Remove keystore initial_md5sum #76835
Merged
jkakavas merged 3 commits into elastic:master from Aug 23, 2021
Elasticsearch's keystore initial md5sum was added in elastic#28928 with the intention to allow us to remove the elasticsearch.keystore file upon package removal, if this hadn't been altered after installation. At that time this decision made perfect sense as the elasticsearch keystore only contains transient data by default (`keystore.seed`) that is meant to be useful for bootstrap related actions, and doesn't need to survive re-installations. With Security ON by default, we will be storing additional settings in the keystore upon installation (namely, the passwords for the PKCS#12 keystores used for TLS) and these have a more persistent nature. Since `remove` doesn't delete the configuration directories and files where said PKCS#12 keystores are stored, it makes sense to also not delete the elasticsearch.keystore which stores the passwords.
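The removal decision described above, as an added sketch that is not the project's packaging code: it contrasts the checksum-based policy with the keep-always policy and reports PKCS#12 files left without the keystore that holds their passwords. The temp directory, `http.p12`, the file contents and the function names are constructed for illustration, and it assumes the checksum is recorded after installation has written the passwords.

```shell
#!/bin/sh
# Constructed sketch; file contents are stand-ins, not real keystore data.

# Simulate the config directory an install leaves behind.
make_conf() {
    conf=$(mktemp -d)
    printf 'seed+p12-passwords' > "$conf/elasticsearch.keystore"
    printf 'pkcs12-bytes' > "$conf/http.p12"
    ( cd "$conf" && md5sum elasticsearch.keystore \
        > .elasticsearch.keystore.initial_md5sum )
    echo "$conf"
}

# True when the keystore still matches the checksum taken at install time.
keystore_unchanged() {
    conf=$1
    sumfile="$conf/.elasticsearch.keystore.initial_md5sum"
    [ -e "$sumfile" ] || return 1
    [ "$(cd "$conf" && md5sum elasticsearch.keystore)" = "$(cat "$sumfile")" ]
}

# policy "checksum": delete an unmodified keystore on package removal.
# policy "keep":     never touch the keystore on package removal.
remove_hook() {
    conf=$1
    policy=$2
    if [ "$policy" = checksum ] && keystore_unchanged "$conf"; then
        rm -f "$conf/elasticsearch.keystore"
    fi
    rm -f "$conf/.elasticsearch.keystore.initial_md5sum"
}

# List PKCS#12 files whose passwords went away with the keystore.
orphaned_p12() {
    conf=$1
    [ -e "$conf/elasticsearch.keystore" ] && return 0
    for f in "$conf"/*.p12; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}
```
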
Collaborator
Pinging @elastic/es-delivery (Team:Delivery)
Contributor
Author
This is my reading of the initial changes, let me know if I have missed something, or if the change doesn't make sense for some other reason, happy to discuss. This came up from test failures, while working on the (still in-progress) #75144
pugnascotia reviewed Aug 23, 2021
| // keystore was removed | ||
| assertPathsDoNotExist(installation.config("elasticsearch.keystore"), installation.config(".elasticsearch.keystore.initial_md5sum")); |
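Review bot: the `assertPathsDoNotExist(...)` call on the last line bundles two expectations that no longer agree once package removal stops deleting the keystore. Assert that `installation.config("elasticsearch.keystore")` still exists after removal, keep a separate absence check for `.elasticsearch.keystore.initial_md5sum`, and reword the `// keystore was removed` comment so it matches the new behaviour.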
Contributor
Should we update the statement above to check that the keystore still exists?
Contributor
Author
Yes, makes sense - I was too quick to remove coverage :/
pugnascotia approved these changes Aug 23, 2021
wjp719 added a commit to wjp719/elasticsearch that referenced this pull request Aug 24, 2021
* master: (21 commits) [Test] More robust assertions for sorting and pagination (elastic#76654) [Test] Fix filename check on Windows (elastic#76807) Upgrade build scan plugin to 3.6.4 (elastic#76784) Remove keystore initial_md5sum (elastic#76835) Don't export docker images on assemble (elastic#76817) Fix testMasterStatsOnSuccessfulUpdate (elastic#76844) AwaitsFix for elastic#76840 Make Releasing Aggregation Buffers Safer (elastic#76741) Re-enable BWC tests after backport of elastic#76771 (elastic#76839) Dispatch large bulk requests to write thread (elastic#76736) Disable BWC tests for elastic#76771 Pull down beats artifacts when performing release tests Add timing stats to publication process (elastic#76771) Fix BanFailureLoggingTests some more (elastic#76668) Mention "warn threshold" in master service slowlog (elastic#76815) Fix DockerTests.test010Install Re-enable tests affected by elastic#75097 (elastic#76814) Fix testRecoveryIsCancelledAfterDeletingTheIndex (elastic#76644) Test fix -WildcardFieldMapperTests bad test data. (elastic#76819) Updating supported version after backporting the feature (elastic#76794) ... # Conflicts: # server/src/main/java/org/elasticsearch/action/bulk/TransportBulkAction.java