The upgrade to Elasticsearch 7.X forced SonarQube to expose Elasticsearch's HTTP port without any authentication mechanism. Previously, SonarQube used Elasticsearch's internal binary transport protocol over TCP.
On CE, DE and EE the port is bound to localhost, so the Elasticsearch port is not exposed by default.
On DCE, however, if the network between application and search nodes is not properly secured, Elasticsearch can be directly reachable.
We want to give our DCE users the possibility to activate authentication for Elasticsearch.
Authentication between SQ and Elasticsearch will be available only on DCE, and it will be an optional configuration. SQ will use the xpack.security package and a native Elasticsearch realm with the built-in elastic user to configure authentication. Authentication comes with TLS encryption between ES nodes, since that is the minimum requirement for enabling ES authentication at all.
SQ will support the PKCS#12 format only.
Elasticsearch's elasticsearch-keystore utility will be used under the hood to configure the required properties.
The following properties will need to be added:
- sonar.cluster.search.password - password for the Elasticsearch built-in user (elastic); it is set in ES and used on the client side. If provided, it enables authentication and the additional properties below become required (optional)
- sonar.cluster.es.ssl.keystore - file URL of a keystore in PKCS#12 format; the user running SQ must have READ permission on that file (mandatory if the password is set)
- sonar.cluster.es.ssl.truststore - file URL of a truststore in PKCS#12 format; the user running SQ must have READ permission on that file (mandatory if the password is set)
- sonar.cluster.es.ssl.keystorePassword - password for the keystore (optional)
- sonar.cluster.es.ssl.truststorePassword - password for the truststore (optional)
When sonar.cluster.search.password is provided, the keystore and truststore configuration is considered required, since this is a mandatory prerequisite for Elasticsearch when enabling authentication; otherwise the SQ properties should be ignored. Furthermore, the following settings have to be written to the elasticsearch.yml file (see EsSettings.java):
- xpack.security.enabled = true
- xpack.security.transport.ssl.enabled = true
- xpack.security.transport.ssl.verification_mode = certificate
- xpack.security.transport.ssl.keystore.path = SQ's ES_CONF location, where the keystore will be copied (SQ_HOME/temp/conf/es)
- xpack.security.transport.ssl.truststore.path = SQ's ES_CONF location, where the truststore will be copied (SQ_HOME/temp/conf/es) - if it is the same file as the keystore, copying it once is enough
After writing elasticsearch.yml and before starting Elasticsearch, the following must be done to properly set up authentication:
- Clean SQ's ES_CONF location (SQ_HOME/temp/conf/es), making sure not to break other behaviour (writing elasticsearch.yml)
- Copy the certificates from the locations given by sonar.cluster.es.ssl.keystore and sonar.cluster.es.ssl.truststore to SQ's ES_CONF location (SQ_HOME/temp/conf/es)
- Copy the elasticsearch.keystore file from the original distribution to SQ's ES_CONF location (SQ_HOME/temp/conf/es)
- Execute, as a Java process, elasticsearch-keystore add -x 'bootstrap.password'
  - Pass the value of sonar.cluster.search.password to the process
  - The -x flag makes the tool read the setting value from standard input (stdin)
- If a password for the keystore has been provided, execute, as a Java process, elasticsearch-keystore add -x 'xpack.security.transport.ssl.keystore.secure_password'
  - Pass the value of sonar.cluster.es.ssl.keystorePassword to the process
- If a password for the truststore has been provided, execute, as a Java process, elasticsearch-keystore add -x 'xpack.security.transport.ssl.truststore.secure_password'
  - Pass the value of sonar.cluster.es.ssl.truststorePassword to the process
According to the tool description it may be possible to execute the tool once with multiple values; see the elasticsearch-keystore documentation for details.
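The steps above as an added example, not SonarQube's own code (EsSettings.java is not reproduced here): a POSIX sh sketch that applies the mandatory-prerequisite rule, prepares ES_CONF, writes the xpack settings and feeds the secrets to elasticsearch-keystore over stdin. The variables SEARCH_PASSWORD, SSL_KEYSTORE, SSL_TRUSTSTORE, KEYSTORE_PASSWORD, TRUSTSTORE_PASSWORD, ES_DIST and ES_KEYSTORE_CMD are assumed stand-ins for the sonar.cluster.* properties and the Elasticsearch distribution, and the choice to refuse startup when a password is set without readable stores is this example's reading of the rule.

```shell
# Added example, not SonarQube's own code: the search-node preparation steps of
# this design as a POSIX sh sketch. Assumed inputs (stand-ins for the sonar.cluster.*
# properties): SEARCH_PASSWORD, SSL_KEYSTORE, SSL_TRUSTSTORE, KEYSTORE_PASSWORD,
# TRUSTSTORE_PASSWORD; ES_DIST is the unpacked Elasticsearch distribution.
: "${ES_KEYSTORE_CMD:=$ES_DIST/bin/elasticsearch-keystore}"

# Mandatory-prerequisite rule: 0 = enable authentication; 1 = no password, so the
# SSL properties are ignored and authentication stays off; 2 = password set but a
# readable keystore/truststore is missing, so refuse to start (fail closed).
es_auth_mode() {
  [ -n "$SEARCH_PASSWORD" ] || return 1
  [ -n "$SSL_KEYSTORE" ] && [ -r "$SSL_KEYSTORE" ] || return 2
  [ -n "$SSL_TRUSTSTORE" ] && [ -r "$SSL_TRUSTSTORE" ] || return 2
}

# Clean ES_CONF without touching the elasticsearch.yml already written there,
# then copy the PKCS#12 stores and the distribution's elasticsearch.keystore in.
prepare_es_conf() {  # $1 = ES_CONF (SQ_HOME/temp/conf/es)
  for f in "$1"/*; do
    [ ! -e "$f" ] || [ "$(basename "$f")" = elasticsearch.yml ] || rm -rf "$f"
  done
  cp "$SSL_KEYSTORE" "$1/"
  [ "$SSL_TRUSTSTORE" = "$SSL_KEYSTORE" ] || cp "$SSL_TRUSTSTORE" "$1/"  # same file: copy once
  cp "$ES_DIST/config/elasticsearch.keystore" "$1/"
}

# The settings this design adds to elasticsearch.yml, pointing at the copies.
write_xpack_settings() {  # $1 = ES_CONF
  cat >>"$1/elasticsearch.yml" <<EOF
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: $1/$(basename "$SSL_KEYSTORE")
xpack.security.transport.ssl.truststore.path: $1/$(basename "$SSL_TRUSTSTORE")
EOF
}

# Secrets reach the keystore via -x (stdin), so they never show up on the command
# line or in process listings; ES_PATH_CONF selects the elasticsearch.keystore.
add_secure_setting() {  # $1 = ES_CONF, $2 = setting name, $3 = value
  printf '%s\n' "$3" | ES_PATH_CONF=$1 "$ES_KEYSTORE_CMD" add -x "$2"
}
store_secure_settings() {  # $1 = ES_CONF; the store passwords are optional
  add_secure_setting "$1" bootstrap.password "$SEARCH_PASSWORD"
  [ -z "$KEYSTORE_PASSWORD" ] || add_secure_setting "$1" \
    xpack.security.transport.ssl.keystore.secure_password "$KEYSTORE_PASSWORD"
  [ -z "$TRUSTSTORE_PASSWORD" ] || add_secure_setting "$1" \
    xpack.security.transport.ssl.truststore.secure_password "$TRUSTSTORE_PASSWORD"
}
```

Call es_auth_mode first and only run the remaining three functions when it returns 0; a return of 2 is a misconfiguration to surface in the logs before the node starts.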
Other relevant resources (documentation to update):
- Describe the new SQ properties
- Add a separate section for the properties
- Highlight that the authentication configuration is optional
- Emphasise that network security should be sufficient on its own and that authentication is just an extra step