Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HPCC-32968 Add ElasticSearch server security configuration values #19310

Merged
merged 1 commit into from
Dec 18, 2024

Conversation

kenrowland
Copy link
Contributor

@kenrowland kenrowland commented Nov 21, 2024

Added new configuration values for ElasticSearch server security

Signed-Off-By: Kenneth Rowland [email protected]

Type of change:

  • This change is a bug fix (non-breaking change which fixes an issue).
  • This change is a new feature (non-breaking change which adds functionality).
  • This change improves the code (refactor or other change that does not change the functionality)
  • This change fixes warnings (the fix does not alter the functionality or the generated code)
  • This change is a breaking change (fix or feature that will cause existing behavior to change).
  • This change alters the query API (existing queries will have to be recompiled)

Checklist:

  • My code follows the code style of this project.
    • My code does not create any new warnings from compiler, build system, or lint.
  • The commit message is properly formatted and free of typos.
    • The commit message title makes sense in a changelog, by itself.
    • The commit is signed.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly, or...
    • I have created a JIRA ticket to update the documentation.
    • Any new interfaces or exported functions are appropriately commented.
  • I have read the CONTRIBUTORS document.
  • The change has been fully tested:
    • I have added tests to cover my changes.
    • All new and existing tests passed.
    • I have checked that this change does not introduce memory leaks.
    • I have used Valgrind or similar tools to check for potential issues.
  • I have given due consideration to all of the following potential concerns:
    • Scalability
    • Performance
    • Security
    • Thread-safety
    • Cloud-compatibility
    • Premature optimization
    • Existing deployed queries will not be broken
    • This change fixes the problem, not just the symptom
    • The target branch of this pull request is appropriate for such a change.
  • There are no similar instances of the same problem that should be addressed
    • I have addressed them here
    • I have raised JIRA issues to address them separately
  • This is a user interface / front-end modification
    • I have tested my changes in multiple modern browsers
    • The component(s) render as expected

Smoketest:

  • Send notifications about my Pull Request position in Smoketest queue.
  • Test my draft Pull Request.

Testing:

Copy link

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-32698

Jirabot Action Result:
Changing assignee from: [email protected] to: [email protected]
Workflow Transition To: Merge Pending
Additional PR: #19310

@kenrowland kenrowland changed the title HPCC-32698 Add ElasticSearch server security configuration values HPCC-32968 Add ElasticSearch server security configuration values Nov 21, 2024
@kenrowland kenrowland requested a review from rpastrana November 22, 2024 14:59
Copy link
Member

@rpastrana rpastrana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


**Authentication**

A child of the host configuration where authentication settings are defined. The settings are:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's not clear if the authentication section is required or optional. It seems the type is optional, but if authentication is provided, the type seems necessary.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added wording to indicate it's optional

A child of the host configuration where authentication settings are defined. The settings are:

* type - Authentication type used to connect to the ElasticSearch server. Value defines the remaining settings.
The allowed values are (optional)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

based on above comment, type should be required if authentication is specified. otherwise if authentication is required, there should be a none option here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed wording to indicate that type is required


// Get authentication settings, if present
Owned<IPropertyTree> pAuthConfigTree = pSettingsTree->getPropTree("authentication");
if (pAuthConfigTree)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if !pAuthConfigTree could be handled the same way pAuthConfigTree handles it in L153

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the tree is null, then no processing is needed. It seemed easier to read the positive case where the tree exists

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in terms of readability, returning false if !pAuthConfigTree is easier to read. as it stands, we don't know how that case is handled until the end of the if block

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed and pushed a new commit. However, if the auth config tree is missing, true is returned, not false since it's not an error.

system/metrics/sinks/elastic/elasticSink.cpp Outdated Show resolved Hide resolved
system/metrics/sinks/elastic/elasticSink.cpp Outdated Show resolved Hide resolved
if (secretTree == nullptr)
{
WARNLOG("ElasticMetricSink: Unable to load secret tree '%s', from vault '%s'", credentialsSecretKey.str(),
!credentialsVaultId.isEmpty() ? credentialsVaultId.str() : "n/a");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the n/a seems fine, but it seems to differ from other similar cases where and empty string is provided in the output.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I felt that an empty string was not sufficient because it required knowledge that absence of a value implies that no vault ID was provided. It could be confusing. Using "n/a" tells the user that the vault ID is not applicable.

