Class KeyStoreWrapper
org.elasticsearch.common.settings.KeyStoreWrapper
- All Implemented Interfaces: , , SecureSettings

A disk based container for sensitive settings in Elasticsearch. Loading a keystore has 2 phases. First, call load(Path). Then call decrypt(char[]) with the keystore password, or an empty char array if hasPassword() is false. Loading and decrypting should happen in a single thread. Once decrypted, settings may be read in multiple threads.
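The two-phase sequence above, written out as an added example (not code from the Elasticsearch project): load the on-disk container, decrypt it only once and only in one thread, read one setting under try-with-resources, and return its SHA-256 digest so the caller can detect later changes without keeping the value. Assumed, and not on this page: the exception types IOException and GeneralSecurityException on load/decrypt, Java 17 for HexFormat, and the placeholder setting name "my.plugin.secret".

```java
import java.io.IOException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.HexFormat;

import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;

public final class KeystoreReadExample {

    /** Returns the hex SHA-256 digest of the named setting, or null if no keystore exists. */
    static String digestOf(Path configDir, char[] password, String setting)
            throws IOException, GeneralSecurityException {
        // Phase 1: read the on-disk container. Nothing is decrypted yet.
        KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
        if (keystore == null) {
            return null; // no keystore in configDir (load returns null in that case)
        }
        try (keystore) {
            // Phase 2: decrypt. An unprotected keystore takes an empty char array;
            // a protected one needs the real password, so fail rather than guess.
            if (keystore.hasPassword() && (password == null || password.length == 0)) {
                throw new IllegalArgumentException("keystore is password protected; password required");
            }
            keystore.decrypt(keystore.hasPassword() ? password : new char[0]); // may only be called once

            // getSHA256Digest requires the setting to exist, so check the name first.
            KeyStoreWrapper.validateSettingName(setting);
            if (!keystore.getSettingNames().contains(setting)) {
                throw new IllegalArgumentException("no such secure setting: " + setting);
            }
            // Read the value inside try-with-resources so the SecureString is closed once used.
            try (SecureString value = keystore.getString(setting)) {
                if (value.length() == 0) {
                    throw new IllegalStateException("secure setting is empty: " + setting);
                }
            }
            // The digest lets a caller compare against a later load without storing the value.
            return HexFormat.of().formatHex(keystore.getSHA256Digest(setting));
        } finally {
            if (password != null) {
                Arrays.fill(password, '\0'); // do not leave the keystore password in the heap
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the Elasticsearch config directory containing the keystore.
        char[] pw = System.console() != null ? System.console().readPassword("keystore password: ") : new char[0];
        System.out.println(digestOf(Path.of(args[0]), pw, "my.plugin.secret"));
    }
}
```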
Field Summary
- SEED_SETTING

Method Summary
- static void addBootstrapSeed(KeyStoreWrapper wrapper): Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node.
- void close()
- static KeyStoreWrapper create(): Constructs a new keystore with the given password.
- void decrypt(char[] password): Decrypts the underlying keystore data.
- getFile( setting): Return a file setting.
- int getFormatVersion(): Get the metadata format version for the keystore.
- <> getSettingNames(): It is possible to retrieve the setting names even if the keystore is closed.
- byte[] getSHA256Digest( setting): Returns the SHA256 digest for the setting's value, even after close() has been called.
- SecureString getString( setting): Return a string setting.
- boolean hasPassword(): Return true iff calling decrypt(char[]) requires a non-empty password.
- boolean isLoaded(): Returns true iff the settings are loaded and retrievable.
- static keystorePath( configDir): Returns a path representing the ES keystore in the given config dir.
- static KeyStoreWrapper load(Path configDir): Loads information about the Elasticsearch keystore from the provided config directory.
- void save( configDir, char[] password): Write the keystore to the given config directory.
- static void upgrade(KeyStoreWrapper wrapper,  configDir, char[] password): Upgrades the format of the keystore, if necessary.
- static void validateSettingName( setting): Ensure the given setting name is allowed.

Methods inherited from class java.lang.Object
Field Details
- SEED_SETTING

Method Details

getFormatVersion
public int getFormatVersion()
Get the metadata format version for the keystore.

keystorePath
public static keystorePath( configDir)
Returns a path representing the ES keystore in the given config dir.

create
public static KeyStoreWrapper create()
Constructs a new keystore with the given password.

addBootstrapSeed
public static void addBootstrapSeed(KeyStoreWrapper wrapper)
Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node.

load
public static KeyStoreWrapper load(Path configDir) throws
Loads information about the Elasticsearch keystore from the provided config directory. decrypt(char[]) must be called before reading or writing any entries. Returns null if no keystore exists.
- Throws:

upgrade
public static void upgrade(KeyStoreWrapper wrapper,  configDir, char[] password)
Upgrades the format of the keystore, if necessary.
- Throws:

isLoaded
public boolean isLoaded()
Description copied from interface: SecureSettings
Returns true iff the settings are loaded and retrievable.
- Specified by: isLoaded in interface SecureSettings

hasPassword
public boolean hasPassword()
Return true iff calling decrypt(char[]) requires a non-empty password.

decrypt
public void decrypt(char[] password) throws ,
Decrypts the underlying keystore data. This may only be called once.
- Throws:

save
public void save( configDir, char[] password) throws
Write the keystore to the given config directory.
- Throws:

getSettingNames
public <> getSettingNames()
It is possible to retrieve the setting names even if the keystore is closed. This allows SecureSetting to correctly determine that an entry exists even though it cannot be read. Thus attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.
- Specified by: getSettingNames in interface SecureSettings

getString
public SecureString getString( setting)
Description copied from interface: SecureSettings
Return a string setting. The SecureString should be closed once it is used.
- Specified by: getString in interface SecureSettings

getFile
public getFile( setting)
Description copied from interface: SecureSettings
Return a file setting. The returned value should be closed once it is used.
- Specified by: getFile in interface SecureSettings

getSHA256Digest
public byte[] getSHA256Digest( setting)
Returns the SHA256 digest for the setting's value, even after close() has been called. The setting must exist. The digest is used to check for value changes without actually storing the value.
- Specified by: getSHA256Digest in interface SecureSettings

validateSettingName
public static void validateSettingName( setting)
Ensure the given setting name is allowed.
- Throws: if the setting name is not valid

close
public void close()
- Specified by: in interface
- Specified by: in interface
- Specified by: close in interface SecureSettings