HPCC-32968 Add ElasticSearch server security configuration values #19310
Conversation
|
Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-32698 Jirabot Action Result: |
b145e1b to
20b4ea5
Compare
20b4ea5 to
625b88f
Compare
helm/examples/metrics/README.md
Outdated
|
|
||
| **Authentication** | ||
|
|
||
| A child of the host configuration where authentication settings are defined. The settings are: |
There was a problem hiding this comment.
it's not clear if the authentication section is required or optional. It seems the type is optional, but if authentication is provided, the type seems necessary.
There was a problem hiding this comment.
Added wording to indicate it's optional
helm/examples/metrics/README.md
Outdated
| A child of the host configuration where authentication settings are defined. The settings are: | ||
|
|
||
| * type - Authentication type used to connect to the ElasticSearch server. Value defines the remaining settings. | ||
| The allowed values are (optional) |
There was a problem hiding this comment.
based on above comment, type should be required if authentication is specified. otherwise if authentication is required, there should be a none option here
There was a problem hiding this comment.
Changed wording to indicate that type is required
|
|
||
| // Get authentication settings, if present | ||
| Owned<IPropertyTree> pAuthConfigTree = pSettingsTree->getPropTree("authentication"); | ||
| if (pAuthConfigTree) |
There was a problem hiding this comment.
if !pAuthConfigTree could be handled the same way pAuthConfigTree handles it in L153
There was a problem hiding this comment.
If the tree is null, then no processing is needed. It seemed easier to read the positive case where the tree exists
There was a problem hiding this comment.
in terms of readability, returning false if !pAuthConfigTree is easier to read. as it stands, we don't know how that case is handled until the end of the if block
There was a problem hiding this comment.
I changed and pushed a new commit. However, if the auth config tree is missing, true is returned, not false since it's not an error.
| if (secretTree == nullptr) | ||
| { | ||
| WARNLOG("ElasticMetricSink: Unable to load secret tree '%s', from vault '%s'", credentialsSecretKey.str(), | ||
| !credentialsVaultId.isEmpty() ? credentialsVaultId.str() : "n/a"); |
There was a problem hiding this comment.
the n/a seems fine, but it seems to differ from other similar cases where and empty string is provided in the output.
There was a problem hiding this comment.
I felt that an empty string was not sufficient because it required knowledge that absence of a value implies that no vault ID was provided. It could be confusing. Using "n/a" tells the user that the vault ID is not applicable.
There was a problem hiding this comment.
IF the error is that the vault id is empty, the single quoted empty string is most appropriate.
Update:
Unless, you're saying the vaultID doesn't matter in this scenario
There was a problem hiding this comment.
Absence of a vault ID is not an error. Absence of username and/or password is the error. The vault ID is informational to tell the user if attempting to retrieve from a vault (and which vault of course)
There was a problem hiding this comment.
ok, that seems more confusing to me. I wish we had a usability team to weigh in on these types of issues developers are typically not the best to judge.
There was a problem hiding this comment.
The API to retrieve the secret has an optional vault parameter. If present, the secret is retrieved from the vault. If absent, the secret is treated as a regular Kubernetes secret. Two different APIs would have been better. So, the vault is included in the log message to indicate if the retrieval was from a vault or not, 'n/a' in the latter case.
d80deec to
b4abfb1
Compare
|
@rpastrana I have amended the last commit with changes as discussed. |
|
@ghalliday Please merge |
b4abfb1 to
6566d44
Compare
helm/examples/metrics/README.md
Outdated
| <Environment> | ||
| <Software> | ||
| <metrics name="mymetricsconfig"> | ||
| <sinks name="myelasticsink" type="elastic"> | ||
| <settings period="30" ignoreZeroMetrics="1"> | ||
| <host name="<hostname>" port="<port>" protocol="http|htps"/> | ||
| <host domain="<domainname>" port="<port>" protocol="http|htps"> |
| # settings.host.authentication - authentication settings if authentication is enabled (optional) | ||
| # settings.host.authentication.type - authentication type (determines remaining settings) (only 'basic' is supported) | ||
| # settings.host.authentication.username - username for basic authentication (if not stored in a secret) | ||
| # settings.host.authentication.password - password for basic authentication (if not stored in a secret) |
There was a problem hiding this comment.
Why is this supported? The password would be accessible in plain test.
There was a problem hiding this comment.
The code treats the password as encrypted using the same mechanism as when read from the environment.xml. If you feel the containerized version should always have the value in a secret then I can remove it. Should it be decided it can be provided directly, I updated the comment to reflect that it is encrypted.
Please advise if it should be removed in favor of always being a secret (see comment below on always loading as a secret)
| # settings.host.authentication.username - username for basic authentication (if not stored in a secret) | ||
| # settings.host.authentication.password - password for basic authentication (if not stored in a secret) | ||
| # settings.host.authentication.credentialsSecret - name of secret containing username and password for basic authentication | ||
| # settings.host.authentication.credentialsVaultId - vault id for secret containing username password for basic authentication |
| } | ||
| else | ||
| { | ||
| WARNLOG("ElasticMetricSink: Host configuration missing or invalid"); | ||
| // if basic auth, username and password are stored directly in the configuration |
There was a problem hiding this comment.
should require configuration via a secret
There was a problem hiding this comment.
If a secret is required for the username and password, how would that work in a bare metal environment? Is it possible to load secrets for bare metal?
There was a problem hiding this comment.
Yes secrets can be supplied in bare-metal environments, either by placing a file in the correct directory, or by using hashicorp vault.
Added new configuration values for ElasticSearch server security Signed-Off-By: Kenneth Rowland [email protected]
a90db54 to
400d590
Compare
|
@ghalliday squashed. Please merge |
Added new configuration values for ElasticSearch server security
Signed-Off-By: Kenneth Rowland [email protected]
Type of change:
Checklist:
Smoketest:
Testing: