Merged
Changes from 12 commits
37 commits
dd523dc
wip
battermann Mar 15, 2024
96c108f
wip
battermann Mar 18, 2024
db56fd1
wip
battermann Mar 18, 2024
9021159
tmp tracing
battermann Mar 18, 2024
ad83f89
wip
battermann Mar 18, 2024
1520c06
wip
battermann Mar 18, 2024
d9d8b4b
use credentials from integration config locally
battermann Mar 19, 2024
0b68437
credentials for additional write index
battermann Mar 19, 2024
f60b9e0
changelog
battermann Mar 19, 2024
4d8fb4d
make local federation v0 test work
battermann Mar 20, 2024
9221250
docs
battermann Mar 20, 2024
6589704
Update docs/src/developer/reference/config-options.md
battermann Mar 20, 2024
dcf6fcf
little clean up
battermann Mar 20, 2024
a5c3863
enable ES security on CI
battermann Mar 20, 2024
df86aa2
add credential support for elasticsearch chart
battermann Mar 20, 2024
9ee8965
Revert "enable ES security on CI"
battermann Mar 20, 2024
0d7757d
mount secret volumes
battermann Mar 20, 2024
52b4017
wip
battermann Mar 20, 2024
4170565
blank secret
battermann Mar 20, 2024
e1b84ba
This reverts commit 9ee8965e4cb1bd803b814541f8fb5323d7725a8b.
battermann Mar 20, 2024
437a3c4
charts/elasticsearch-index: Deal with lack of creds
akshaymankar Mar 20, 2024
6260982
Revert "This reverts commit 9ee8965e4cb1bd803b814541f8fb5323d7725a8b."
akshaymankar Mar 20, 2024
ca5caac
Revert "Revert "This reverts commit 9ee8965e4cb1bd803b814541f8fb5323d…
akshaymankar Mar 20, 2024
9cec195
add ES credentials to wire-server CI values
battermann Mar 20, 2024
7e20309
make value a string instead of map
battermann Mar 20, 2024
6458345
wip
battermann Mar 20, 2024
72e0947
added secrets to elasticserach-index
battermann Mar 21, 2024
07b20c6
added pre-install annotation to es secret
battermann Mar 21, 2024
2a94f42
updated docs
battermann Mar 21, 2024
a8d4a4e
set password for elastic user for CI
battermann Mar 21, 2024
ff4facc
added auth for migrate data cmd
battermann Mar 22, 2024
d08fd6c
ES credentials for integration
battermann Mar 25, 2024
93c38f0
fix test
battermann Mar 25, 2024
34dcb4c
move credentials to es opts
battermann Mar 25, 2024
9d12a78
wip config as yaml
battermann Mar 25, 2024
e2ec95e
updated brig template and simplified
battermann Mar 25, 2024
6ea4086
updated docs
battermann Mar 25, 2024
12 changes: 6 additions & 6 deletions Makefile
Expand Up @@ -294,9 +294,9 @@ db-reset: c
./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 --reset
./dist/spar-schema --keyspace spar_test2 --replication-factor 1 --reset
./integration/scripts/integration-dynamic-backends-db-schemas.sh --replication-factor 1 --reset
./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 > /dev/null
./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 > /dev/null
./integration/scripts/integration-dynamic-backends-brig-index.sh --elasticsearch-server http://localhost:9200 > /dev/null
./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
./integration/scripts/integration-dynamic-backends-brig-index.sh --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null



Expand All @@ -312,9 +312,9 @@ db-migrate: c
./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 > /dev/null
./dist/spar-schema --keyspace spar_test2 --replication-factor 1 > /dev/null
./integration/scripts/integration-dynamic-backends-db-schemas.sh --replication-factor 1 > /dev/null
./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 > /dev/null
./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 > /dev/null
./integration/scripts/integration-dynamic-backends-brig-index.sh --elasticsearch-server http://localhost:9200 > /dev/null
./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
./integration/scripts/integration-dynamic-backends-brig-index.sh --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null

#################################
## dependencies
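Review bot: The fixture path `./services/brig/test/resources/elasticsearch-credentials.yaml` is now spelled out three times in this hunk and three more times in the db-migrate hunk below, so the next move of that file needs six edits. Define it once near the top of the Makefile, `ES_CREDENTIALS ?= ./services/brig/test/resources/elasticsearch-credentials.yaml`, and pass `--elasticsearch-credentials $(ES_CREDENTIALS)` on each of the six lines. The `integration-dynamic-backends-brig-index.sh` call also receives the new flag; presumably the script forwards its arguments to brig-index unchanged, but that script is not part of this diff.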
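--- a/changelog.d/2-features/WPB-6717
+++ b/changelog.d/2-features/WPB-6717
@@ -0,0 +1 @@
+Support for Elasticsearch password authentication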
6 changes: 6 additions & 0 deletions charts/brig/templates/configmap.yaml
Expand Up @@ -330,5 +330,11 @@ data:
{{- if .setOAuthMaxActiveRefreshTokens }}
setOAuthMaxActiveRefreshTokens: {{ .setOAuthMaxActiveRefreshTokens }}
{{- end }}
{{- if $.Values.secrets.elasticsearch }}
setElasticsearchCredentials: /etc/wire/brig/secrets/elasticsearch-credentials.yaml
{{- end }}
{{- if $.Values.secrets.elasticsearchAdditional }}
setElasticsearchAdditionalCredentials: /etc/wire/brig/secrets/elasticsearch-additional-credentials.yaml
{{- end }}
{{- end }}
{{- end }}
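Review bot: The two new `setElasticsearch…Credentials` values are string literals that must agree with the key names `secret.yaml` writes (`elasticsearch-credentials.yaml`, `elasticsearch-additional-credentials.yaml`) and with the mount point of that secret in the brig deployment, and nothing in Helm checks that they do. A template comment above the block would make the coupling visible to the next editor, e.g. `{{- /* paths below are keys of the brig secret mounted at /etc/wire/brig/secrets; keep in sync with secret.yaml and the deployment volume mount */ -}}`. The deployment mount itself is not on this page; the commit "mount secret volumes" suggests it exists, but I cannot confirm the mount path matches `/etc/wire/brig/secrets`.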
6 changes: 6 additions & 0 deletions charts/brig/templates/secret.yaml
Expand Up @@ -35,4 +35,10 @@ data:
rabbitmqUsername: {{ .rabbitmq.username | b64enc | quote }}
rabbitmqPassword: {{ .rabbitmq.password | b64enc | quote }}
{{- end }}
{{- if .elasticsearch }}
elasticsearch-credentials.yaml: {{ .elasticsearch | b64enc | quote }}
{{- end }}
{{- if .elasticsearchAdditional }}
elasticsearch-additional-credentials.yaml: {{ .elasticsearchAdditional | b64enc | quote }}
{{- end }}
{{- end }}
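Review bot: `.elasticsearch` is piped straight into `b64enc`, which only accepts a string, while the documentation added in this PR (`docs/src/developer/reference/config-options.md`) shows `secrets.elasticsearch` as a map with `username` and `password` keys; rendering the secret with that value would be expected to fail with a wrong-type error rather than produce a usable file. Either the docs should show the value as a string block scalar (`elasticsearch: |` followed by the two keys), or the template should serialise the map first: `elasticsearch-credentials.yaml: {{ .elasticsearch | toYaml | b64enc | quote }}`, and likewise for `elasticsearchAdditional`. The commit titled "make value a string instead of map" suggests the string form is intended, in which case the docs example is what needs correcting.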
16 changes: 9 additions & 7 deletions deploy/dockerephemeral/docker-compose.yaml
Expand Up @@ -159,10 +159,13 @@ services:

elasticsearch:
container_name: demo_wire_elasticsearch
#image: elasticsearch:5.6
image: julialongtin/elasticsearch:0.0.9-amd64
# https://hub.docker.com/_/elastic is deprecated, but 6.2.4 did not work without further changes.
# image: docker.elastic.co/elasticsearch/elasticsearch:6.2.4
build:
context: .
dockerfile_inline: |
FROM julialongtin/elasticsearch:0.0.9-amd64
RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack -b
# this seems to be necessary to run X-Pack on Alpine (https://discuss.elastic.co/t/elasticsearch-failing-to-start-due-to-x-pack/85125/7)
RUN rm -rf /usr/share/elasticsearch/plugins/x-pack/platform/linux-x86_64
ulimits:
nofile:
soft: 65536
Expand All @@ -171,10 +174,9 @@ services:
- "127.0.0.1:9200:9200"
- "127.0.0.1:9300:9300"
environment:
- "xpack.ml.enabled=false"
- "xpack.security.enabled=true"
- "bootstrap.system_call_filter=false"
# ES_JVM_OPTIONS is reserved, so...
# what's present in the jvm.options file by default.
# - "JVM_OPTIONS_ES=-Xmx2g -Xms2g"
- "JVM_OPTIONS_ES=-Xmx512m -Xms512m"
- "discovery.type=single-node"
networks:
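Review bot: The `elastic:changeme` credential that the rest of this PR relies on (federation-v0/brig.yaml, the docs examples) is not set anywhere in this compose file; with `xpack.security.enabled=true` it presumably depends on the X-Pack plugin's built-in bootstrap password for the `elastic` user, which a reader cannot tell from the file. Add a comment beside `xpack.security.enabled=true`, e.g. `# dev only: the built-in "elastic" user keeps X-Pack's bootstrap password; brig configs use elastic:changeme`, or set the password explicitly so the dependency is visible and changeable. Separately, `elasticsearch-plugin install x-pack -b` runs at image build time against the network with no version pin or checksum, so the dev image is no longer reproducible; pinning the plugin artifact (or vendoring the zip) would be safer.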
3 changes: 2 additions & 1 deletion deploy/dockerephemeral/federation-v0/brig.yaml
Expand Up @@ -10,7 +10,8 @@ cassandra:
# filterNodesByDatacentre: datacenter1

elasticsearch:
url: http://demo_wire_elasticsearch:9200
# FUTUREWORK: use separate ES v0 instance
url: http://elastic:changeme@demo_wire_elasticsearch:9200
index: directory_test

rabbitmq:
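Review bot: The credentials are embedded in the URL userinfo (`http://elastic:changeme@…`) instead of going through the credentials-file option the rest of this PR introduces; URLs tend to end up in logs and error messages, and it is not visible here that the HTTP client used by the v0 brig turns userinfo into an Authorization header at all. If the v0 image predates `setElasticsearchCredentials` and this is the only way to authenticate it, say so in the existing comment so the form is not copied elsewhere: `# FUTUREWORK: use separate ES v0 instance; credentials in the URL only because the v0 brig has no setElasticsearchCredentials option (dev only)`. It would be worth confirming in the integration run that these requests are actually authenticated rather than rejected.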
22 changes: 22 additions & 0 deletions docs/src/developer/reference/config-options.md
Expand Up @@ -853,3 +853,25 @@ accessible to services (and not the private key.)

The corresponding Cassandra options are described in Cassandra's documentation:
[client_encryption_options](https://cassandra.apache.org/doc/stable/cassandra/configuration/cass_yaml_file.html#client_encryption_options)

## Configure Elasticsearch basic authentication

When the Wire backend is configured to work against a custom Elasticsearch instance, it may be desired to enable basic authentication for the internal communication between the Wire backend and the ES instance. To do so the Elasticsearch credentials can be set in wire-server's secrets as follows:

```yaml
brig:
secrets:
elasticsearch:
username: elastic
password: changeme
```

In some cases an additional Elasticsearch instance is needed (e.g. for index migrations). To configure credentials for the additional ES instance add the secret as follows:

```yaml
brig:
secrets:
elasticsearchAdditional:
username: elastic
password: changeme
```
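--- a/libs/types-common/src/Data/Credentials.hs
+++ b/libs/types-common/src/Data/Credentials.hs
@@ -0,0 +1,31 @@
+-- This file is part of the Wire Server implementation.
+--
+-- Copyright (C) 2024 Wire Swiss GmbH <opensource@wire.com>
+--
+-- This program is free software: you can redistribute it and/or modify it under
+-- the terms of the GNU Affero General Public License as published by the Free
+-- Software Foundation, either version 3 of the License, or (at your option) any
+-- later version.
+--
+-- This program is distributed in the hope that it will be useful, but WITHOUT
+-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+-- details.
+--
+-- You should have received a copy of the GNU Affero General Public License along
+-- with this program. If not, see <https://www.gnu.org/licenses/>.
+
+module Data.Credentials where
+
+import Data.Aeson (FromJSON)
+import Data.Text
+import Imports
+
+-- | Generic credentials for authenticating a user. Usually used for deserializing from a secret yaml file.
+data Credentials = Credentials
+  { username :: Text,
+    password :: Text
+  }
+  deriving stock (Generic)
+
+instance FromJSON Credentials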
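Review bot: `import Data.Text` brings the whole module into scope unqualified although only the `Text` type is used, and its list-like functions shadow or clash with what `Imports` already exports; make it `import Data.Text (Text)`. The type deliberately derives only `Generic` and no `Show`, which is the right call for a record holding a password, but that intent should be stated so nobody adds `Show` later: `-- No 'Show' instance on purpose: a 'Credentials' value (and its password) must never reach logs or error messages.` Strict fields (`!Text`) would also match the usual convention for a plain record, though nothing visible here depends on it.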
7 changes: 6 additions & 1 deletion libs/types-common/src/Util/Options.hs
Expand Up @@ -79,7 +79,12 @@ urlPort u = do
makeLenses ''AWSEndpoint

newtype FilePathSecrets = FilePathSecrets FilePath
deriving (Eq, Show, FromJSON)
deriving (Eq, Show, FromJSON, IsString)

initCredentials :: (FromJSON a) => FilePathSecrets -> IO a
initCredentials secretFile = do
dat <- loadSecret secretFile
pure $ either (\e -> error $ "Could not load secrets from " ++ show secretFile ++ ": " ++ e) id dat

loadSecret :: FromJSON a => FilePathSecrets -> IO (Either String a)
loadSecret (FilePathSecrets p) = do
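Review bot: `initCredentials` fails lazily: `pure $ either (\e -> error …) id dat` returns a thunk, so a missing or malformed secrets file is only reported when the value is first forced, which in brig appears to be inside the ES request hook long after `newEnv` has returned, rather than at startup where the `for … initCredentials` calls sit. Raising the failure in `IO` fixes that and removes the `error` call: `initCredentials secretFile = loadSecret secretFile >>= either (\e -> fail $ "Could not load secrets from " ++ show secretFile ++ ": " ++ e) pure` (use `throwIO . ErrorCall` instead of `fail` if some caller relies on catching `ErrorCall`). The `loadSecret` definition that follows starts in this hunk but its body ends outside it.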
1 change: 1 addition & 0 deletions libs/types-common/types-common.cabal
Expand Up @@ -15,6 +15,7 @@ library
exposed-modules:
Data.Code
Data.CommaSeparatedList
Data.Credentials
Data.Domain
Data.ETag
Data.Handle
2 changes: 2 additions & 0 deletions services/brig/brig.integration.yaml
Expand Up @@ -216,6 +216,8 @@ optSettings:
setOAuthEnabled: true
setOAuthRefreshTokenExpirationTimeSecs: 14515200 # 24 weeks
setOAuthMaxActiveRefreshTokens: 10
setElasticsearchCredentials: test/resources/elasticsearch-credentials.yaml
setElasticsearchAdditionalCredentials: test/resources/elasticsearch-credentials.yaml

logLevel: Warn
logNetStrings: false
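Review bot: Both `setElasticsearchCredentials` and `setElasticsearchAdditionalCredentials` point at the same fixture, so the integration run never exercises distinct credentials for the additional write index, and the path is relative to brig's working directory (the Makefile refers to the same file as `./services/brig/test/resources/…`, so it is presumably resolved from `services/brig`). A short comment would spare the next reader the lookup: `# resolved relative to services/brig; one fixture serves both indices in CI`.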
25 changes: 12 additions & 13 deletions services/brig/src/Brig/App.hs
Expand Up @@ -96,7 +96,7 @@ import Bilge.IO
import Bilge.RPC (HasRequestId (..))
import Brig.AWS qualified as AWS
import Brig.Calling qualified as Calling
import Brig.Options (Opts, Settings)
import Brig.Options (Opts, Settings (..))
import Brig.Options qualified as Opt
import Brig.Provider.Template
import Brig.Queue.Stomp qualified as Stomp
Expand All @@ -118,6 +118,7 @@ import Control.Lens hiding (index, (.=))
import Control.Monad.Catch
import Control.Monad.Trans.Resource
import Data.ByteString.Conversion
import Data.Credentials (Credentials (..))
import Data.Domain
import Data.Metrics (Metrics)
import Data.Metrics.Middleware qualified as Metrics
Expand All @@ -128,7 +129,6 @@ import Data.Text.Encoding (encodeUtf8)
import Data.Text.Encoding qualified as Text
import Data.Text.IO qualified as Text
import Data.Time.Clock
import Data.Yaml (FromJSON)
import Database.Bloodhound qualified as ES
import HTTP2.Client.Manager (Http2Manager, http2ManagerWithSSLCtx)
import Imports
Expand Down Expand Up @@ -259,6 +259,8 @@ newEnv o = do
kpLock <- newMVar ()
rabbitChan <- traverse (Q.mkRabbitMqChannelMVar lgr) o.rabbitmq
let allDisabledVersions = foldMap expandVersionExp (Opt.setDisabledAPIVersions sett)
mEsCreds <- for (Opt.setElasticsearchCredentials sett) initCredentials
mEsAddCreds <- for (Opt.setElasticsearchAdditionalCredentials sett) initCredentials

pure $!
Env
Expand Down Expand Up @@ -294,7 +296,7 @@ newEnv o = do
_zauthEnv = zau,
_digestMD5 = md5,
_digestSHA256 = sha256,
_indexEnv = mkIndexEnv o lgr mgr mtr (Opt.galley o),
_indexEnv = mkIndexEnv o lgr mgr mtr mEsCreds mEsAddCreds (Opt.galley o),
_randomPrekeyLocalLock = prekeyLocalLock,
_keyPackageLocalLock = kpLock,
_rabbitmqChannel = rabbitChan,
Expand All @@ -313,14 +315,16 @@ newEnv o = do
pure (Nothing, Just smtp)
mkEndpoint service = RPC.host (encodeUtf8 (service ^. host)) . RPC.port (service ^. port) $ RPC.empty

mkIndexEnv :: Opts -> Logger -> Manager -> Metrics -> Endpoint -> IndexEnv
mkIndexEnv o lgr mgr mtr galleyEp =
let bhe = ES.mkBHEnv (ES.Server (Opt.url (Opt.elasticsearch o))) mgr
mkIndexEnv :: Opts -> Logger -> Manager -> Metrics -> Maybe Credentials -> Maybe Credentials -> Endpoint -> IndexEnv
mkIndexEnv o lgr mgr mtr mCreds mAddCreds galleyEp =
let mkBhe url mcs =
let bhe = ES.mkBHEnv (ES.Server url) mgr
in maybe bhe (\creds -> bhe {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername creds.username) (ES.EsPassword creds.password)}) mcs
lgr' = Log.clone (Just "index.brig") lgr
mainIndex = ES.IndexName $ Opt.index (Opt.elasticsearch o)
additionalIndex = ES.IndexName <$> Opt.additionalWriteIndex (Opt.elasticsearch o)
additionalBhe = flip ES.mkBHEnv mgr . ES.Server <$> Opt.additionalWriteIndexUrl (Opt.elasticsearch o)
in IndexEnv mtr lgr' bhe Nothing mainIndex additionalIndex additionalBhe galleyEp mgr
additionalBhe = flip mkBhe mAddCreds <$> Opt.additionalWriteIndexUrl (Opt.elasticsearch o)
in IndexEnv mtr lgr' (mkBhe (Opt.url (Opt.elasticsearch o)) mCreds) Nothing mainIndex additionalIndex additionalBhe galleyEp mgr

initZAuth :: Opts -> IO ZAuth.Env
initZAuth o = do
Expand Down Expand Up @@ -409,11 +413,6 @@ initCassandra o g =
(Just schemaVersion)
g

initCredentials :: (FromJSON a) => FilePathSecrets -> IO a
initCredentials secretFile = do
dat <- loadSecret secretFile
pure $ either (\e -> error $ "Could not load secrets from " ++ show secretFile ++ ": " ++ e) id dat

userTemplates :: (MonadReader Env m) => Maybe Locale -> m (Locale, UserTemplates)
userTemplates l = forLocale l <$> view usrTemplates

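Review bot: The `mkBhe` helper inside `mkIndexEnv` (build the `ES.BHEnv`, then install `ES.basicAuthHook` from a `Maybe Credentials`) is duplicated almost token for token by `initES` in `services/brig/src/Brig/Index/Eval.hs` in this same PR, and the two copies will drift the next time the auth scheme changes. Extract one shared, documented function that both call, for instance next to `Credentials` or in a small Brig ES utility module, and have `mkIndexEnv` use it for both the main and the additional index. The `mkIndexEnv` signature could also be broken across lines; at roughly 140 columns the type is hard to read.
```haskell
-- | Build a Bloodhound environment for @server@, adding HTTP basic auth when credentials are given.
-- Shared by 'mkIndexEnv' (Brig.App) and 'initES' (Brig.Index.Eval).
mkBHEnvWithCreds :: ES.Server -> Manager -> Maybe Credentials -> ES.BHEnv
mkBHEnvWithCreds server mgr mCreds =
  let bhe = ES.mkBHEnv server mgr
   in maybe bhe (\creds -> bhe {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername creds.username) (ES.EsPassword creds.password)}) mCreds
```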
38 changes: 25 additions & 13 deletions services/brig/src/Brig/Index/Eval.hs
Expand Up @@ -32,37 +32,45 @@ import Control.Monad.Catch
import Control.Retry
import Data.Aeson (FromJSON)
import Data.Aeson qualified as Aeson
import Data.Credentials (Credentials (..))
import Data.Metrics qualified as Metrics
import Database.Bloodhound qualified as ES
import Imports
import Network.HTTP.Client as HTTP
import System.Logger qualified as Log
import System.Logger.Class (Logger, MonadLogger (..))
import Util.Options (initCredentials)

runCommand :: Logger -> Command -> IO ()
runCommand l = \case
Create es galley -> do
e <- initIndex es galley
mCreds <- for (es ^. esCredentials) initCredentials
e <- initIndex es mCreds galley
runIndexIO e $ createIndexIfNotPresent (mkCreateIndexSettings es)
Reset es galley -> do
e <- initIndex es galley
mCreds <- for (es ^. esCredentials) initCredentials
e <- initIndex es mCreds galley
runIndexIO e $ resetIndex (mkCreateIndexSettings es)
Reindex es cas galley -> do
e <- initIndex es galley
mCreds <- for (es ^. esCredentials) initCredentials
e <- initIndex es mCreds galley
c <- initDb cas
runReindexIO e c reindexAll
ReindexSameOrNewer es cas galley -> do
e <- initIndex es galley
mCreds <- for (es ^. esCredentials) initCredentials
e <- initIndex es mCreds galley
c <- initDb cas
runReindexIO e c reindexAllIfSameOrNewer
UpdateMapping esURI indexName galley -> do
e <- initIndex' esURI indexName galley
UpdateMapping esURI indexName mSecretPath galley -> do
mCreds <- for mSecretPath initCredentials
e <- initIndex' esURI indexName mCreds galley
runIndexIO e updateMapping
Migrate es cas galley -> do
migrate l es cas galley
ReindexFromAnotherIndex reindexSettings -> do
mgr <- newManager defaultManagerSettings
let bhEnv = initES (view reindexEsServer reindexSettings) mgr
mCreds <- for (view reindexCredentials reindexSettings) initCredentials
let bhEnv = initES (view reindexEsServer reindexSettings) mgr mCreds
ES.runBH bhEnv $ do
let src = view reindexSrcIndex reindexSettings
dest = view reindexDestIndex reindexSettings
Expand All @@ -85,22 +93,26 @@ runCommand l = \case
waitForTaskToComplete @ES.ReindexResponse timeoutSeconds taskNodeId
Log.info l $ Log.msg ("Finished reindexing" :: ByteString)
where
initIndex es gly =
initIndex' (es ^. esServer) (es ^. esIndex) gly
initIndex' esURI indexName galleyEndpoint = do
initIndex es mCreds gly =
initIndex' (es ^. esServer) (es ^. esIndex) mCreds gly

initIndex' esURI indexName mCreds galleyEndpoint = do
mgr <- newManager defaultManagerSettings
IndexEnv
<$> Metrics.metrics
<*> pure l
<*> pure (initES esURI mgr)
<*> pure (initES esURI mgr mCreds)
<*> pure Nothing
<*> pure indexName
<*> pure Nothing
<*> pure Nothing
<*> pure galleyEndpoint
<*> pure mgr
initES esURI mgr =
ES.mkBHEnv (toESServer esURI) mgr

initES esURI mgr mCreds =
let env = ES.mkBHEnv (toESServer esURI) mgr
in maybe env (\(creds :: Credentials) -> env {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername creds.username) (ES.EsPassword creds.password)}) mCreds

initDb cas = defInitCassandra (toCassandraOpts cas) l

waitForTaskToComplete :: forall a m. (ES.MonadBH m, MonadThrow m, FromJSON a) => Int -> ES.TaskNodeId -> m ()
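Review bot: The pair `mCreds <- for (es ^. esCredentials) initCredentials` / `e <- initIndex es mCreds galley` is repeated verbatim in the Create, Reset, Reindex and ReindexSameOrNewer branches of `runCommand`; since `initIndex` already receives `es`, it can load the credentials itself and the four call sites stay `e <- initIndex es galley` as before: `initIndex es gly = do { mCreds <- for (es ^. esCredentials) initCredentials; initIndex' (es ^. esServer) (es ^. esIndex) mCreds gly }`. The `Migrate` branch passes no credentials here, so presumably `migrate` reads `esCredentials` on its own; that code is not in this diff. `initES` also duplicates the hook construction in `mkIndexEnv` of `Brig/App.hs`, which is noted on that file.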