allow prompts for passwords in elasticsearch.yml

[pwli]

The listing of passwords in elasticsearch.yml for accessing key stores is
dangerous. If someone steals the yml and key store file, they can open
the keystore and access to mimic the system. I wonder if there is a way to
create a tag for the passwords in the yml file that will have the process
prompt for the password at startup.

For example, in the yml:

marvel.agent.exporter.es.ssl.truststore.password: 123password

will become:

marvel.agent.exporter.es.ssl.truststore.password: -

and the system will then prompt the user for the password at start up:

Enter password for marvel.agent.exporter.es.ssl.truststore: 

Hopefully, the password is a strong one. But it won't be recorded and
be visible.

If the yml file is stolen, it won't have sufficient information to crack the key
store. For multiple password entries, they will be prompted in their order
of appearance.

Thanks

[clintongormley]

@jaymode any thoughts on this?

[jaymode]

This is something we've discussed and looked into, but ran into issues with multiple passwords prompts I believe (/cc @spinscale). I'm also not sure how or if this will work with the services used for package installations.

If we were to implement it as described, I think it would need to be a startup time scan through all settings with a special value (maybe __prompt__ or something) and prompt for each one with the name of the setting in the prompt, then replace the values in the settings internally. This could wind up being a lot of prompts with multiple password settings and could be a lot of work for someone to restart an elasticsearch process.

[pwli]

I realize the complication associated with multiple passwords, hence different prompts. One solution is a key-value file with root only access, or a here file (<<eof) in the auto-startup script with root only access. Another is to encrypt the whole elasticsearch.yml file and on start up, a single password is used to decrypt in memory. The password can be passed by stdin.

In my situation, bare passwords are not allowed to be in the nodes for security reasons. So we always start the services remotely from command and control hosts and with control programs, not manually. Also, if we have to restart a node, we rather it didn't automatically. We want to know why it failed first.

Thanks
Peter

On Apr 28, 2015, at 10:19 AM, Jay Modi notifications@github.com wrote:

This is something we've discussed and looked into, but ran into issues with multiple passwords prompts I believe (/cc @spinscale). I'm also not sure how or if this will work with the services used for package installations.

If we were to implement it as described, I think it would need to be a startup time scan through all settings with a special value (maybe prompt or something) and prompt for each one with the name of the setting in the prompt, then replace the values in the settings internally. This could wind up being a lot of prompts with multiple password settings and could be a lot of work for someone to restart an elasticsearch process.

—
Reply to this email directly or view it on GitHub.

[jaymode]

Peter, thanks for the follow up. I'm going to look into adding the functionality to prompt on startup for settings with a special placeholder.