SSL client plugin requires "path.plugin" when it should not

I’m using version 5.5.0-22 of the SSL plugin with the transport client.

The code is like this:

Settings.Builder settingsBuilder =
Settings.builder()
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH,"<absolute/path/to/keystore>")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, “<absolute/path/to/truststore>”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, “<keystore_pasword>”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, “<truststore_password>”)

TransportClient tc = new PreBuiltTransportClient(settingsBuilder.build(), SearchGuardSSLPlugin.class);

Unfortunately this fails with the following exception (edited for brevity):

org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.ssl.SearchGuardSSLPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:434) ~[elasticsearch-5.5.0.jar:5.5.0]

Caused by: java.lang.IllegalStateException: path.home is not configured
at org.elasticsearch.env.Environment.(Environment.java:130) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.env.Environment.(Environment.java:120) ~[elasticsearch-5.5.0.jar:5.5.0]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:183) ~[search-guard-ssl-5.5.0-22.jar:5.5.0-22]

Now I can fix this by adding settingsBuilder.put(“path.home”, “/”) before transport construction but this is not sensible as my client is not a node and thus does not have a valid ES home directory.

It all boils down to having these lines in DefaultSearchGuardKeyStore.initSSLConfig:

final Environment env = new Environment(settings);

final String keystoreFilePath = env.configFile().resolve(settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, “”)).toAbsolutePath().toString();

The docs here state that the file paths to keystore and trust store are absolute so having the option to make them relative to ES’s configuration is problematic. Can you fix it so that you only create an Environment object (and thus require path.home) if the file path is relative or remove the relative option completely since it appears to be undocumented.

Thanks,
Robin

Can you prepare a PR for that?

···

Am 17.07.2017 um 06:25 schrieb Robin Power <robinmpower@gmail.com>:

I'm using version 5.5.0-22 of the SSL plugin with the transport client.

The code is like this:

Settings.Builder settingsBuilder =
  Settings.builder()
  .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH,"<absolute/path/to/keystore>")
  .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "<absolute/path/to/truststore>")
  .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "<keystore_pasword>")
  .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "<truststore_password>")
  ...

TransportClient tc = new PreBuiltTransportClient(settingsBuilder.build(), SearchGuardSSLPlugin.class);

Unfortunately this fails with the following exception (edited for brevity):

org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.ssl.SearchGuardSSLPlugin]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:434) ~[elasticsearch-5.5.0.jar:5.5.0]
...
Caused by: java.lang.IllegalStateException: path.home is not configured
    at org.elasticsearch.env.Environment.<init>(Environment.java:130) ~[elasticsearch-5.5.0.jar:5.5.0]
    at org.elasticsearch.env.Environment.<init>(Environment.java:120) ~[elasticsearch-5.5.0.jar:5.5.0]
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:183) ~[search-guard-ssl-5.5.0-22.jar:5.5.0-22]

Now I can fix this by adding settingsBuilder.put("path.home", "/") before transport construction but this is not sensible as my client is not a node and thus does not have a valid ES home directory.

It all boils down to having these lines in DefaultSearchGuardKeyStore.initSSLConfig:

final Environment env = new Environment(settings);
...
final String keystoreFilePath = env.configFile().resolve(settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "")).toAbsolutePath().toString();

The docs here state that the file paths to keystore and trust store are absolute so having the option to make them relative to ES's configuration is problematic. Can you fix it so that you only create an Environment object (and thus require path.home) if the file path is relative or remove the relative option completely since it appears to be undocumented.

Thanks,
Robin

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/6438b47a-2743-4ac0-b8e5-32f641abdbe5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.