[BUG] 2.18 requires both configs for PKCS setup plugins.security.ssl.transport.keystore_password and ...keystore_keypassword #4961
Comments
Error when plugins.security.ssl.transport.keystore_password option is missing
Error when plugins.security.ssl.transport.keystore_keypassword option is missing
[Triage] @willyborankin Can you take a look at this issue?
@willyborankin I haven't dug into this in great depth, but is this because of the default value here? https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java#L77
Edit: nvm it appears to be the same in 2.17
Edit 2: Ok, I see why this is the case now. Prior to 2.18 the default for the keypassword would take the value from the keystore password setting. Code pointers:
By setting During the refactor, @willyborankin wdyt? I actually think the previous behavior makes sense because the keystore password and key password are the same by default unless otherwise specified.
@cwperks, you’re right—this is the root cause. Refactoring unfortunately breaks backward compatibility.
Fix issue opensearch-project#4961 by defaulting the keystore_keypassword setting to the same value as the keystore_password Signed-off-by: Andrey Pleskach <[email protected]>
Addressed in #4999. This will revert to pre-2.18 behavior in 2.19.
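The fallback described in the comments above (the key password defaulting to the keystore password) and the 2.18 requirement for both settings, as an added example that is not part of the thread or the plugin's code. It assumes flat dotted keys as in the reported config; the function names and sample passwords are constructed for illustration.

```python
# Added example: lint flat opensearch.yml settings for the 2.18 regression in this issue.
SECTIONS = ("plugins.security.ssl.transport", "plugins.security.ssl.http")
PASSWORD_KEYS = ("keystore_password", "keystore_keypassword")


def parse_flat_settings(text):
    """Parse 'dotted.key: value' lines; an empty value counts as unset.

    Assumption: flat dotted keys as in the issue, no nested YAML, and no
    ' #' sequence inside a value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("'\"")
        if value:
            settings[key.strip()] = value
    return settings


def effective_key_password(settings, section):
    """Pre-2.18 / post-fix rule: the key password defaults to the keystore password."""
    explicit = settings.get(f"{section}.keystore_keypassword")
    return explicit if explicit is not None else settings.get(f"{section}.keystore_password")


def missing_on_2_18(settings):
    """Map each keystore-backed section to the password settings 2.18 would find missing."""
    report = {}
    for section in SECTIONS:
        if f"{section}.keystore_filepath" not in settings:
            continue  # section does not use a keystore
        missing = [k for k in PASSWORD_KEYS if f"{section}.{k}" not in settings]
        if missing:
            report[section] = missing
    return report


# Constructed sample: transport relies on the fallback, http sets both explicitly.
SAMPLE = """\
plugins.security.ssl.transport.keystore_filepath: opensearch-node.jks
plugins.security.ssl.transport.keystore_password: example-store-pw
plugins.security.ssl.http.keystore_filepath: opensearch-node.jks
plugins.security.ssl.http.keystore_password: example-store-pw
plugins.security.ssl.http.keystore_keypassword: example-key-pw  # differs from store
"""

if __name__ == "__main__":
    for section, missing in missing_on_2_18(parse_flat_settings(SAMPLE)).items():
        print(f"{section}: set {', '.join(missing)} explicitly before running 2.18")
```

Running it against a node's settings before an upgrade to 2.18 lists the sections that depended on the old default.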
What is the bug?
OS 2.18 requires both configs for PKCS setup plugins.security.ssl.transport.keystore_password and ...keystore_keypassword
How can one reproduce the bug?
Remove one of the 2 lines (keystore_password or keystore_keypassword) and try to start the cluster:
```
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.keystore_filepath: opensearch-node.jks
plugins.security.ssl.transport.keystore_alias: opensearch-node
plugins.security.ssl.transport.keystore_password:
plugins.security.ssl.transport.keystore_keypassword: #This is required option in 2.18.0
plugins.security.ssl.transport.truststore_filepath: opensearch-truststore.jks
plugins.security.ssl.transport.truststore_alias: root-ca
plugins.security.ssl.transport.truststore_password: truststorepassword
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.keystore_filepath: opensearch-node.jks
plugins.security.ssl.http.keystore_alias: opensearch-node
plugins.security.ssl.http.keystore_password:
plugins.security.ssl.http.keystore_keypassword: #This is required option in 2.18.0
plugins.security.ssl.http.truststore_filepath: opensearch-truststore.jks
plugins.security.ssl.http.truststore_alias: root-ca
plugins.security.ssl.http.truststore_password: truststorepassword
```
What is the expected behavior?
Only one of these configurations is required
What is your host/environment?