Fixed "Using Client Certificate for Elastic Search Authentication" #1139
Conversation
clyang82
requested review from
black-adder,
jpkrohling,
pavolloffay,
vprithvi and
yurishkuro
as code owners
Codecov Report
@@ Coverage Diff @@
## master #1139 +/- ##
======================================
Coverage 100% 100%
======================================
Files 144 144
Lines 6779 6804 +25
======================================
+ Hits 6779 6804 +25
Continue to review full report at Codecov.
|
pkg/es/config/config.go
Outdated
| } | ||
|
|
||
| // LoadPrivateKeyFrom is used to load the private certificate and key for TLS | ||
| func (c *Configuration) LoadPrivateKeyFrom() (*tls.Certificate, error) { |
There was a problem hiding this comment.
Perhaps remove the "From" from the function name?
There was a problem hiding this comment.
Thanks for your comments. I will update
pkg/es/config/config.go
Outdated
| return nil | ||
| } | ||
| httpClient := &http.Client{ | ||
| Timeout: c.Timeout, |
There was a problem hiding this comment.
Seems like this is something extra, but I think it's ok to have it here.
There was a problem hiding this comment.
This is only being applied when TLS is enabled. Can you make it available for every case?
There was a problem hiding this comment.
@pavolloffay Yes. This is only being applied for httpclient which is being used by TLS case. I cannot find where to add for every case. we use BulkProcessorService which allows to easily process bulk requests. There is no interface to set timeout. Could you point me out more specifically? Thanks.
There was a problem hiding this comment.
So the driver does not use the client when tls is disabled?
Something like this would not work?
// GetConfigs wraps the configs to feed to the ElasticSearch client init
func (c *Configuration) GetConfigs(logger *zap.Logger) []elastic.ClientOptionFunc {
options := []elastic.ClientOptionFunc{elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer)}
httpClient := &http.Client{
Timeout: c.Timeout,
}
if c.TLS.Enabled {
ctlsConfig, err := c.TLS.createTLSConfig(logger)
if err != nil {
return nil
}
httpClient.Transport = &http.Transport{
TLSClientConfig:ctlsConfig,
}
} else {
options = append(options, elastic.SetBasicAuth(c.Username, c.Password))
}
options = append(options, elastic.SetHttpClient(httpClient))
return options
}
There was a problem hiding this comment.
for elastic v5, if no HttpClient is configured, then http.DefaultClient is used. so your suggestion should be working. I will have a test later. Thanks.
pkg/es/config/config.go
Outdated
| options[0] = elastic.SetURL(c.Servers...) | ||
| options[1] = elastic.SetBasicAuth(c.Username, c.Password) | ||
| options[2] = elastic.SetSniff(c.Sniffer) | ||
| return options | ||
| } | ||
|
|
||
| // CreateTLSConfig creates TLS Configuration to connect with ES Cluster. | ||
| func (c *Configuration) CreateTLSConfig(logger *zap.Logger) (*tls.Config, error) { |
There was a problem hiding this comment.
I think all these new functions can be private. Also, can they be on the TLS config object instead of the top-level Configuration type?
There was a problem hiding this comment.
Yes. Agree with your point. I will make changes accordingly.
|
Does this address the same issue as #1036 ? |
clyang82
force-pushed
the
es-client-certificate
branch
from
7ef1a58
to
d01b5df
Compare
|
@jpkrohling Document issue logged - #1144 |
|
@yurishkuro it is similar with #1036. both need pass httpclient to elasticsearch client. but AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. that need to call AWS api to do authentication, that means need to pass a aws http client instance to elasticsearch client. |
clyang82
force-pushed
the
es-client-certificate
branch
from
d01b5df
to
e981b19
Compare
|
@jpkrohling & @yurishkuro Could you please help to merge my pull request if you have no further comments? Thanks. |
pkg/es/config/config.go
Outdated
| return nil | ||
| } | ||
| httpClient := &http.Client{ | ||
| Timeout: c.Timeout, |
There was a problem hiding this comment.
