Add ability to prompt for selected settings on startup

[jaymode]

Some settings may be considered sensitive, such as passwords, and storing them
in the configuration file on disk is not good from a security perspective. This change
allows settings to have a special value, __prompt__, that indicates elasticsearch
should prompt the user for the actual value on startup. This only works when
started in the foreground. In cases where elasticsearch is started as a service or
in the background, an exception will be thrown.

Closes #10838

[s1monw]

I don't think this class should have a method with this kind of sideeffects. I thinks we should put all this stuff into
PromptPlaceholderResolver and have a method there with this signature:

public static Settings promtTerminal(Terminal terminal, Settings settings) {
  // this method never modifies a builder we take the settings and build a new one and return
  return newSettings;
}

this way we don't need all the static maps in that class either and we don't need to access inner structures. In prepareSettings we call this as the last thing before we return the settings as the tuple.

does thsi make sense?

[jaymode]

Yeah it does make sense. The static map was more for issues that occurred when creating a Node within Bootstrap and having system properties with __prompt__. We can workaround that by not re-reading the system properties when building the node.

[s1monw]

I left one comment. I also wonder if we should add a SecureString that fully owns it's character array that we can potentially wipe after the fact? maybe as a different PR?

[uboness]

How would you know when to wipe the array?

[s1monw]

so there are multiple ways to do this. IMO there should only be ONE consumer. once the string is consumed we can wipe it. The other option is to have this thing MD5 or SHAxyz the input and never keep it around.

[uboness]

I like the one consumer approach... It's then the responsibility of the consumer to properly handle it and as far as the settings is concerned it's been handled

[s1monw]

@uboness wanna open a new issue or @jaymode maybe?

[jaymode]

I will open the issue to add the SecureString

[jaymode]

@s1monw updated the PR and opened #10950

[uboness]

is that going to only be used for secrets? So it seems based on the code right now... in that case, I'd call it __promt_secret__ or something along those lines.

If the idea is to just keep it a generic prompt, then we'll need some sort of type indication here, like __prompt:secret__ vs. __prompt:text__ or __prompt:int__

[jaymode]

I think we should keep it generic. I think adding __prompt:secret__ and __prompt:text__ is the right thing to do. However, I don't see the need for other types since we store settings internally as a string or maybe I am missing something here?

[s1monw]

+1 for the two

[s1monw]

I left one cosmetic comment - I will leave the final LGTM to @uboness here once you guys sorted out the different prompt options.

[jaymode]

@uboness updated the PR to support prompting for text and secret values

[s1monw]

@jaymode what's the status of this?

[jaymode]

@uboness ping.

@s1monw still waiting on last LGTM

[kimchy]

can we document why we do it (and make this a constant since we use it in several places now)?

[kimchy]

looks great!, left one small comment

[jaymode]

added the constant and rebased to pickup other changes in bootstrap

[s1monw]

@jaymode ping

[uboness]

so, I've been thinking about it. We already have property place holders in the form ${...}. I think it'd be more consistent if we use the same form except with special syntax inside... something like: ${prompt::text}. @clintongormley wdyt?

[clintongormley]

I'm good with that, and a strict YAML parser doesn't barf with this syntax, which is a bonus :)

[uboness]

sorry :).. good with what? the original (i.e. __prompt:secret__) or the dollar sign option (i.e. ${prompt::text})?

[clintongormley]

the dollar sign option :)

[s1monw]

@jaymode I think we are good to go here now?

[jaymode]

@s1monw or @uboness can one you of do a once over on the commit I just pushed? I renamed the placeholder and that led to some special casing being needed so I want to make sure that part is reviewed. After that, I'll get this rebased and push it.

[uboness]

I can live with pushing this for 1.6, just to have the functionality. But I would love to see this cleaned up and basically have all the placeholder replacement consolidated in the `replacePropertyPlaceholders' method.

would love to see the system placeholders follow the same convention and be in the form: ${env::foobar}

We can also introduce a new setting: config.ignore_placeholders:

will ignore all placeholder settings:

config.ignore_placeholders: true

will only ignore env placeholders:

config.ignore_placeholders: env

will only ignore prompt placeholders:

config.ignore_placeholders: prompt

will ignore both the env and prompt settings:

config.ignore_placeholders: env, prompt

It's a breaking change, so something to consider for 2.0?

[jaymode]

opened #11455 as discussion for these settings cleanups