[Fix #4280] Introduce new endpoint _plugins/_security/api/certificates #4299
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 tasks
willyborankin
changed the title
willyborankin
requested review from
DarshitChanpura,
RyanL1997,
cliu123,
cwperks,
peternied,
reta and
stephen-crawford
as code owners
willyborankin
force-pushed
the
certs-new-endpoint
branch
from
bb574e0 to
6808230
Compare
Member
DarshitChanpura
left a comment
DarshitChanpura
left a comment
There was a problem hiding this comment.
Took an initial pass. This approach looks great. Left some comments. I do see changes from #4252, was that accidental?
src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificatesNodesResponse.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificatesNodesResponse.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificatesActionType.java
Show resolved
Hide resolved
Collaborator
Author
|
willyborankin
force-pushed
the
certs-new-endpoint
branch
3 times, most recently
from
6b6502c to
67645ed
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4299 +/- ##
==========================================
- Coverage 66.02% 65.45% -0.57%
==========================================
Files 302 310 +8
Lines 21762 21986 +224
Branches 3523 3552 +29
==========================================
+ Hits 14368 14391 +23
- Misses 5626 5825 +199
- Partials 1768 1770 +2
|
willyborankin
force-pushed
the
certs-new-endpoint
branch
from
67645ed to
1a01482
Compare
Member
DarshitChanpura
left a comment
DarshitChanpura
left a comment
There was a problem hiding this comment.
Thank you for addressing all the comments @willyborankin . This looks close to me, left a few final comments from my end.
src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java
Show resolved
Hide resolved
src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
Show resolved
Hide resolved
src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
Outdated
Show resolved
Hide resolved
cwperks
reviewed
May 3, 2024
src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java
Show resolved
Hide resolved
cwperks
reviewed
May 3, 2024
src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java
Show resolved
Hide resolved
willyborankin
force-pushed
the
certs-new-endpoint
branch
5 times, most recently
from
09917ea to
2c07bfb
Compare
cwperks
reviewed
May 6, 2024
src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java
Show resolved
Hide resolved
cwperks
reviewed
May 6, 2024
src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java
Show resolved
Hide resolved
cwperks
previously approved these changes
May 7, 2024
DarshitChanpura
previously approved these changes
May 7, 2024
Collaborator
|
@willyborankin Great work! A couple of questions- what would the behavior be when-
|
Collaborator
Author
An example of failure response: {
"_nodes": {
"total": 5,
"successful": 1,
"failed": 4,
"failures": [
{
"type": "failed_node_exception",
"reason": "Failed node [meWIrv__T_-3_hR0AAAAAA]",
"node_id": "meWIrv__T_-3_hR0AAAAAA",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "some reason"
}
},
{
"type": "failed_node_exception",
"reason": "Failed node [ierwfAAAQAC_luT5_____w]",
"node_id": "ierwfAAAQAC_luT5_____w",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "some reason"
}
},
{
"type": "failed_node_exception",
"reason": "Failed node [tRcffAAAQACcRK-n_____w]",
"node_id": "tRcffAAAQACcRK-n_____w",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "some reason"
}
},
{
"type": "failed_node_exception",
"reason": "Failed node [sWODKwAAQACeoJxjAAAAAA]",
"node_id": "sWODKwAAQACeoJxjAAAAAA",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "some reason"
}
}
]
},
"cluster_name": "local_cluster_1",
"nodes": {
"YOYidQAAQACP5uIKAAAAAA" : {
"name" : "data_0",
"certificates" : {
"http" : [ {
"subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-3.example.com",
"san" : "[[8, 1.2.3.4.5.5], [2, node-3.example.com], [2, localhost], [7, 127.0.0.1]]",
"issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA",
"not_after" : "2025-04-28T09:23:47Z",
"not_before" : "2024-04-28T09:23:47Z"
} ],
"transport" : [ {
"subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-3.example.com",
"san" : "[[8, 1.2.3.4.5.5], [2, node-3.example.com], [2, localhost], [7, 127.0.0.1]]",
"issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA",
"not_after" : "2025-04-28T09:23:47Z",
"not_before" : "2024-04-28T09:23:47Z"
} ]
}
}
}
}
Same as above. |
willyborankin
force-pushed
the
certs-new-endpoint
branch
from
2c07bfb to
a0a89ba
Compare
Member
|
@shikharj05 Does @willyborankin's comment address your questions? Since we have 2 approvals we will be merging soon if there are no more questions. |
Collaborator
Thanks for the response @willyborankin. @DarshitChanpura - we should be good to merge, as we can see from the results above, the API doesn't fail in a mixed cluster. |
Member
|
@willyborankin Can you check the windows integration test CI failures once. They seem to be failing even after 3 retries. |
willyborankin
force-pushed
the
certs-new-endpoint
branch
from
a0a89ba to
00a0356
Compare
Collaborator
Author
|
Introduce 2 new endpoint:
`_plugins/_security/api/certificates`
`_plugins/_security/api/certificates/{nodeId}`
Query parameters:
- cert_type
- timeout
which provides information about SSL certificates for each node in the
cluster
Signed-off-by: Andrey Pleskach <ples@aiven.io>
willyborankin
dismissed stale reviews from DarshitChanpura and cwperks
via
9ab5e0c
willyborankin
force-pushed
the
certs-new-endpoint
branch
from
00a0356 to
9ab5e0c
Compare
DarshitChanpura
approved these changes
May 19, 2024
cwperks
approved these changes
May 21, 2024
willyborankin
pushed a commit
that referenced
this pull request
May 22, 2024
willyborankin
pushed a commit
that referenced
this pull request
May 22, 2024
willyborankin
pushed a commit
that referenced
this pull request
May 22, 2024
Member
|
@willyborankin We should document this API on https://opensearch.org/docs/latest. Would you mind opening a doc PR against https://github.com/opensearch-project/documentation-website/? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Introduce new endpoint:
_plugins/_security/api/certificates_plugins/_security/api/certificates/{nodeId}which provides information about SSL certificates for each node in the cluster. The endpoint works only with Default key store but not with external key store.
