elastic / elasticsearch-cloud-aws

AWS Cloud Plugin for Elasticsearch
https://github.com/elastic/elasticsearch/tree/master/plugins/discovery-ec2

AWS credentials should not be exposed #184

Closed chrissnell closed 9 years ago

chrissnell commented 9 years ago
% curl -XGET http://my-es-server:9200/_snapshot

Right there, in plaintext, my S3 credentials. Yes, I'm using IAM with tightly restricted permissions on a firewalled network but not everyone might be so careful. I'll bet if I scanned large blocks of AWS/Rackspace/etc, I would turn up a bunch of unrestricted AWS credentials.

This just seems like a bad idea. Can these be partially obscured?

davidski commented 9 years ago

Agree that obscuring these would be a good idea. Also want to point out if you are using IAM instance roles to provide access to S3, no inclusion of static credentials is required at all. Instance profiles FTW! :)

dadoonet commented 9 years ago

@chrissnell Where did you set your repo settings? In elasticsearch.yml or when you create the repository with PUT _snapshot/repo?

dadoonet commented 9 years ago

Answering to myself:

PUT /_snapshot/my_s3_repository
{
    "type": "s3",
    "settings": {
        "access_key": "XXX",
        "secret_key": "YYY"
    }
}

GET /_snapshot

It shows credentials. When credentials are defined in elasticsearch.yml you can't see them.

dadoonet commented 9 years ago

@imotov Any idea on how to obscure repository settings? I think that plugins can't do it by now. Could we add a method in BlobStoreRepository or anywhere else to filter settings? Should we support that?

imotov commented 9 years ago

@dadoonet to do that we need to add the settings filtering to get snapshot request

dadoonet commented 9 years ago

@imotov Did we change anything in core about this?

imotov commented 9 years ago

@dadoonet I thought there is an open issue for it in core, but apparently it's not there. I have created an issue elastic/elasticsearch#11265 for it.

nstott commented 9 years ago

I see that elastic/elasticsearch#11265 seems to be closed, but we're still seeing unfiltered key/secret in calls to _snapshot/. Any recommendations to hide that data?

imotov commented 9 years ago

@nstott which version of elasticsearch are you using? Which keys are exposed and for which plugin? Which version of the plugin are you using?

nstott commented 9 years ago

we're using elasticsearch 1.7.0, version 2.7 of the plugin, and access_key and secret_key are exposed

imotov commented 9 years ago

Yes, I was able to reproduce the issue. Since the keys appear in the repository settings on the top level (instead of inside cloud.aws.) they are not getting filtered out. So, the plugin needs to be modified to take advantage of elastic/elasticsearch#11265.
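The gap imotov describes (core filters settings under the cloud.aws. prefix, but the s3 repository declares access_key/secret_key at the top level of its own settings) is easy to show with a small audit script. The following Python is an added example, not code from the plugin or from Elasticsearch: it builds a constructed GET /_snapshot body shaped like dadoonet's reproduction, audits it for credential-like settings that still carry a value, and contrasts a fixed-prefix filter (which lets the top-level keys through) with a filter keyed on the setting name wherever it appears in the tree. The function and constant names are assumptions made for the example.

```python
import json
import re

# Constructed sample of a GET /_snapshot response shaped like the one in this
# thread: the s3 repository's access_key/secret_key sit at the top level of its
# "settings" object, not under the cloud.aws. prefix that core already filters.
SAMPLE_SNAPSHOT_RESPONSE = json.dumps({
    "my_s3_repository": {
        "type": "s3",
        "settings": {
            "bucket": "example-bucket",
            "access_key": "XXX",
            "secret_key": "YYY",
        },
    },
    "local_backup": {
        "type": "fs",
        "settings": {"location": "/mnt/backups"},
    },
})

HIDDEN = "<hidden>"

# Setting names (last path component) that must never be echoed back in clear text.
SENSITIVE_SETTING = re.compile(r"(^|\.)(access_key|secret_key|password|token)$", re.IGNORECASE)


def flatten_settings(settings, prefix=""):
    """Turn a nested settings object into {"a.b.c": value} so filters see full paths."""
    flat = {}
    for key, value in settings.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten_settings(value, path))
        else:
            flat[path] = value
    return flat


def repository_settings(response_body, repo_name):
    """Pull one repository's settings object out of a GET /_snapshot body."""
    return json.loads(response_body)[repo_name].get("settings", {})


def find_exposed_credentials(response_body):
    """Audit a GET /_snapshot body: list (repository, setting path) for every
    credential-like setting that still carries a real value."""
    findings = []
    for repo_name, repo in json.loads(response_body).items():
        for path, value in flatten_settings(repo.get("settings", {})).items():
            if SENSITIVE_SETTING.search(path) and value not in (None, "", HIDDEN):
                findings.append((repo_name, path))
    return findings


def filter_by_prefix(settings, prefix):
    """Hide everything under one fixed prefix (the cloud.aws. style of filtering).
    Top-level repository settings do not start with the prefix, so they pass through."""
    return {path: (HIDDEN if path.startswith(prefix) else value)
            for path, value in flatten_settings(settings).items()}


def filter_sensitive(settings):
    """Hide any setting whose name is credential-like, wherever it sits in the tree."""
    return {path: (HIDDEN if SENSITIVE_SETTING.search(path) else value)
            for path, value in flatten_settings(settings).items()}


def filter_snapshot_response(response_body):
    """Return a GET /_snapshot body with credential-like settings masked."""
    filtered = {}
    for repo_name, repo in json.loads(response_body).items():
        filtered[repo_name] = dict(repo, settings=filter_sensitive(repo.get("settings", {})))
    return json.dumps(filtered)


if __name__ == "__main__":
    print("exposed:", find_exposed_credentials(SAMPLE_SNAPSHOT_RESPONSE))
    s3 = repository_settings(SAMPLE_SNAPSHOT_RESPONSE, "my_s3_repository")
    print("prefix filter:", filter_by_prefix(s3, "cloud.aws."))
    print("name filter:  ", filter_sensitive(s3))
    print("after masking:", find_exposed_credentials(filter_snapshot_response(SAMPLE_SNAPSHOT_RESPONSE)))
```

Run against a real cluster, the audit function would simply be fed the body returned by the curl call at the top of this thread; as a detection it is useful on any version, while the name-based filter is the shape of change the plugin needs so that repository-level keys are masked regardless of where they are declared.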

jipperinbham commented 9 years ago

any chance this will make it in soon?