Package org.elasticsearch.common.settings

Class KeyStoreWrapper

  • All Implemented Interfaces:
    Closeable, AutoCloseable, SecureSettings
    public class KeyStoreWrapper
extends Object
implements SecureSettings
    A disk based container for sensitive settings in Elasticsearch. Loading a keystore has 2 phases. First, call load(Path). Then call decrypt(char[]) with the keystore password, or an empty char array if hasPassword() is false. Loading and decrypting should happen in a single thread. Once decrypted, settings may be read in multiple threads.

    • Method Detail

      • getFormatVersion

        public int getFormatVersion()
        Get the metadata format version for the keystore

      • keystorePath

        public static Path keystorePath​(Path configDir)
        Returns a path representing the ES keystore in the given config dir.

      • create

        public static KeyStoreWrapper create()
        Constructs a new keystore with the given password.

      • addBootstrapSeed

        public static void addBootstrapSeed​(KeyStoreWrapper wrapper)
        Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node

      • load

        public static KeyStoreWrapper load​(Path configDir)
                            throws IOException
        Loads information about the Elasticsearch keystore from the provided config directory. decrypt(char[]) must be called before reading or writing any entries. Returns null if no keystore exists.
        Throws:
        IOException

      • upgrade

        public static void upgrade​(KeyStoreWrapper wrapper,
                           Path configDir,
                           char[] password)
                    throws Exception
        Upgrades the format of the keystore, if necessary.
        Throws:
        Exception

      • isLoaded

        public boolean isLoaded()
        Description copied from interface: SecureSettings
        Returns true iff the settings are loaded and retrievable.
        Specified by:
        isLoaded in interface SecureSettings

      • hasPassword

        public boolean hasPassword()
        Return true iff calling decrypt(char[]) requires a non-empty password.

      • save

        public void save​(Path configDir,
                 char[] password)
          throws Exception
        Write the keystore to the given config directory.
        Throws:
        Exception

      • getSettingNames

        public Set<String> getSettingNames()
        It is possible to retrieve the setting names even if the keystore is closed. This allows SecureSetting to correctly determine that a entry exists even though it cannot be read. Thus attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.
        Specified by:
        getSettingNames in interface SecureSettings

      • getSHA256Digest

        public byte[] getSHA256Digest​(String setting)
        Returns the SHA256 digest for the setting's value, even after #close() has been called. The setting must exist. The digest is used to check for value changes without actually storing the value.
        Specified by:
        getSHA256Digest in interface SecureSettings

      • validateSettingName

        public static void validateSettingName​(String setting)
        Ensure the given setting name is allowed.
        Throws:
        IllegalArgumentException - if the setting name is not valid