-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed "Using Client Certificate for Elastic Search Authentication" #1139
Fixed "Using Client Certificate for Elastic Search Authentication" #1139
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1139 +/- ##
======================================
Coverage 100% 100%
======================================
Files 144 144
Lines 6779 6804 +25
======================================
+ Hits 6779 6804 +25
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have only a couple of minor comments, LGTM otherwise.
Would you mind opening an issue to add documentation to this new option?
pkg/es/config/config.go
Outdated
} | ||
|
||
// LoadPrivateKeyFrom is used to load the private certificate and key for TLS | ||
func (c *Configuration) LoadPrivateKeyFrom() (*tls.Certificate, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps remove the "From" from the function name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your comments. I will update
pkg/es/config/config.go
Outdated
return nil | ||
} | ||
httpClient := &http.Client{ | ||
Timeout: c.Timeout, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like this is something extra, but I think it's ok to have it here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is only being applied when TLS is enabled. Can you make it available for every case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pavolloffay Yes. This is only being applied for httpclient which is being used by TLS case. I cannot find where to add for every case. we use BulkProcessorService
which allows to easily process bulk requests. There is no interface to set timeout. Could you point me out more specifically? Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the driver does not use the client when tls is disabled?
Something like this would not work?
// GetConfigs wraps the configs to feed to the ElasticSearch client init
func (c *Configuration) GetConfigs(logger *zap.Logger) []elastic.ClientOptionFunc {
options := []elastic.ClientOptionFunc{elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer)}
httpClient := &http.Client{
Timeout: c.Timeout,
}
if c.TLS.Enabled {
ctlsConfig, err := c.TLS.createTLSConfig(logger)
if err != nil {
return nil
}
httpClient.Transport = &http.Transport{
TLSClientConfig:ctlsConfig,
}
} else {
options = append(options, elastic.SetBasicAuth(c.Username, c.Password))
}
options = append(options, elastic.SetHttpClient(httpClient))
return options
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for elastic v5, if no HttpClient is configured, then http.DefaultClient is used. so your suggestion should be working. I will have a test later. Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for contributing.
Looks awesome overall! I only have minor nits.
Could you explain how you tested this, maybe post some evidence / examples.
pkg/es/config/config.go
Outdated
options[0] = elastic.SetURL(c.Servers...) | ||
options[1] = elastic.SetBasicAuth(c.Username, c.Password) | ||
options[2] = elastic.SetSniff(c.Sniffer) | ||
return options | ||
} | ||
|
||
// CreateTLSConfig creates TLS Configuration to connect with ES Cluster. | ||
func (c *Configuration) CreateTLSConfig(logger *zap.Logger) (*tls.Config, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think all these new functions can be private. Also, can they be on the TLS config object instead of the top-level Configuration type?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. Agree with your point. I will make changes accordingly.
Does this address the same issue as #1036 ? |
7ef1a58
to
d01b5df
Compare
@jpkrohling Document issue logged - #1144 |
@yurishkuro it is similar with #1036. both need pass httpclient to elasticsearch client. but AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. that need to call AWS api to do authentication, that means need to pass a aws http client instance to elasticsearch client. |
d01b5df
to
e981b19
Compare
@jpkrohling & @yurishkuro Could you please help to merge my pull request if you have no further comments? Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the timeout should be configurable for all cases.
pkg/es/config/config.go
Outdated
return nil | ||
} | ||
httpClient := &http.Client{ | ||
Timeout: c.Timeout, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is only being applied when TLS is enabled. Can you make it available for every case?
@clyang82 do you want to fix it in this PR or in a follow-up PR? |
pkg/es/config/config.go
Outdated
options[2] = elastic.SetSniff(c.Sniffer) | ||
func (c *Configuration) GetConfigs(logger *zap.Logger) []elastic.ClientOptionFunc { | ||
options := make([]elastic.ClientOptionFunc, 0) | ||
options = append(options, elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can combine
options := []elastic.ClientOptionFunc{ elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer) }
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
pkg/es/config/config.go
Outdated
if err != nil { | ||
logger.Fatal("Couldn't load root certificate", zap.Error(err)) | ||
} | ||
if len(tlsConfig.CertPath) > 0 && len(tlsConfig.KeyPath) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is this check needed? If it fails you return nil, so shouldn't it be an error to set c.TLS.Enabled
and not provide the other 3 params?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed
pkg/es/config/config.go
Outdated
} | ||
|
||
// loadPrivateKeyFrom is used to load the private certificate and key for TLS | ||
func (tlsConfig *TLSConfig) loadPrivateKeyFrom() (*tls.Certificate, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: remove "From" suffix
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
Is it necessary to use IAM with AWS ES? Can your approach be used and have some other script retrieve the credentials from IAM? If we can use your approach then I think it's better than #1036 since it does not introduce additional dependencies aside from std lib. |
These changes are a bit orthogonal from using IAM credentials IMO, as in the IAM case you need to provide a custom http client. That being said, the client cert approach for authentication may be a reasonable tradeoff over IAM. Looking more into that now. |
e981b19
to
061c460
Compare
@jpkrohling We could link the blog post in the newsletter. |
0e7605f
to
51919a4
Compare
@pavolloffay the latest code changes have passed my testing. Thanks. |
If this approach is orthogonal to IAM we could go forward and merge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, the fatal logging looks a bit weird. We usually log at error level and propagate the errors.
pkg/es/config/config.go
Outdated
@@ -64,7 +78,7 @@ func (c *Configuration) NewClient(logger *zap.Logger, metricsFactory metrics.Fac | |||
if len(c.Servers) < 1 { | |||
return nil, errors.New("No servers specified") | |||
} | |||
rawClient, err := elastic.NewClient(c.GetConfigs()...) | |||
rawClient, err := elastic.NewClient(c.GetConfigs(logger)...) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we do this without logging?
options, err := c.getConfigOptions() // note name change, no logger
if err != nil {
return nil, err
}
rawClient, err := elastic.NewClient(options...)
pkg/es/config/config.go
Outdated
return &tls.Config{ | ||
RootCAs: rootCerts, | ||
Certificates: []tls.Certificate{*clientPrivateKey}, | ||
}, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
}, nil
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
8db0cce
to
9b0050e
Compare
@jpkrohling & @yurishkuro Could you please help to merge my pull request? Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This LGTM and @pavolloffay has approved as well. As @yurishkuro had some comments before, I'll wait for a review from him before merging.
@@ -119,6 +124,10 @@ func addFlags(flagSet *flag.FlagSet, nsConfig *namespaceConfig) { | |||
nsConfig.namespace+suffixServerURLs, | |||
nsConfig.servers, | |||
"The comma-separated list of ElasticSearch servers, must be full url i.e. http://localhost:9200") | |||
flagSet.Duration( | |||
nsConfig.namespace+suffixTimeout, | |||
nsConfig.Timeout, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see where a default value for this is set. I assume it's not becoming a required flag, correct? Maybe expand in the help string what happens if not set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@yurishkuro Yes. It is not a required flag. the default value is 0. A Timeout of zero means no timeout. so how about change the help string from Timeout used for queries
to Timeout used for queries. A Timeout of zero means no timeout.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
new PR for this fix - #1171
Looks good to me, thanks! Had just one nit, but it can be done in another PR. |
Signed-off-by: Chun Lin Yang [email protected]
Which problem is this PR solving?
Resolves #678
Short description of the changes