Encode API key as base64 in common code #18945
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Steps errorsExpand to view the steps failures
|
|
From my checking, the APM Server code is not directly calling |
ycombinator
added
bug
Team:Services
|
Pinging @elastic/integrations-services (Team:Services) |
ycombinator
added
[zube]: In Review
needs_backport
|
Thanks for the ping, the APM Server will not be affected by this change. |
| @@ -436,7 +437,8 @@ func (conn *Connection) execHTTPRequest(req *http.Request) (int, []byte, error) | |||
| } | |||
|
|
|||
| if conn.APIKey != "" { | |||
| req.Header.Add("Authorization", "ApiKey "+conn.APIKey) | |||
| encoded := base64.StdEncoding.EncodeToString([]byte(conn.APIKey)) | |||
| req.Header.Add("Authorization", "ApiKey "+encoded) | |||
There was a problem hiding this comment.
would it make sense to cache the result in a private variable like conn.encodedAPIKey ?
There was a problem hiding this comment.
Yes, it would. No need to encode it each time we make a request to ES. Thanks for the suggestion, will implement!
There was a problem hiding this comment.
Done in c3e5b43.
| @@ -75,6 +76,8 @@ type ConnectionSettings struct { | |||
|
|
|||
| Timeout time.Duration | |||
| IdleConnTimeout time.Duration | |||
|
|
|||
| encodedAPIKey string // Base64-encoded API key | |||
There was a problem hiding this comment.
Maybe we want to move the field to Connection ?
There was a problem hiding this comment.
Sure, I guess because you want to keep ConnectionSettings just as the public settings API?
There was a problem hiding this comment.
Done in dc4e921.
There was a problem hiding this comment.
Sure, I guess because you want to keep ConnectionSettings just as the public settings API?
yep.
|
On a related not I think our Beat docs are not clear on the expected format for the From elasticsearch output:
|
|
Thanks for pointing that out, @andrewkroh. I agree that the example value in the doc is incorrect (it looks already base64-encoded). I will add the doc update to this PR. |
|
Documentation for |
| @@ -37,13 +37,14 @@ output.elasticsearch: | |||
| password: "{pwd}" | |||
| ------------------------------------------------------------------------------ | |||
|
|
|||
| To use an API key to connect to {es}, use `api_key`. | |||
| To use an API key to connect to {es}, use `api_key`. The value must be the ID of | |||
| the API key and the API key joined by a colon. | |||
There was a problem hiding this comment.
This info would be good down on line 137 with the api_key.
There was a problem hiding this comment.
Done in 42d288616.
| if conn.APIKey != "" { | ||
| req.Header.Add("Authorization", "ApiKey "+conn.APIKey) | ||
| if conn.encodedAPIKey != "" { | ||
| req.Header.Add("Authorization", "ApiKey "+conn.encodedAPIKey) |
There was a problem hiding this comment.
nit: We still have an unnecessary alloc + copy here. If we initialize encodedAPIKey = "ApiKey " + ..., then we can just pass it to Header as is.
There was a problem hiding this comment.
Changed in 47c9aacaaa04e9cc1e304d517144386a77483e02.
ycombinator
force-pushed
the
lb-mon-es-b64
branch
from
47c9aac
to
9982b8d
Compare
* Encode API key as base64 in common code * Adding comment on API key field * Adding CHANGELOG entries * Adding test * Base64-encode API key in constructor * Move encodedAPIKey field to Connection * Update doc on `api_key` setting value * Adding API key format to setting section * Compute entire API key auth header value up front
* Encode API key as base64 in common code * Adding comment on API key field * Adding CHANGELOG entries * Adding test * Base64-encode API key in constructor * Move encodedAPIKey field to Connection * Update doc on `api_key` setting value * Adding API key format to setting section * Compute entire API key auth header value up front
* Encode API key as base64 in common code * Adding comment on API key field * Adding CHANGELOG entries * Adding test * Base64-encode API key in constructor * Move encodedAPIKey field to Connection * Update doc on `api_key` setting value * Adding API key format to setting section * Compute entire API key auth header value up front
What does this PR do?
Encodes the API key supplied to the Elasticsearch client with base64 encoding right before setting it in the
Authorizationrequest header.Why is it important?
The Elasticsearch client is shared by the Elasticsearch output as well as the Elasticsearch monitoring reporter. Rather than base64-encoding the API key in each of these places, it is better to base64-encode it within the client code itself.
In fact, prior to this PR, we were base64-encoding the key in the Elasticsearch output but not in the Elasticsearch monitoring reporter.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Related issues