Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SearchGuard conf for Jaeger to ES image #1500

Merged
merged 1 commit into from
Feb 12, 2019
Merged

Add SearchGuard conf for Jaeger to ES image #1500

merged 1 commit into from
Feb 12, 2019

Conversation

pavolloffay
Copy link
Member

@pavolloffay pavolloffay commented Jan 29, 2019
edited
Loading

@openshift-ci-robot openshift-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 29, 2019
@openshift-ci-robot
Copy link

Hi @pavolloffay. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pavolloffay
Copy link
Member Author

cc @ewolinetz

@pavolloffay pavolloffay changed the title Make it work with Jaeger Add SearchGuard conf for Jaeger to ES image Jan 30, 2019
@ewolinetz
Copy link
Contributor

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 30, 2019
@ewolinetz
Copy link
Contributor

ewolinetz commented Jan 30, 2019
edited
Loading

lgtm @jcantrill can you confirm this is all thats required on our side?

edit: asked for a change to restrict the index pattern

@jcantrill
Copy link
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 30, 2019
@ewolinetz
Copy link
Contributor

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 30, 2019
@objectiser
Copy link

@ewolinetz Just wanted to check the implications for multitenancy, to protect one tenants data from another.

One approach is that the index prefix is specific to the tenant - as we would need to make sure the index patterns in SG supports that. However this assumes the Jaeger server is configured by something that controls the valid index prefix. Which maybe fine when used with Istio (service mesh), but not sure if Jaeger is configured for standalone usage outside of Istio.

Are there any other ways that searchguard would need to be configured to ensure that the data from one tenant is protected from another? For example, if each tenant used a different client certificate, but possibly the same index prefix, would it be possible to still restrict access to the information generated by the separate tenants?

@openshift-ci-robot openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 31, 2019
@jcantrill
Copy link
Contributor

Are there any other ways that searchguard would need to be configured to ensure that the data from one tenant is protected from another? For example, if each tenant used a different client certificate, but possibly the same index prefix, would it be possible to still restrict access to the information generated by the separate tenants?

No, because access is restricted based on the index and not something like the document type or field. Searchguard is capable of document and field level security but those are enterprise licensed features. Client certificates do not make a difference because SG resolves permissions to the index and the matches that to a user or group. Even if you declared separate roles and rolemappings the permissions will resolve to the same set of indices.

@ewolinetz
Copy link
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 31, 2019
@ewolinetz
Copy link
Contributor

/retest

1 similar comment
@ewolinetz
Copy link
Contributor

/retest

@pavolloffay pavolloffay mentioned this pull request Feb 1, 2019
Merged
4 tasks
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Feb 5, 2019
pavolloffay
pavolloffay commented Feb 8, 2019
View reviewed changes
elasticsearch/run.sh Outdated Show resolved Hide resolved
@ewolinetz
Copy link
Contributor

can you squash your commits?

@pavolloffay
Copy link
Member Author

@ewolinetz done

@ewolinetz
Copy link
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 11, 2019
@jcantrill
Copy link
Contributor

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 12, 2019
@jcantrill
Copy link
Contributor

/retest

@openshift-merge-robot openshift-merge-robot merged commit 35700ce into openshift:master Feb 12, 2019
@openshift-ci-robot
Copy link

@pavolloffay: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
ci/prow/rhel-images 21b704c link /test rhel-images
ci/prow/full-integ-aws 21b704c link /test full-integ-aws
ci/prow/e2e-aws 21b704c link /test e2e-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@richm richm richm left review comments

@ewolinetz ewolinetz ewolinetz approved these changes

@jcantrill jcantrill Awaiting requested review from jcantrill

@lukas-vlcek lukas-vlcek Awaiting requested review from lukas-vlcek

Assignees

@ewolinetz ewolinetz

@jcantrill jcantrill

Labels
lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@pavolloffay @openshift-ci-robot @ewolinetz @jcantrill @objectiser @richm @openshift-merge-robot