Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixed "Using Client Certificate for Elastic Search Authentication" #1139

Merged
merged 7 commits into from
Nov 9, 2018
Merged

Fixed "Using Client Certificate for Elastic Search Authentication" #1139

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
1786537
Fixed https://github.com/jaegertracing/jaeger/issues/678
clyang82 Oct 25, 2018
cb7fc0c
Fixed https://github.com/jaegertracing/jaeger/issues/678
clyang82 Oct 25, 2018
cb489f0
address review comments
clyang82 Oct 26, 2018
e299315
address review comments
clyang82 Oct 31, 2018
b915241
support timeout for non-tls-enabled case
clyang82 Nov 2, 2018
9b0050e
change method name
clyang82 Nov 5, 2018
1fe7a51
Merge branch 'master' into es-client-certificate
yurishkuro Nov 9, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
address review comments 
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
  • Loading branch information
@clyang82
clyang82 committed Nov 5, 2018
commit cb489f0ebe890b10b2e6c752412d2201176afcef
45 changes: 21 additions & 24 deletions pkg/es/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,11 +50,11 @@ type Configuration struct {
TagsFilePath string
AllTagsAsFields bool
TagDotReplacement string
TLS TLS
TLS TLSConfig
}

// TLS Config
type TLS struct {
// TLSConfig describes the configuration properties to connect tls enabled ElasticSearch cluster
type TLSConfig struct {
Enabled bool
CertPath string
KeyPath string
Expand Down Expand Up @@ -203,37 +203,34 @@ func (c *Configuration) GetTagDotReplacement() string {

// GetConfigs wraps the configs to feed to the ElasticSearch client init
func (c *Configuration) GetConfigs(logger *zap.Logger) []elastic.ClientOptionFunc {
options := make([]elastic.ClientOptionFunc, 3)
options := make([]elastic.ClientOptionFunc, 0)
options = append(options, elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can combine

options := []elastic.ClientOptionFunc{ elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer) }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

if c.TLS.Enabled {
tlsConfig, err := c.CreateTLSConfig(logger)
ctlsConfig, err := c.TLS.createTLSConfig(logger)
if err != nil {
return nil
}
httpClient := &http.Client{
Timeout: c.Timeout,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like this is something extra, but I think it's ok to have it here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only being applied when TLS is enabled. Can you make it available for every case?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pavolloffay Yes. This is only being applied for httpclient which is being used by TLS case. I cannot find where to add for every case. we use BulkProcessorService which allows to easily process bulk requests. There is no interface to set timeout. Could you point me out more specifically? Thanks.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the driver does not use the client when tls is disabled?

Something like this would not work?

// GetConfigs wraps the configs to feed to the ElasticSearch client init
func (c *Configuration) GetConfigs(logger *zap.Logger) []elastic.ClientOptionFunc {
	options := []elastic.ClientOptionFunc{elastic.SetURL(c.Servers...), elastic.SetSniff(c.Sniffer)}
	httpClient := &http.Client{
		Timeout: c.Timeout,
	}
	if c.TLS.Enabled {
		ctlsConfig, err := c.TLS.createTLSConfig(logger)
		if err != nil {
			return nil
		}
		httpClient.Transport = &http.Transport{
			TLSClientConfig:ctlsConfig,
		}
	} else {
		options = append(options, elastic.SetBasicAuth(c.Username, c.Password))
	}
	options = append(options, elastic.SetHttpClient(httpClient))
	return options
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for elastic v5, if no HttpClient is configured, then http.DefaultClient is used. so your suggestion should be working. I will have a test later. Thanks.

Transport: &http.Transport{
TLSClientConfig: tlsConfig,
TLSClientConfig: ctlsConfig,
},
}
options[0] = elastic.SetHttpClient(httpClient)
options[1] = elastic.SetURL(c.Servers...)
options[2] = elastic.SetSniff(c.Sniffer)
return options
options = append(options, elastic.SetHttpClient(httpClient))
} else {
options = append(options, elastic.SetBasicAuth(c.Username, c.Password))
}
clyang82 marked this conversation as resolved.
Show resolved Hide resolved
options[0] = elastic.SetURL(c.Servers...)
options[1] = elastic.SetBasicAuth(c.Username, c.Password)
options[2] = elastic.SetSniff(c.Sniffer)
return options
}

// CreateTLSConfig creates TLS Configuration to connect with ES Cluster.
func (c *Configuration) CreateTLSConfig(logger *zap.Logger) (*tls.Config, error) {
rootCerts, err := c.LoadCertificatesFrom()
// createTLSConfig creates TLS Configuration to connect with ES Cluster.
func (tlsConfig *TLSConfig) createTLSConfig(logger *zap.Logger) (*tls.Config, error) {
rootCerts, err := tlsConfig.loadCertificate()
if err != nil {
logger.Fatal("Couldn't load root certificate", zap.Error(err))
clyang82 marked this conversation as resolved.
Show resolved Hide resolved
}
if len(c.TLS.CertPath) > 0 && len(c.TLS.KeyPath) > 0 {
clientPrivateKey, err := c.LoadPrivateKeyFrom()
if len(tlsConfig.CertPath) > 0 && len(tlsConfig.KeyPath) > 0 {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this check needed? If it fails you return nil, so shouldn't it be an error to set c.TLS.Enabled and not provide the other 3 params?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed

clientPrivateKey, err := tlsConfig.loadPrivateKeyFrom()
if err != nil {
logger.Fatal("Couldn't setup client authentication", zap.Error(err))
}
Expand All @@ -245,9 +242,9 @@ func (c *Configuration) CreateTLSConfig(logger *zap.Logger) (*tls.Config, error)
return nil, err
}

// LoadCertificatesFrom is used to load root certification
func (c *Configuration) LoadCertificatesFrom() (*x509.CertPool, error) {
caCert, err := ioutil.ReadFile(c.TLS.CaPath)
// loadCertificate is used to load root certification
func (tlsConfig *TLSConfig) loadCertificate() (*x509.CertPool, error) {
caCert, err := ioutil.ReadFile(tlsConfig.CaPath)
if err != nil {
return nil, err
}
Expand All @@ -256,9 +253,9 @@ func (c *Configuration) LoadCertificatesFrom() (*x509.CertPool, error) {
return certificates, nil
}

// LoadPrivateKeyFrom is used to load the private certificate and key for TLS
func (c *Configuration) LoadPrivateKeyFrom() (*tls.Certificate, error) {
privateKey, err := tls.LoadX509KeyPair(c.TLS.CertPath, c.TLS.KeyPath)
// loadPrivateKeyFrom is used to load the private certificate and key for TLS
func (tlsConfig *TLSConfig) loadPrivateKeyFrom() (*tls.Certificate, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: remove "From" suffix

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

privateKey, err := tls.LoadX509KeyPair(tlsConfig.CertPath, tlsConfig.KeyPath)
if err != nil {
return nil, err
}
Expand Down