Copy link
Member

@rpastrana rpastrana Dec 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IF the error is that the vault id is empty, the single quoted empty string is most appropriate.
Update:
Unless, you're saying the vaultID doesn't matter in this scenario

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Absence of a vault ID is not an error. Absence of username and/or password is the error. The vault ID is informational to tell the user if attempting to retrieve from a vault (and which vault of course)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, that seems more confusing to me. I wish we had a usability team to weigh in on these types of issues developers are typically not the best to judge.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The API to retrieve the secret has an optional vault parameter. If present, the secret is retrieved from the vault. If absent, the secret is treated as a regular Kubernetes secret. Two different APIs would have been better. So, the vault is included in the log message to indicate if the retrieval was from a vault or not, 'n/a' in the latter case.

system/metrics/sinks/elastic/elasticSink.cpp Outdated Show resolved Hide resolved
system/metrics/sinks/elastic/elasticSink.cpp Show resolved Hide resolved
@kenrowland
Copy link
Contributor Author

@rpastrana I have amended the last commit with changes as discussed.

Copy link
Member

@rpastrana rpastrana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems ok

@kenrowland
Copy link
Contributor Author

@ghalliday Please merge

Copy link
Member

@ghalliday ghalliday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of trivial comments. Main question is whether passwords provided in the configuration file should be supported at all. There is a danger of promoting bad practices.

<Environment>
<Software>
<metrics name="mymetricsconfig">
<sinks name="myelasticsink" type="elastic">
<settings period="30" ignoreZeroMetrics="1">
<host name="<hostname>" port="<port>" protocol="http|htps"/>
<host domain="<domainname>" port="<port>" protocol="http|htps">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

# settings.host.authentication - authentication settings if authentication is enabled (optional)
# settings.host.authentication.type - authentication type (determines remaining settings) (only 'basic' is supported)
# settings.host.authentication.username - username for basic authentication (if not stored in a secret)
# settings.host.authentication.password - password for basic authentication (if not stored in a secret)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this supported? The password would be accessible in plain test.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code treats the password as encrypted using the same mechanism as when read from the environment.xml. If you feel the containerized version should always have the value in a secret then I can remove it. Should it be decided it can be provided directly, I updated the comment to reflect that it is encrypted.

Please advise if it should be removed in favor of always being a secret (see comment below on always loading as a secret)

# settings.host.authentication.username - username for basic authentication (if not stored in a secret)
# settings.host.authentication.password - password for basic authentication (if not stored in a secret)
# settings.host.authentication.credentialsSecret - name of secret containing username and password for basic authentication
# settings.host.authentication.credentialsVaultId - vault id for secret containing username password for basic authentication
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

optional.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added optional

}
else
{
WARNLOG("ElasticMetricSink: Host configuration missing or invalid");
// if basic auth, username and password are stored directly in the configuration
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should require configuration via a secret

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a secret is required for the username and password, how would that work in a bare metal environment? Is it possible to load secrets for bare metal?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes secrets can be supplied in bare-metal environments, either by placing a file in the correct directory, or by using hashicorp vault.

@kenrowland kenrowland requested a review from ghalliday December 9, 2024 19:17
Copy link
Member

@ghalliday ghalliday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please squash. I will merge as is, but in general we should not bee supporting passwords in configuration.

Added new configuration values for ElasticSearch server security

Signed-Off-By: Kenneth Rowland [email protected]
@kenrowland
Copy link
Contributor Author

@ghalliday squashed. Please merge

@ghalliday ghalliday merged commit aeeb2f8 into hpcc-systems:master Dec 18, 2024
47 of 50 checks passed
Copy link

Jirabot Action Result:
Added fix version: 9.10.0
Workflow Transition: 'Resolve issue'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants