInstalledPlugins() throws IOException {
     private static final int EXIT_CODE_ERROR = 70;
 
     public static void main(String[] args) {
-        Tuple<Settings, Environment> initialSettings = InternalSettingsPreparer.prepareSettings(EMPTY_SETTINGS, true);
+        Tuple<Settings, Environment> initialSettings = InternalSettingsPreparer.prepareSettings(EMPTY_SETTINGS, true, Terminal.DEFAULT);
 
         try {
             Files.createDirectories(initialSettings.v2().pluginsFile());

src/main/java/org/elasticsearch/tribe/TribeService.java

@@ -45,6 +45,7 @@
 import org.elasticsearch.gateway.GatewayService;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.node.NodeBuilder;
+import org.elasticsearch.node.internal.InternalSettingsPreparer;
 import org.elasticsearch.rest.RestStatus;
 
 import java.util.EnumSet;
@@ -128,7 +129,7 @@ public TribeService(Settings settings, ClusterService clusterService, DiscoveryS
             sb.put("node.name", settings.get("name") + "/" + entry.getKey());
             sb.put("path.home", settings.get("path.home")); // pass through ES home dir
             sb.put(TRIBE_NAME, entry.getKey());
-            sb.put("config.ignore_system_properties", true);
+            sb.put(InternalSettingsPreparer.IGNORE_SYSTEM_PROPERTIES_SETTING, true);
             if (sb.get("http.enabled") == null) {
                 sb.put("http.enabled", false);
             }

src/test/java/org/elasticsearch/client/transport/TransportClientRetryTests.java

@@ -28,6 +28,7 @@
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
+import org.elasticsearch.node.internal.InternalSettingsPreparer;
 import org.elasticsearch.plugins.PluginsService;
 import org.elasticsearch.test.ElasticsearchIntegrationTest;
 import org.elasticsearch.test.InternalTestCluster;
@@ -61,7 +62,7 @@ public void testRetry() throws IOException, ExecutionException, InterruptedExcep
                 .put("node.mode", InternalTestCluster.nodeMode())
                 .put("plugins." + PluginsService.LOAD_PLUGIN_FROM_CLASSPATH, false)
                 .put(ClusterName.SETTING, internalCluster().getClusterName())
-                .put("config.ignore_system_properties", true)
+                .put(InternalSettingsPreparer.IGNORE_SYSTEM_PROPERTIES_SETTING, true)
                 .put("path.home", createTempDir());
 
         try (TransportClient transportClient = TransportClient.builder().settings(builder.build()).build()) {

src/test/java/org/elasticsearch/client/transport/TransportClientTests.java

@@ -25,6 +25,7 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.node.Node;
+import org.elasticsearch.node.internal.InternalSettingsPreparer;
 import org.elasticsearch.test.ElasticsearchIntegrationTest;
 import org.elasticsearch.test.ElasticsearchIntegrationTest.ClusterScope;
 import org.elasticsearch.transport.TransportService;
@@ -59,7 +60,7 @@ public void testNodeVersionIsUpdated() {
                 .put("path.home", createTempDir())
                 .put("node.name", "testNodeVersionIsUpdated")
                 .put("http.enabled", false)
-                .put("config.ignore_system_properties", true) // make sure we get what we set :)
+                .put(InternalSettingsPreparer.IGNORE_SYSTEM_PROPERTIES_SETTING, true) // make sure we get what we set :)
                 .build()).clusterName("foobar").build();
         node.start();
         try {

src/test/java/org/elasticsearch/common/cli/CliToolTests.java

@@ -25,10 +25,12 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.node.internal.InternalSettingsPreparer;
 import org.junit.Test;
 
 import java.io.IOException;
 import java.util.Map;
+import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
 
 import static org.elasticsearch.common.cli.CliToolConfig.Builder.cmd;
@@ -271,6 +273,49 @@ public CliTool.ExitStatus execute(Settings settings, Environment env) {
         tool.parse("cmd", Strings.splitStringByCommaToArray("--help"));
     }
 
+    @Test
+    public void testPromptForSetting() throws Exception {
+        final AtomicInteger counter = new AtomicInteger();
+        final AtomicReference<String> promptedSecretValue = new AtomicReference<>(null);
+        final AtomicReference<String> promptedTextValue = new AtomicReference<>(null);
+        final Terminal terminal = new MockTerminal() {
+            @Override
+            public char[] readSecret(String text, Object... args) {
+                counter.incrementAndGet();
+                assertThat(args, arrayContaining((Object) "foo.password"));
+                return "changeit".toCharArray();
+            }
+
+            @Override
+            public String readText(String text, Object... args) {
+                counter.incrementAndGet();
+                assertThat(args, arrayContaining((Object) "replace"));
+                return "replaced";
+            }
+        };
+        final NamedCommand cmd = new NamedCommand("noop", terminal) {
+            @Override
+            public CliTool.ExitStatus execute(Settings settings, Environment env) {
+                promptedSecretValue.set(settings.get("foo.password"));
+                promptedTextValue.set(settings.get("replace"));
+                return CliTool.ExitStatus.OK;
+            }
+        };
+
+        System.setProperty("es.foo.password", InternalSettingsPreparer.SECRET_PROMPT_VALUE);
+        System.setProperty("es.replace", InternalSettingsPreparer.TEXT_PROMPT_VALUE);
+        try {
+            new SingleCmdTool("tool", terminal, cmd).execute();
+        } finally {
+            System.clearProperty("es.foo.password");
+            System.clearProperty("es.replace");
+        }
+
+        assertThat(counter.intValue(), is(2));
+        assertThat(promptedSecretValue.get(), is("changeit"));
+        assertThat(promptedTextValue.get(), is("replaced"));
+    }
+
     private void assertStatus(int status, CliTool.ExitStatus expectedStatus) {
         assertThat(status, is(expectedStatus.status()));
     }