This is only being applied when TLS is enabled. Can you make it available for every case?
|
@clyang82 do you want to fix it in this PR or in a follow-up PR? |
pkg/es/config/config.go
Outdated
| options[2] = elastic.SetSniff(c.Sniffer) | ||
| func (c *Configuration) GetConfigs(logger *zap.Logger) []elastic.ClientOptionFunc { | ||
| options := make([]elastic.ClientOptionFunc, 0) | ||
| options = append(options, elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer)) |
There was a problem hiding this comment.
can combine
options := []elastic.ClientOptionFunc{ elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer) }
pkg/es/config/config.go
Outdated
| if err != nil { | ||
| logger.Fatal("Couldn't load root certificate", zap.Error(err)) | ||
| } | ||
| if len(tlsConfig.CertPath) > 0 && len(tlsConfig.KeyPath) > 0 { |
There was a problem hiding this comment.
why is this check needed? If it fails you return nil, so shouldn't it be an error to set c.TLS.Enabled and not provide the other 3 params?
pkg/es/config/config.go
Outdated
| } | ||
|
|
||
| // loadPrivateKeyFrom is used to load the private certificate and key for TLS | ||
| func (tlsConfig *TLSConfig) loadPrivateKeyFrom() (*tls.Certificate, error) { |
Is it necessary to use IAM with AWS ES? Can your approach be used and have some other script retrieve the credentials from IAM? If we can use your approach then I think it's better than #1036 since it does not introduce additional dependencies aside from std lib. |
These changes are a bit orthogonal from using IAM credentials IMO, as in the IAM case you need to provide a custom http client. That being said, the client cert approach for authentication may be a reasonable tradeoff over IAM. Looking more into that now. |
clyang82
force-pushed
the
es-client-certificate
branch
from
e981b19
to
061c460
Compare
|
@jpkrohling We could link the blog post in the newsletter. |
clyang82
force-pushed
the
es-client-certificate
branch
from
0e7605f
to
51919a4
Compare
|
@pavolloffay the latest code changes have passed my testing. Thanks. |
|
If this approach is orthogonal to IAM we could go forward and merge. |
pkg/es/config/config.go
Outdated
| @@ -64,7 +78,7 @@ func (c *Configuration) NewClient(logger *zap.Logger, metricsFactory metrics.Fac | |||
| if len(c.Servers) < 1 { | |||
| return nil, errors.New("No servers specified") | |||
| } | |||
| rawClient, err := elastic.NewClient(c.GetConfigs()...) | |||
| rawClient, err := elastic.NewClient(c.GetConfigs(logger)...) | |||
There was a problem hiding this comment.
can we do this without logging?
options, err := c.getConfigOptions() // note name change, no logger
if err != nil {
return nil, err
}
rawClient, err := elastic.NewClient(options...)
pkg/es/config/config.go
Outdated
| return &tls.Config{ | ||
| RootCAs: rootCerts, | ||
| Certificates: []tls.Certificate{*clientPrivateKey}, | ||
| }, err |
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
Signed-off-by: Chun Lin Yang <[email protected]>
clyang82
force-pushed
the
es-client-certificate
branch
from
8db0cce
to
9b0050e
Compare
|
@jpkrohling & @yurishkuro Could you please help to merge my pull request? Thanks. |
There was a problem hiding this comment.
This LGTM and @pavolloffay has approved as well. As @yurishkuro had some comments before, I'll wait for a review from him before merging.
| @@ -119,6 +124,10 @@ func addFlags(flagSet *flag.FlagSet, nsConfig *namespaceConfig) { | |||
| nsConfig.namespace+suffixServerURLs, | |||
| nsConfig.servers, | |||
| "The comma-separated list of ElasticSearch servers, must be full url i.e. http://localhost:9200") | |||
| flagSet.Duration( | |||
| nsConfig.namespace+suffixTimeout, | |||
| nsConfig.Timeout, | |||
There was a problem hiding this comment.
I don't see where a default value for this is set. I assume it's not becoming a required flag, correct? Maybe expand in the help string what happens if not set.
There was a problem hiding this comment.
@yurishkuro Yes. It is not a required flag. the default value is 0. A Timeout of zero means no timeout. so how about change the help string from Timeout used for queries to Timeout used for queries. A Timeout of zero means no timeout.
There was a problem hiding this comment.
new PR for this fix - #1171
|
Looks good to me, thanks! Had just one nit, but it can be done in another PR. |
ghost
assigned 
Signed-off-by: Chun Lin Yang [email protected]
Which problem is this PR solving?
Resolves #678
Short description of the changes