Path parameters:
nodeId- (Optional, string) The names of particular nodes in the cluster to target. For example,nodeId1,nodeId2Query string parameters:
cert_type- (Optional, string) The SSL certificate type. Expected values are:http,transportandall. The default value isalltimeout- node request timeoutHTTP Response:
{ "_nodes" : { "total" : 0, "successful" : 0, "failed" : 0 }, "cluster_name" : "...", "nodes" : { "..." : { "name" : "...", "certificates" : { "http" : [{ "issuer_dn" : "...", "not_after" : "...", "san" : "...", "subject_dn" : "...", "not_before" : "..." }, ...], "transport" : [{ "issuer_dn" : "...", "not_after" : "...", "san" : "...", "subject_dn" : "...", "not_before" : "..." }, ...] } } } }Example HTTP response:
{ "_nodes" : { "total" : 5, "successful" : 5, "failed" : 0 }, "cluster_name" : "local_cluster_1", "nodes" : { "fxxUhP__T_-hAn-A_____w" : { "name" : "cluster_manager_0", "certificates" : { "http" : [ { "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "san" : "[[8, 1.2.3.4.5.5], [2, node-0.example.com], [2, localhost], [7, 127.0.0.1]]", "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-0.example.com", "not_before" : "2024-04-28T09:23:47Z" } ], "transport" : [ { "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "san" : "[[8, 1.2.3.4.5.5], [2, node-0.example.com], [2, localhost], [7, 127.0.0.1]]", "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-0.example.com", "not_before" : "2024-04-28T09:23:47Z" } ] } }, "i7LgEwAAQACap1QkAAAAAA" : { "name" : "cluster_manager_1", "certificates" : { "http" : [ { "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "san" : "[[8, 1.2.3.4.5.5], [2, node-1.example.com], [2, localhost], [7, 127.0.0.1]]", "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-1.example.com", "not_before" : "2024-04-28T09:23:47Z" } ], "transport" : [ { "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "san" : "[[8, 1.2.3.4.5.5], [2, node-1.example.com], [2, localhost], [7, 127.0.0.1]]", "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-1.example.com", "not_before" : "2024-04-28T09:23:47Z" } ] } }, "58zZ5v__T_-GFzPu_____w" : { "name" : "cluster_manager_2", "certificates" : { "http" : [ { "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "san" : "[[8, 1.2.3.4.5.5], [2, node-2.example.com], [2, localhost], [7, 127.0.0.1]]", "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-2.example.com", "not_before" : "2024-04-28T09:23:47Z" } ], "transport" : [ { "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "san" : "[[8, 1.2.3.4.5.5], [2, node-2.example.com], [2, localhost], [7, 127.0.0.1]]", "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-2.example.com", "not_before" : "2024-04-28T09:23:47Z" } ] } }, "YOYidQAAQACP5uIKAAAAAA" : { "name" : "data_0", "certificates" : { "http" : [ { "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-3.example.com", "san" : "[[8, 1.2.3.4.5.5], [2, node-3.example.com], [2, localhost], [7, 127.0.0.1]]", "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "not_before" : "2024-04-28T09:23:47Z" } ], "transport" : [ { "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-3.example.com", "san" : "[[8, 1.2.3.4.5.5], [2, node-3.example.com], [2, localhost], [7, 127.0.0.1]]", "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "not_before" : "2024-04-28T09:23:47Z" } ] } }, "fcavYQAAQACJuOUMAAAAAA" : { "name" : "data_1", "certificates" : { "http" : [ { "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "san" : "[[8, 1.2.3.4.5.5], [2, node-4.example.com], [2, localhost], [7, 127.0.0.1]]", "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-4.example.com", "not_before" : "2024-04-28T09:23:47Z" } ], "transport" : [ { "issuer_dn" : "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA", "not_after" : "2025-04-28T09:23:47Z", "san" : "[[8, 1.2.3.4.5.5], [2, node-4.example.com], [2, localhost], [7, 127.0.0.1]]", "subject_dn" : "DC=de,L=test,O=node,OU=node,CN=node-4.example.com", "not_before" : "2024-04-28T09:23:47Z" } ] } } } }Issues Resolved
#4280
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.