in src/main/java/org/opensearch/security/tools/SecurityAdmin.java [191:819]
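/**
 * Parses the securityadmin command line, connects to the cluster on the TLS transport port and
 * runs the one administrative action selected by the options.
 *
 * <p>Evaluation order: the offline actions ({@code -vc}, {@code -mo}) return before any network
 * access. Every other action first opens a transport client, asks the cluster who the presented
 * certificate belongs to, and stops unless the cluster reports it as an admin certificate. The
 * "... and exit" options ({@code -us}, {@code -rl}, {@code -si}, {@code -w}, {@code -era},
 * {@code -dra}, {@code -esa}) are then checked in that fixed order, followed by the cluster
 * health wait and the index-level actions ({@code -dci}, {@code -r}, {@code -backup},
 * {@code -migrate}, single-file upload, full upload).
 *
 * <p>Operator notes on credential handling, all visible in this method:
 * <ul>
 *   <li>Keystore and truststore passwords from the environment take precedence over
 *       {@code -kspass}/{@code -tspass}; for the PEM key it is the other way round and
 *       {@code -keypass} overrides the environment.</li>
 *   <li>Without {@code -prompt}, a missing keystore password falls back to the well-known
 *       default {@code "changeit"}, and a missing truststore password falls back to the
 *       keystore password.</li>
 *   <li>Passwords given as command-line options can be read from process listings and shell
 *       history on a shared host; {@code -prompt} keeps them off the command line.</li>
 *   <li>{@code -nhnv} switches off hostname verification for the transport connection, so the
 *       tool no longer checks that the certificate matches the host it connected to.</li>
 * </ul>
 *
 * <p>Non-numeric values for {@code -p}, {@code -us} or {@code -vc} are reported like any other
 * parse error (message plus usage, return {@code -1}) instead of escaping as an exception.
 *
 * @param args the raw command-line arguments
 * @return {@code 0} when the selected action succeeded, {@code -1} on a parse error, a failed
 *         precondition or a failed action; the delete, create, backup, migrate, validate and
 *         upload branches return whatever their helper returns
 * @throws Exception anything raised by the transport client or the helpers that is not handled
 *         here, including connection errors other than {@code ConnectException}
 */
public static int execute(final String[] args) throws Exception {

    System.out.println("Security Admin v7");
    System.setProperty("security.nowarn.client","true");
    // Refuse TLS renegotiation requests initiated by the peer for every connection of this JVM.
    System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation","true");

    final HelpFormatter formatter = new HelpFormatter();
    Options options = new Options();
    options.addOption( "nhnv", "disable-host-name-verification", false, "Disable hostname verification" );
    options.addOption( "nrhn", "disable-resolve-hostname", false, "Disable DNS lookup of hostnames" );
    options.addOption(Option.builder("ts").longOpt("truststore").hasArg().argName("file").desc("Path to truststore (JKS/PKCS12 format)").build());
    options.addOption(Option.builder("ks").longOpt("keystore").hasArg().argName("file").desc("Path to keystore (JKS/PKCS12 format").build());
    options.addOption(Option.builder("tst").longOpt("truststore-type").hasArg().argName("type").desc("JKS or PKCS12, if not given we use the file extension to dectect the type").build());
    options.addOption(Option.builder("kst").longOpt("keystore-type").hasArg().argName("type").desc("JKS or PKCS12, if not given we use the file extension to dectect the type").build());
    options.addOption(Option.builder("tspass").longOpt("truststore-password").hasArg().argName("password").desc("Truststore password").build());
    options.addOption(Option.builder("kspass").longOpt("keystore-password").hasArg().argName("password").desc("Keystore password").build());
    options.addOption(Option.builder("cd").longOpt("configdir").hasArg().argName("directory").desc("Directory for config files").build());
    options.addOption(Option.builder("h").longOpt("hostname").hasArg().argName("host").desc("OpenSearch host (default: localhost)").build());
    options.addOption(Option.builder("p").longOpt("port").hasArg().argName("port").desc("OpenSearch transport port (default: 9300)").build());
    options.addOption(Option.builder("cn").longOpt("clustername").hasArg().argName("clustername").desc("Clustername (do not use together with -icl)").build());
    options.addOption( "sniff", "enable-sniffing", false, "Enable client.transport.sniff" );
    options.addOption( "icl", "ignore-clustername", false, "Ignore clustername (do not use together with -cn)" );
    options.addOption(Option.builder("r").longOpt("retrieve").desc("retrieve current config").build());
    options.addOption(Option.builder("f").longOpt("file").hasArg().argName("file").desc("file").build());
    options.addOption(Option.builder("t").longOpt("type").hasArg().argName("file-type").desc("file-type").build());
    options.addOption(Option.builder("tsalias").longOpt("truststore-alias").hasArg().argName("alias").desc("Truststore alias").build());
    options.addOption(Option.builder("ksalias").longOpt("keystore-alias").hasArg().argName("alias").desc("Keystore alias").build());
    options.addOption(Option.builder("ec").longOpt("enabled-ciphers").hasArg().argName("cipers").desc("Comma separated list of enabled TLS ciphers").build());
    options.addOption(Option.builder("ep").longOpt("enabled-protocols").hasArg().argName("protocols").desc("Comma separated list of enabled TLS protocols").build());
    //TODO mark as deprecated and replace it with "era" if "era" is mature enough
    options.addOption(Option.builder("us").longOpt("update_settings").hasArg().argName("number of replicas").desc("Update the number of Security index replicas, reload configuration on all nodes and exit").build());
    options.addOption(Option.builder("i").longOpt("index").hasArg().argName("indexname").desc("The index OpenSearch Security uses to store the configuration").build());
    options.addOption(Option.builder("era").longOpt("enable-replica-autoexpand").desc("Enable replica auto expand and exit").build());
    options.addOption(Option.builder("dra").longOpt("disable-replica-autoexpand").desc("Disable replica auto expand and exit").build());
    options.addOption(Option.builder("rl").longOpt("reload").desc("Reload the configuration on all nodes, flush all Security caches and exit").build());
    options.addOption(Option.builder("ff").longOpt("fail-fast").desc("fail-fast if something goes wrong").build());
    options.addOption(Option.builder("dg").longOpt("diagnose").desc("Log diagnostic trace into a file").build());
    options.addOption(Option.builder("dci").longOpt("delete-config-index").desc("Delete '.opendistro_security' config index and exit.").build());
    options.addOption(Option.builder("esa").longOpt("enable-shard-allocation").desc("Enable all shard allocation and exit.").build());
    options.addOption(Option.builder("arc").longOpt("accept-red-cluster").desc("Also operate on a red cluster. If not specified the cluster state has to be at least yellow.").build());
    options.addOption(Option.builder("cacert").hasArg().argName("file").desc("Path to trusted cacert (PEM format)").build());
    options.addOption(Option.builder("cert").hasArg().argName("file").desc("Path to admin certificate in PEM format").build());
    options.addOption(Option.builder("key").hasArg().argName("file").desc("Path to the key of admin certificate").build());
    options.addOption(Option.builder("keypass").hasArg().argName("password").desc("Password of the key of admin certificate (optional)").build());
    options.addOption(Option.builder("noopenssl").longOpt("no-openssl").desc("Do not use OpenSSL even if available (default: use it if available)").build());
    options.addOption(Option.builder("si").longOpt("show-info").desc("Show system and license info").build());
    options.addOption(Option.builder("w").longOpt("whoami").desc("Show information about the used admin certificate").build());
    options.addOption(Option.builder("prompt").longOpt("prompt-for-password").desc("Prompt for password if not supplied").build());
    options.addOption(Option.builder("er").longOpt("explicit-replicas").hasArg().argName("number of replicas").desc("Set explicit number of replicas or autoexpand expression for .opendistro_security index").build());
    options.addOption(Option.builder("backup").hasArg().argName("folder").desc("Backup configuration to folder").build());
    options.addOption(Option.builder("migrate").hasArg().argName("folder").desc("Migrate and use folder to store migrated files").build());
    options.addOption(Option.builder("rev").longOpt("resolve-env-vars").desc("Resolve/Substitute env vars in config with their value before uploading").build());
    options.addOption(Option.builder("vc").numberOfArgs(1).optionalArg(true).argName("version").longOpt("validate-configs").desc("Validate config for version 6 or 7 (default 7)").build());
    options.addOption(Option.builder("mo").longOpt("migrate-offline").hasArg().argName("folder").desc("Migrate and use folder to store migrated files").build());

    //when adding new options also adjust validate(CommandLine line)

    String hostname = "localhost";
    int port = 9300;
    // Secrets are seeded from the environment first; see the precedence handling below.
    String kspass = System.getenv(OPENDISTRO_SECURITY_KS_PASS);
    String tspass = System.getenv(OPENDISTRO_SECURITY_TS_PASS);
    String cd = ".";
    String ks = null;
    String ts = null;
    String kst = null;
    String tst = null;
    boolean nhnv = false;
    boolean nrhn = false;
    boolean sniff = false;
    boolean icl = false;
    String clustername = "opensearch";
    String file = null;
    String type = null;
    boolean retrieve = false;
    String ksAlias = null;
    String tsAlias = null;
    String[] enabledProtocols = new String[0];
    String[] enabledCiphers = new String[0];
    Integer updateSettings = null;
    String index = ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX;
    Boolean replicaAutoExpand = null;
    boolean reload = false;
    boolean failFast = false;
    boolean diagnose = false;
    boolean deleteConfigIndex = false;
    boolean enableShardAllocation = false;
    boolean acceptRedCluster = false;
    String keypass = System.getenv(OPENDISTRO_SECURITY_KEYPASS);
    boolean useOpenSSLIfAvailable = true;
    String cacert = null;
    String cert = null;
    String key = null;
    boolean si;
    boolean whoami;
    final boolean promptForPassword;
    String explicitReplicas = null;
    String backup = null;
    String migrate = null;
    final boolean resolveEnvVars;
    Integer validateConfig = null;
    String migrateOffline = null;

    CommandLineParser parser = new DefaultParser();
    try {
        CommandLine line = parser.parse( options, args );

        validate(line);

        hostname = line.getOptionValue("h", hostname);
        port = Integer.parseInt(line.getOptionValue("p", String.valueOf(port)));

        promptForPassword = line.hasOption("prompt");

        // An environment-supplied keystore password wins over -kspass. Without -prompt the
        // fallback is the well-known default "changeit"; with -prompt it stays null so the
        // user is asked later, once a keystore path is known.
        if(kspass == null || kspass.isEmpty()) {
            kspass = line.getOptionValue("kspass",promptForPassword?null:"changeit");
        }

        // Same precedence for the truststore; its non-prompt fallback is the keystore password.
        if(tspass == null || tspass.isEmpty()) {
            tspass = line.getOptionValue("tspass",promptForPassword?null:kspass);
        }

        cd = line.getOptionValue("cd", cd);

        // Later code builds file names by plain concatenation with cd.
        if(!cd.endsWith(File.separator)) {
            cd += File.separator;
        }

        ks = line.getOptionValue("ks",ks);
        ts = line.getOptionValue("ts",ts);
        kst = line.getOptionValue("kst", kst);
        tst = line.getOptionValue("tst", tst);
        nhnv = line.hasOption("nhnv");
        nrhn = line.hasOption("nrhn");
        clustername = line.getOptionValue("cn", clustername);
        sniff = line.hasOption("sniff");
        icl = line.hasOption("icl");
        file = line.getOptionValue("f", file);
        type = line.getOptionValue("t", type);
        retrieve = line.hasOption("r");
        ksAlias = line.getOptionValue("ksalias", ksAlias);
        tsAlias = line.getOptionValue("tsalias", tsAlias);
        index = line.getOptionValue("i", index);

        String enabledCiphersString = line.getOptionValue("ec", null);
        String enabledProtocolsString = line.getOptionValue("ep", null);

        if(enabledCiphersString != null) {
            enabledCiphers = enabledCiphersString.split(",");
        }

        if(enabledProtocolsString != null) {
            enabledProtocols = enabledProtocolsString.split(",");
        }

        updateSettings = line.hasOption("us")?Integer.parseInt(line.getOptionValue("us")):null;

        reload = line.hasOption("rl");

        // If both -era and -dra are given, -dra is evaluated last and wins.
        if(line.hasOption("era")) {
            replicaAutoExpand = true;
        }

        if(line.hasOption("dra")) {
            replicaAutoExpand = false;
        }

        failFast = line.hasOption("ff");
        diagnose = line.hasOption("dg");
        deleteConfigIndex = line.hasOption("dci");
        enableShardAllocation = line.hasOption("esa");
        acceptRedCluster = line.hasOption("arc");

        cacert = line.getOptionValue("cacert");
        cert = line.getOptionValue("cert");
        key = line.getOptionValue("key");
        // Unlike the keystore/truststore passwords, -keypass overrides the environment value.
        keypass = line.getOptionValue("keypass", keypass);

        useOpenSSLIfAvailable = !line.hasOption("noopenssl");

        si = line.hasOption("si");

        whoami = line.hasOption("w");

        explicitReplicas = line.getOptionValue("er", explicitReplicas);

        backup = line.getOptionValue("backup");

        migrate = line.getOptionValue("migrate");

        resolveEnvVars = line.hasOption("rev");

        validateConfig = !line.hasOption("vc")?null:Integer.parseInt(line.getOptionValue("vc", "7"));

        if(validateConfig != null && validateConfig.intValue() != 6 && validateConfig.intValue() != 7) {
            throw new ParseException("version must be 6 or 7");
        }

        migrateOffline = line.getOptionValue("mo");

    }
    // NumberFormatException covers non-numeric -p, -us and -vc values, which would otherwise
    // leave this method as an uncaught exception instead of a usage message.
    catch( ParseException | NumberFormatException exp ) {
        System.out.println("ERR: Parsing failed. Reason: " + exp.getMessage());
        formatter.printHelp("securityadmin.sh", options, true);
        return -1;
    }

    // Offline actions: handled before any connection is attempted.
    if(validateConfig != null) {
        System.out.println("Validate configuration for Version "+validateConfig.intValue());
        return validateConfig(cd, file, type, validateConfig.intValue());
    }

    if(migrateOffline != null) {
        System.out.println("Migrate "+migrateOffline+" offline");
        final boolean retVal = Migrater.migrateDirectory(new File(migrateOffline), true);
        return retVal?0:-1;
    }

    if(port < 9300) {
        System.out.println("WARNING: Seems you want connect to the OpenSearch HTTP port."+System.lineSeparator()
                + " securityadmin connects on the transport port which is normally 9300.");
    }

    System.out.print("Will connect to "+hostname+":"+port);
    // Plain TCP reachability probe: no TLS handshake and no credentials are involved. The
    // connect() call carries no timeout, and only ConnectException is turned into a friendly
    // message; any other exception propagates to the caller.
    Socket socket = new Socket();

    try {
        socket.connect(new InetSocketAddress(hostname, port));
    } catch (java.net.ConnectException ex) {
        System.out.println();
        System.out.println("ERR: Seems there is no OpenSearch running on "+hostname+":"+port+" - Will exit");
        return (-1);
    } finally {
        try {
            socket.close();
        } catch (Exception e) {
            //ignore
        }
    }

    System.out.println(" ... done");

    // Transport TLS is always enabled. Hostname verification and DNS resolution of hostnames
    // are on unless the operator explicitly passed -nhnv / -nrhn.
    final Settings.Builder settingsBuilder = Settings
            .builder()
            .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, !nhnv)
            .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, !nrhn)
            .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
            .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && useOpenSSLIfAvailable)
            .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, enabledCiphers)
            .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, enabledProtocols)
            .put("cluster.name", clustername)
            .put("client.transport.ignore_cluster_name", icl)
            .put("client.transport.sniff", sniff);

    if(ksAlias != null) {
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, ksAlias);
    }

    if(tsAlias != null) {
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, tsAlias);
    }

    if(ks != null) {
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, ks);
        // Store type: explicit -kst, else JKS for a ".jks" suffix, else PKCS12.
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, kst==null?(ks.endsWith(".jks")?"JKS":"PKCS12"):kst);

        // kspass is only still null here when -prompt was given and no other source had a value.
        if(kspass == null && promptForPassword) {
            kspass = promptForPassword("Keystore", "kspass", OPENDISTRO_SECURITY_KS_PASS);
        }

        if(kspass != null) {
            settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, kspass);
        }
    }

    if(ts != null) {
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, ts);
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, tst==null?(ts.endsWith(".jks")?"JKS":"PKCS12"):tst);

        if(tspass == null && promptForPassword) {
            tspass = promptForPassword("Truststore", "tspass", OPENDISTRO_SECURITY_TS_PASS);
        }

        if(tspass != null) {
            settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, tspass);
        }
    }

    if(cacert != null) {
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, cacert);
    }

    if(cert != null) {
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, cert);
    }

    if(key != null) {
        settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, key);

        if(keypass == null && promptForPassword) {
            keypass = promptForPassword("Pemkey", "keypass", OPENDISTRO_SECURITY_KEYPASS);
        }

        if(keypass != null) {
            settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, keypass);
        }
    }

    Settings settings = settingsBuilder.build();

    try (@SuppressWarnings("resource")
    TransportClient tc = new TransportClientImpl(settings, asCollection(Netty4Plugin.class, OpenSearchSecurityPlugin.class))
            .addTransportAddress(new TransportAddress(new InetSocketAddress(hostname, port)))) {

        // Authorization gate: the cluster, not this tool, decides whether the presented
        // certificate is an admin certificate. Nothing below runs for a non-admin identity.
        final WhoAmIResponse whoAmIRes = tc.execute(WhoAmIAction.INSTANCE, new WhoAmIRequest()).actionGet();
        System.out.println("Connected as "+whoAmIRes.getDn());

        if(!whoAmIRes.isAdmin()) {

            System.out.println("ERR: "+whoAmIRes.getDn()+" is not an admin user");

            if(!whoAmIRes.isNodeCertificateRequest()) {
                System.out.println("Seems you use a client certificate but this one is not registered as admin_dn");
                System.out.println("Make sure opensearch.yml on all nodes contains:");
                System.out.println("plugins.security.authcz.admin_dn:"+System.lineSeparator()+
                        " - \""+whoAmIRes.getDn()+"\"");
            } else {
                System.out.println("Seems you use a node certificate. This is not permitted, you have to use a client certificate and register it as admin_dn in opensearch.yml");
            }
            return (-1);
        } else if(whoAmIRes.isNodeCertificateRequest()) {
            // NOTE(review): the message calls this configuration forbidden, yet execution only
            // stops when -ff is set; without it the requested action still runs with a
            // certificate that is both node and admin. Confirm that this is intended.
            System.out.println("ERR: Seems you use a node certificate which is also an admin certificate");
            System.out.println(" That may have worked with older OpenSearch Security versions but it indicates");
            System.out.println(" a configuration error and is therefore forbidden now.");
            if (failFast) {
                return (-1);
            }

        }

        try {
            if(issueWarnings(tc) != 0) {
                return (-1);
            }
        } catch (Exception e1) {
            System.out.println("Unable to check whether cluster is sane");
            throw e1;
        }

        if(updateSettings != null) {
            Settings indexSettings = Settings.builder().put("index.number_of_replicas", updateSettings).build();
            ConfigUpdateResponse res = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(getTypes(true))).actionGet();
            // A failed reload is reported but the replica update is still attempted; the
            // failure is reflected in the return code below.
            if(res.hasFailures()) {
                System.out.println("ERR: Unabe to reload config due to "+res.failures());
            }
            final AcknowledgedResponse response = tc.admin().indices().updateSettings((new UpdateSettingsRequest(index).settings(indexSettings))).actionGet();
            System.out.println("Reload config on all nodes");
            System.out.println("Update number of replicas to "+(updateSettings) +" with result: "+response.isAcknowledged());
            return ((response.isAcknowledged() && !res.hasFailures())?0:-1);
        }

        if(reload) {
            ConfigUpdateResponse res = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(getTypes(false))).actionGet();
            if(res.hasFailures()) {
                System.out.println("ERR: Unabe to reload config due to "+res.failures());
                return -1;
            }
            System.out.println("Reload config on all nodes");
            return 0;
        }

        // -si prints nothing in this method; presumably issueWarnings() above already produced
        // the information - TODO confirm.
        if(si) {
            return (0);
        }

        if(whoami) {
            System.out.println(whoAmIRes.toString());
            return (0);
        }

        if(replicaAutoExpand != null) {
            Settings indexSettings = Settings.builder()
                    .put("index.auto_expand_replicas", replicaAutoExpand?"0-all":"false")
                    .build();
            ConfigUpdateResponse res = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(getTypes(false))).actionGet();
            if(res.hasFailures()) {
                System.out.println("ERR: Unabe to reload config due to "+res.failures());
            }
            final AcknowledgedResponse response = tc.admin().indices().updateSettings((new UpdateSettingsRequest(index).settings(indexSettings))).actionGet();
            System.out.println("Reload config on all nodes");
            System.out.println("Auto-expand replicas "+(replicaAutoExpand?"enabled":"disabled"));
            return ((response.isAcknowledged() && !res.hasFailures())?0:-1);
        }

        if(enableShardAllocation) {
            final boolean successful = tc.admin().cluster()
                    .updateSettings(new ClusterUpdateSettingsRequest()
                            .transientSettings(ENABLE_ALL_ALLOCATIONS_SETTINGS)
                            .persistentSettings(ENABLE_ALL_ALLOCATIONS_SETTINGS))
                    .actionGet()
                    .isAcknowledged();

            if(successful) {
                System.out.println("Persistent and transient shard allocation enabled");
            } else {
                System.out.println("ERR: Unable to enable shard allocation");
            }

            return (successful?0:-1);
        }

        if(failFast) {
            System.out.println("Fail-fast is activated");
        }

        if(diagnose) {
            generateDiagnoseTrace(tc);
        }

        System.out.println("Contacting opensearch cluster '"+clustername+"'"+(acceptRedCluster?"":" and wait for YELLOW clusterstate")+" ...");

        // Without -ff this loop retries every three seconds with no upper bound.
        // The printed hints name -cn, the clustername option this tool actually defines.
        // -nhnv in those hints is a diagnostic step: it turns hostname verification off.
        ClusterHealthResponse chr = null;

        while(chr == null) {
            try {
                final ClusterHealthRequest chrequest = new ClusterHealthRequest().timeout(TimeValue.timeValueMinutes(5));
                if(!acceptRedCluster) {
                    chrequest.waitForYellowStatus();
                }
                chr = tc.admin().cluster().health(chrequest).actionGet();
            } catch (Exception e) {

                // NOTE(review): rootCause is dereferenced below; this assumes getRootCause()
                // never returns null for a non-null throwable - confirm against the helper.
                Throwable rootCause = ExceptionUtils.getRootCause(e);

                if(!failFast) {
                    System.out.println("Cannot retrieve cluster state due to: "+e.getMessage()+". This is not an error, will keep on trying ...");
                    System.out.println(" Root cause: "+rootCause+" ("+e.getClass().getName()+"/"+rootCause.getClass().getName()+")");
                    System.out.println(" * Try running securityadmin.sh with -icl (but no -cn) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)");
                    System.out.println(" * Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in opensearch.yml");
                    System.out.println(" * If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)");
                    System.out.println(" * Add --accept-red-cluster to allow securityadmin to operate on a red cluster.");

                } else {
                    System.out.println("ERR: Cannot retrieve cluster state due to: "+e.getMessage()+".");
                    System.out.println(" Root cause: "+rootCause+" ("+e.getClass().getName()+"/"+rootCause.getClass().getName()+")");
                    System.out.println(" * Try running securityadmin.sh with -icl (but no -cn) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)");
                    System.out.println(" * Make also sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in opensearch.yml");
                    System.out.println(" * If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)");
                    System.out.println(" * Add --accept-red-cluster to allow securityadmin to operate on a red cluster.");

                    return (-1);
                }

                Thread.sleep(3000);
                continue;
            }
        }

        final boolean timedOut = chr.isTimedOut();

        if (!acceptRedCluster && timedOut) {
            System.out.println("ERR: Timed out while waiting for a green or yellow cluster state.");
            System.out.println(" * Try running securityadmin.sh with -icl (but no -cn) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)");
            System.out.println(" * Make also sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in opensearch.yml");
            System.out.println(" * If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)");
            System.out.println(" * Add --accept-red-cluster to allow securityadmin to operate on a red cluster.");
            return (-1);
        }

        System.out.println("Clustername: "+chr.getClusterName());
        System.out.println("Clusterstate: "+chr.getStatus());
        System.out.println("Number of nodes: "+chr.getNumberOfNodes());
        System.out.println("Number of data nodes: "+chr.getNumberOfDataNodes());

        // A missing security index is an expected state (first run), not an error.
        GetIndexResponse securityIndex = null;
        try {
            securityIndex = tc.admin().indices().getIndex(new GetIndexRequest().indices(index).addFeatures(Feature.MAPPINGS)).actionGet();
        } catch (IndexNotFoundException e1) {
            //ignore
        }
        final boolean indexExists = securityIndex != null;

        final NodesInfoResponse nodesInfo = tc.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();

        if(deleteConfigIndex) {
            return deleteConfigIndex(tc, index, indexExists);
        }

        if (!indexExists) {
            System.out.print(index +" index does not exists, attempt to create it ... ");
            final int created = createConfigIndex(tc, index, explicitReplicas);
            if(created != 0) {
                return created;
            }

        } else {
            System.out.println(index+" index already exists, so we do not need to create one.");

            // Health of the existing index is reported only; a RED or timed-out index does not
            // stop the run by itself.
            try {
                ClusterHealthResponse chrsg = tc.admin().cluster().health(new ClusterHealthRequest(index)).actionGet();

                if (chrsg.isTimedOut()) {
                    System.out.println("ERR: Timed out while waiting for "+index+" index state.");
                }

                if (chrsg.getStatus() == ClusterHealthStatus.RED) {
                    System.out.println("ERR: "+index+" index state is RED.");
                }

                if (chrsg.getStatus() == ClusterHealthStatus.YELLOW) {
                    System.out.println("INFO: "+index+" index state is YELLOW, it seems you miss some replicas");
                }

            } catch (Exception e) {
                if(!failFast) {
                    System.out.println("Cannot retrieve "+index+" index state state due to "+e.getMessage()+". This is not an error, will keep on trying ...");
                } else {
                    System.out.println("ERR: Cannot retrieve "+index+" index state state due to "+e.getMessage()+".");
                    return (-1);
                }
            }
        }

        final boolean createLegacyMode = !indexExists && CREATE_AS_LEGACY;

        if(createLegacyMode) {
            System.out.println("We forcibly create the new index in legacy mode so that ES 6 config can be uploaded. To move to v7 configs youneed to migrate.");
        }

        // An existing index counts as legacy when its mapping still contains the "security" type.
        final boolean legacy = createLegacyMode || (indexExists
                && securityIndex.getMappings() != null
                && securityIndex.getMappings().get(index) != null
                && securityIndex.getMappings().get(index).containsKey("security"));

        if(legacy) {
            System.out.println("Legacy index '"+index+"' (ES 6) detected (or forced). You should migrate the configuration!");
        }

        if(retrieve) {
            // The retrieved files are written into cd and include the internal users file;
            // presumably that holds credential material, so restrict access to the target
            // directory - verify against the file contents.
            String date = DATE_FORMAT.format(new Date());

            boolean success = retrieveFile(tc, cd+"config_"+date+".yml", index, "config", legacy);
            success = retrieveFile(tc, cd+"roles_"+date+".yml", index, "roles", legacy) && success;
            success = retrieveFile(tc, cd+"roles_mapping_"+date+".yml", index, "rolesmapping", legacy) && success;
            success = retrieveFile(tc, cd+"internal_users_"+date+".yml", index, "internalusers", legacy) && success;
            success = retrieveFile(tc, cd+"action_groups_"+date+".yml", index, "actiongroups", legacy) && success;
            success = retrieveFile(tc, cd+"audit_"+date+".yml", index, "audit", legacy) && success;

            if(!legacy) {
                success = retrieveFile(tc, cd+"security_tenants_"+date+".yml", index, "tenants", legacy) && success;
            }

            final boolean populateFileIfEmpty = true;
            success = retrieveFile(tc, cd+"nodes_dn_"+date+".yml", index, "nodesdn", legacy, populateFileIfEmpty) && success;
            success = retrieveFile(tc, cd+"whitelist_"+date+".yml", index, "whitelist", legacy, populateFileIfEmpty) && success;
            return (success?0:-1);
        }

        if(backup != null) {
            return backup(tc, index, new File(backup), legacy);
        }

        if(migrate != null) {
            if(!legacy) {
                System.out.println("ERR: Seems cluster is already migrated");
                return -1;
            }
            return migrate(tc, index, new File(migrate), nodesInfo, resolveEnvVars);
        }

        boolean isCdAbs = new File(cd).isAbsolute();

        System.out.println("Populate config from "+(isCdAbs?cd:new File(".", cd).getCanonicalPath()));

        if(file != null) {
            if(type != null) {
                System.out.println("Force type: "+type);
            } else {
                type = readTypeFromFile(new File(file));
                if(type == null) {
                    System.out.println("ERR: Unable to read type from file");
                    return (-1);
                }
            }

            // The type, whether forced with -t or read from the file, must be a known config type.
            if(!CType.lcStringValues().contains(type)) {
                System.out.println("ERR: Invalid type '"+type+"'");
                return (-1);
            }

            boolean success = uploadFile(tc, file, index, type, legacy, resolveEnvVars);

            if(!success) {
                System.out.println("ERR: cannot upload configuration, see errors above");
                return -1;
            }

            // Ask the nodes to reload the uploaded type and verify their responses.
            ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{type})).actionGet();

            success = checkConfigUpdateResponse(cur, nodesInfo, 1) && success;

            System.out.println("Done with "+(success?"success":"failures"));
            return (success?0:-1);
        }

        return upload(tc, index, cd, legacy, nodesInfo, resolveEnvVars);
    }
    // TODO audit changes to .opendistro_security index
}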