Class KeyStoreWrapper
- java.lang.Object
- org.elasticsearch.common.settings.KeyStoreWrapper
- All Implemented Interfaces: java.io.Closeable, java.lang.AutoCloseable, SecureSettings
public class KeyStoreWrapper extends java.lang.Object implements SecureSettings
A disk based container for sensitive settings in Elasticsearch. Loading a keystore has 2 phases. First, call load(Path). Then call decrypt(char[]) with the keystore password, or an empty char array if hasPassword() is false. Loading and decrypting should happen in a single thread. Once decrypted, settings may be read in multiple threads.
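The two-phase sequence described above, as an added example that is not part of the Elasticsearch Javadoc. The class name KeystoreReadExample, the command-line arguments and the console prompt are assumptions; apart from SecureString.length(), only methods listed on this page are called on the keystore.

```java
import java.io.Console;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;

public class KeystoreReadExample {
    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the config directory, args[1] a setting name to check.
        Path configDir = Paths.get(args[0]);
        String settingName = args[1];

        // Phase 1: load() returns null if no keystore exists; entries are not readable yet.
        KeyStoreWrapper loaded = KeyStoreWrapper.load(configDir);
        if (loaded == null) {
            throw new IllegalStateException("no keystore at " + KeyStoreWrapper.keystorePath(configDir));
        }

        char[] password = new char[0]; // empty array is correct when hasPassword() is false
        try (KeyStoreWrapper keystore = loaded) {
            if (keystore.hasPassword()) {
                Console console = System.console();
                if (console == null) throw new IllegalStateException("no console for password prompt");
                char[] entered = console.readPassword("Keystore password: ");
                if (entered == null) throw new IllegalStateException("no password entered");
                password = entered;
            }
            // Phase 2: decrypt() may only be called once, on the same thread as load().
            keystore.decrypt(password);

            // Setting names stay listable; check before reading the value.
            if (!keystore.getSettingNames().contains(settingName)) {
                throw new IllegalArgumentException("setting not in keystore: " + settingName);
            }
            // The SecureString should be closed once it is used; never log its contents.
            try (SecureString value = keystore.getString(settingName)) {
                System.out.println(settingName + (value.length() > 0 ? " is set" : " is empty"));
            }
        } finally {
            Arrays.fill(password, '\0'); // overwrite the password copy held by this method
        }
    }
}
```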
-
-
Field Summary
Fields (Modifier and Type, Field, Description):
- static Setting<SecureString> SEED_SETTING
-
Method Summary
Methods (Modifier and Type, Method: Description):
- static void addBootstrapSeed(KeyStoreWrapper wrapper): Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node
- void close()
- static KeyStoreWrapper create(): Constructs a new keystore with the given password.
- void decrypt(char[] password): Decrypts the underlying keystore data.
- java.io.InputStream getFile(java.lang.String setting): Return a file setting.
- int getFormatVersion(): Get the metadata format version for the keystore
- java.util.Set<java.lang.String> getSettingNames(): It is possible to retrieve the setting names even if the keystore is closed.
- SecureString getString(java.lang.String setting): Return a string setting.
- boolean hasPassword(): Return true iff calling decrypt(char[]) requires a non-empty password.
- boolean isLoaded(): Returns true iff the settings are loaded and retrievable.
- static java.nio.file.Path keystorePath(java.nio.file.Path configDir): Returns a path representing the ES keystore in the given config dir.
- static KeyStoreWrapper load(java.nio.file.Path configDir): Loads information about the Elasticsearch keystore from the provided config directory.
- void save(java.nio.file.Path configDir, char[] password): Write the keystore to the given config directory.
- static void upgrade(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password): Upgrades the format of the keystore, if necessary.
- static void validateSettingName(java.lang.String setting): Ensure the given setting name is allowed.
-
-
-
Field Detail
-
SEED_SETTING
public static final Setting<SecureString> SEED_SETTING
-
-
Method Detail
-
getFormatVersion
public int getFormatVersion()
Get the metadata format version for the keystore
-
keystorePath
public static java.nio.file.Path keystorePath(java.nio.file.Path configDir)
Returns a path representing the ES keystore in the given config dir.
-
create
public static KeyStoreWrapper create()
Constructs a new keystore with the given password.
-
addBootstrapSeed
public static void addBootstrapSeed(KeyStoreWrapper wrapper)
Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node
-
load
public static KeyStoreWrapper load(java.nio.file.Path configDir) throws java.io.IOException
Loads information about the Elasticsearch keystore from the provided config directory. decrypt(char[]) must be called before reading or writing any entries. Returns null if no keystore exists.
- Throws: java.io.IOException
-
upgrade
public static void upgrade(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password) throws java.lang.Exception
Upgrades the format of the keystore, if necessary.
- Throws: java.lang.Exception
-
isLoaded
public boolean isLoaded()
Description copied from interface: SecureSettings
Returns true iff the settings are loaded and retrievable.
- Specified by: isLoaded in interface SecureSettings
-
hasPassword
public boolean hasPassword()
Return true iff calling decrypt(char[]) requires a non-empty password.
-
decrypt
public void decrypt(char[] password) throws java.security.GeneralSecurityException, java.io.IOException
Decrypts the underlying keystore data. This may only be called once.
- Throws: java.security.GeneralSecurityException, java.io.IOException
-
save
public void save(java.nio.file.Path configDir, char[] password) throws java.lang.Exception
Write the keystore to the given config directory.
- Throws: java.lang.Exception
-
getSettingNames
public java.util.Set<java.lang.String> getSettingNames()
It is possible to retrieve the setting names even if the keystore is closed. This allows SecureSetting to correctly determine that an entry exists even though it cannot be read. Thus attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.
- Specified by: getSettingNames in interface SecureSettings
-
getString
public SecureString getString(java.lang.String setting)
Description copied from interface: SecureSettings
Return a string setting. The SecureString should be closed once it is used.
- Specified by: getString in interface SecureSettings
-
getFile
public java.io.InputStream getFile(java.lang.String setting)
Description copied from interface: SecureSettings
Return a file setting. The InputStream should be closed once it is used.
- Specified by: getFile in interface SecureSettings
-
validateSettingName
public static void validateSettingName(java.lang.String setting)
Ensure the given setting name is allowed.
- Throws: java.lang.IllegalArgumentException - if the setting name is not valid
-
close
public void close()
- Specified by: close in interface java.lang.AutoCloseable
- Specified by: close in interface java.io.Closeable
- Specified by: close in interface SecureSettings
-
-