in src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java [251:374]
public OpenSearchSecurityPlugin(final Settings settings, final Path configPath) {
super(settings, configPath, isDisabled(settings));
disabled = isDisabled(settings);
sslCertReloadEnabled = isSslCertReloadEnabled(settings);
transportPassiveAuthSetting = new TransportPassiveAuthSetting(settings);
if (disabled) {
this.sslCertReloadEnabled = false;
log.warn("OpenSearch Security plugin installed but disabled. This can expose your configuration (including passwords) to the public.");
return;
}
if (SSLConfig.isSslOnlyMode()) {
this.sslCertReloadEnabled = false;
log.warn("OpenSearch Security plugin run in ssl only mode. No authentication or authorization is performed");
return;
}
demoCertHashes.add("54a92508de7a39d06242a0ffbf59414d7eb478633c719e6af03938daf6de8a1a");
demoCertHashes.add("742e4659c79d7cad89ea86aab70aea490f23bbfc7e72abd5f0a5d3fb4c84d212");
demoCertHashes.add("db1264612891406639ecd25c894f256b7c5a6b7e1d9054cbe37b77acd2ddd913");
demoCertHashes.add("2a5398e20fcb851ec30aa141f37233ee91a802683415be2945c3c312c65c97cf");
demoCertHashes.add("33129547ce617f784c04e965104b2c671cce9e794d1c64c7efe58c77026246ae");
demoCertHashes.add("c4af0297cc75546e1905bdfe3934a950161eee11173d979ce929f086fdf9794d");
demoCertHashes.add("7a355f42c90e7543a267fbe3976c02f619036f5a34ce712995a22b342d83c3ce");
demoCertHashes.add("a9b5eca1399ec8518081c0d4a21a34eec4589087ce64c04fb01a488f9ad8edc9");
//new certs 04/2018
demoCertHashes.add("d14aefe70a592d7a29e14f3ff89c3d0070c99e87d21776aa07d333ee877e758f");
demoCertHashes.add("54a70016e0837a2b0c5658d1032d7ca32e432c62c55f01a2bf5adcb69a0a7ba9");
demoCertHashes.add("bdc141ab2272c779d0f242b79063152c49e1b06a2af05e0fd90d505f2b44d5f5");
demoCertHashes.add("3e839e2b059036a99ee4f742814995f2fb0ced7e9d68a47851f43a3c630b5324");
demoCertHashes.add("9b13661c073d864c28ad7b13eda67dcb6cbc2f04d116adc7c817c20b4c7ed361");
final SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(new PrivilegedAction<Object>() {
@Override
public Object run() {
if(Security.getProvider("BC") == null) {
Security.addProvider(new BouncyCastleProvider());
}
return null;
}
});
final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
if (settings.hasValue(advancedModulesEnabledKey)) {
deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
}
log.info("Clustername: {}", settings.get("cluster.name","opensearch"));
if (!transportSSLEnabled && !SSLConfig.isSslOnlyMode()) {
throw new IllegalStateException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED+" must be set to 'true'");
}
if(!client) {
final List<Path> filesWithWrongPermissions = AccessController.doPrivileged(new PrivilegedAction<List<Path>>() {
@Override
public List<Path> run() {
final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath();
if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) {
try (Stream<Path> s = Files.walk(confPath)) {
return s.distinct().filter(p -> checkFilePermissions(p)).collect(Collectors.toList());
} catch (Exception e) {
log.error(e.toString());
return null;
}
}
return Collections.emptyList();
}
});
if(filesWithWrongPermissions != null && filesWithWrongPermissions.size() > 0) {
for(final Path p: filesWithWrongPermissions) {
if(Files.isDirectory(p, LinkOption.NOFOLLOW_LINKS)) {
log.warn("Directory {} has insecure file permissions (should be 0700)", p);
} else {
log.warn("File {} has insecure file permissions (should be 0600)", p);
}
}
}
}
if(!client && !settings.getAsBoolean(ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false)) {
//check for demo certificates
final List<String> files = AccessController.doPrivileged(new PrivilegedAction<List<String>>() {
@Override
public List<String> run() {
final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath();
if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) {
try (Stream<Path> s = Files.walk(confPath)) {
return s.distinct().map(p -> sha256(p)).collect(Collectors.toList());
} catch (Exception e) {
log.error(e.toString());
return null;
}
}
return Collections.emptyList();
}
});
if(files != null) {
demoCertHashes.retainAll(files);
if(!demoCertHashes.isEmpty()) {
log.error("Demo certificates found but "+ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES+" is set to false.");
throw new RuntimeException("Demo certificates found "+demoCertHashes);
}
} else {
throw new RuntimeException("Unable to look for demo certificates");
}
}
}