Added secure settings for ssl related passwords:

[chriswhite199]

Description

Migration of SSL certificate / keystore passwords to use secure configuration (opensearch keystore). Existing settings are marked as insecure and will require current deployments to set the opensearch.allow_insecure_setting: false setting to allow the use of insecure settings in opensearch.yml

Secure settings added for existing ssl settings, using a _secure suffix, to allow older settings to be marked as deprecated:

• plugins.security.ssl.http.pemkey_password_secure
• plugins.security.ssl.http.keystore_password_secure
• plugins.security.ssl.http.keystore_keypassword_secure
• plugins.security.ssl.http.truststore_password_secure
• plugins.security.ssl.transport.pemkey_password_secure
• plugins.security.ssl.transport.server.pemkey_password_secure
• plugins.security.ssl.transport.client.pemkey_password_secure
• plugins.security.ssl.transport.keystore_password_secure
• plugins.security.ssl.transport.keystore_keypassword_secure
• plugins.security.ssl.transport.server.keystore_keypassword_secure
• plugins.security.ssl.transport.client.keystore_keypassword_secure
• plugins.security.ssl.transport.truststore_password_secure

Issues Resolved

Resolves #1549

Is this a backport? If so, please add backport PR # and/or commits #

Testing

Updated unit tests, added new test for asserting the case where old insecure settings are used, and opensearch.allow_insecure_setting hasn't be set.

Check List

• New functionality includes testing
• New functionality has been documented
  • To be completed in another PR to the opensearch-website repo
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #2296 (e40d273) into main (cad7c72) will increase coverage by 0.06%.
The diff coverage is 95.65%.

@@             Coverage Diff              @@
##               main    #2296      +/-   ##
============================================
+ Coverage     61.04%   61.10%   +0.06%     
- Complexity     3268     3274       +6     
============================================
  Files           259      260       +1     
  Lines         18337    18363      +26     
  Branches       3248     3250       +2     
============================================
+ Hits          11193    11221      +28     
+ Misses         5559     5557       -2     
  Partials       1585     1585              

Impacted Files	Coverage Δ
...security/auditlog/sink/ExternalOpenSearchSink.java	59.25% <0.00%> (ø)
...ensearch/security/ssl/util/SSLConfigConstants.java	77.77% <ø> (ø)
...ic/auth/ldap/backend/LDAPAuthorizationBackend.java	57.81% <100.00%> (+0.07%)	⬆️
...amazon/dlic/util/SettingsBasedSSLConfigurator.java	62.30% <100.00%> (ø)
...azon/dlic/util/SettingsBasedSSLConfiguratorV4.java	59.06% <100.00%> (+0.21%)	⬆️
...opensearch/security/auditlog/sink/WebhookSink.java	76.74% <100.00%> (ø)
...ensearch/security/ssl/DefaultSecurityKeyStore.java	67.28% <100.00%> (-0.55%)	⬇️
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java	78.82% <100.00%> (-1.29%)	⬇️
...org/opensearch/security/ssl/SecureSSLSettings.java	100.00% <100.00%> (ø)
...opensearch/security/ssl/util/SSLRequestHelper.java	65.71% <100.00%> (ø)
... and 5 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[peternied]

Thanks for the contribution! Great to see a clear improvement in the security posture. Had some ideas about how we could make it a more concise change, would love to know what you think.

[cwperks]

This is a great contribution @chriswhite199! Left a couple of comments around tests, but overall this looks good to me.

[peternied]

Looks great, I can go either way on the test cases for the enum class. Also added a nitpicky comment to use static imports, thanks for the great contribution!

[chriswhite199]

Still up for discussion is the use of SecureRestClientBuilder from commons-utils in other plugins, and how to best handle when the secure variants are used on a cluster hosting the plugin

[peternied]

Still up for discussion is the use of SecureRestClientBuilder from commons-utils in other plugins, and how to best handle when the secure variants are used on a cluster hosting the plugin

Is there an issue for this one, if not could you create one?

[peternied]

Looks like a commit missed the DCO signoff:

Commit sha: 6daf73e, Author: Chris White, Committer: Chris White; The sign-off is missing.

[DarshitChanpura]

@chriswhite199 thank you for adding the tests! Would you mind signing the commits?
Also you can you use ./gradlew spotlessApply to fix any formatting errors.

[DarshitChanpura]

@chriswhite199 Can you add a new-line at the end of SecureSSLSettingsTest.java to fix CodeHygiene check?

[DarshitChanpura]

LGTM! Thanks @chriswhite199 !

[cwperks]

Thank you for the great contribution!

[cwperks]

@chriswhite199 I just realized that this change was not backported into the 2.x release branch. I will add a backport 2.x label so that this change gets released.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2296-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 2c20be065775a02ef376abd273c1d5fc8976e8c7
# Push it to GitHub
git push --set-upstream origin backport/backport-2296-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2296-to-2.x.

[chinawushuai]

Which version currently implements this feature？ @chriswhite199

[willyborankin]

Hi @chinawushuai, it looks like that documentation have not been updated yet. I found the property starting from 2.7.0.0 release.

[chinawushuai]

I have checked the release notes, (#2296) is not included in version 2.7.0 @willyborankin