Elasticsearch plugin settings encryption

We are writing a repository plugin, and few of the settings in that plugin must be encrypted or at-least not shown in GET API. I could not find good example of such a setting. Right now we are using the following
Setting AUTHINFO =
Setting.simpleString("authinfo", Setting.Property.Filtered);
But even in this case, the authinfo is returned back in plain text when we query for the repository(GET _snapshot/my_repo).
Is the only choice in such cases is to store the details in elasticsearch keystore as explained here - https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html or do we have any other choice. If we create a keystore, the same command has to be replicated in all the members of the cluster or will the keystore be transferred automatically?

The keystore must exist on each node at startup. That is the intended way to have a secure setting. This would mean loading your secure settings at plugin initialization, instead of during repository creation. See for example the repository-s3 plugin.

Somehow I feel this is really not docker friendly as it will mean that we will need separate images for test/production if separate credentials are to be used. And putting the credential at docker build time seems a bit weird, I think we will need to mount the keystore file while using docker rather than hard-coding it inside the container.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.