Updated ssl to true by default for core peer forwarder#1835
Updated ssl to true by default for core peer forwarder#1835asifsmohammed merged 5 commits intoopensearch-project:mainfrom
Conversation
dlvenable
left a comment
dlvenable
left a comment
There was a problem hiding this comment.
From what I can tell, this turns on SSL, but there is no configured certificate/key pair. So I expect Data Prepper will fail to start.
| private Integer maxPendingRequests = 1024; | ||
| private boolean ssl = false; | ||
| private boolean ssl = true; | ||
| private String sslCertificateFile; |
There was a problem hiding this comment.
I think we need to set this default value to the sample certificate. I believe it would be config/sample-certificate.pem or something similar.
There was a problem hiding this comment.
Yeah, it fails if sample certificates in config directory are not used. I thought we just provide the sample certs and user has to configure it using them.
But I can update sslCertificateFile and sslKeyFile to default certs file paths.
There was a problem hiding this comment.
I think it should be able to run by default. This is similar to how you can run OpenSearch by default with the default certificate.
There was a problem hiding this comment.
Hey @dlvenable, I tried adding the default paths to these configurations but it's challenging as we don't know the path at compile time. Because the system property DATA_PREPPER_HOME is not set.
If we hardcode the system property DATA_PREPPER_HOME then it can be changed at runtime using '-Ddata-prepper.dir=/app/data-prepper'.
Let me know if you have any suggestions? I think we can just leave it like this and ask the user to use the default certificates provided in /config directory but it's an additional step if ssl is enabled.
public static final String DEFAULT_CERTIFICATE_FILE_PATH = "config/default_certificate.pem";
public static final String DEFAULT_PRIVATE_KEY_FILE_PATH = "config/default_private_key.pem";
private static final String DATA_PREPPER_HOME = System.getProperty("data-prepper.dir");
private boolean ssl = true;
private String sslCertificateFile = Paths.get(DATA_PREPPER_HOME).resolve(DEFAULT_CERTIFICATE_FILE_PATH).toString();
private String sslKeyFile = Paths.get(DATA_PREPPER_HOME).resolve(DEFAULT_PRIVATE_KEY_FILE_PATH).toString();
One alternative is to pass in third argument to the ContextManager and make necessary changes in DataPrepperArgs. This approach is easier to implement if Data Prepper is run without arguments as we create the arguments in this approach.
final String dataPrepperPipelines = Paths.get(dataPrepperHome).resolve("pipelines/").toString();
final String dataPrepperConfig = Paths.get(dataPrepperHome).resolve("config/data-prepper-config.yaml").toString();
final String defaultSslCertificateFile = Paths.get(dataPrepperHome).resolve("config/default_certificate.pem").toString();
final String defaultSslPrivateKeyFile = Paths.get(dataPrepperHome).resolve("config/default_private_key.pem").toString();
contextManager = new ContextManager(dataPrepperPipelines, dataPrepperConfig, defaultSslCertificateFile, defaultSslPrivateKeyFile);
If user passes pipeline and Data Prepper config YAML files it would't be possible as arguments size can be dynamic.
There was a problem hiding this comment.
If we set the value to config/default-certificate would it not resolve correctly? It should resolve from the current directory which is the Data Prepper directory.
If this works for most scenarios, but not all, I'd be fine. We can improve it later.
There was a problem hiding this comment.
I'll try a POC for this and update here.
There was a problem hiding this comment.
I tried manual testing and config/defailt-cert-path works without configuring ssl, ssl_certificate_file, ssl_key_file.
| private boolean ssl = false; | ||
| private boolean ssl = true; | ||
| private String sslCertificateFile; | ||
| private String sslKeyFile; |
There was a problem hiding this comment.
This should also be set to the default key file.
Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
asifsmohammed
force-pushed
the
cpf-ssl-default
branch
from
262bf2d to
9fcc1be
Compare
| TestDataProvider.INVALID_PEER_FORWARDER_WITH_THREAD_COUNT_CONFIG_FILE, | ||
| TestDataProvider.INVALID_PEER_FORWARDER_WITH_CONNECTION_CONFIG_FILE, | ||
| TestDataProvider.INVALID_PEER_FORWARDER_WITH_SSL_CONFIG_FILE, | ||
| // TestDataProvider.INVALID_PEER_FORWARDER_WITH_SSL_CONFIG_FILE |
There was a problem hiding this comment.
Is this test still valid since the file doesn't exist? Or does the validation not yet happen?
| TestDataProvider.INVALID_PEER_FORWARDER_WITH_CLOUD_MAP_WITHOUT_REGION_CONFIG_FILE, | ||
| TestDataProvider.INVALID_PEER_FORWARDER_WITH_DNS_WITHOUT_DOMAIN_NAME_CONFIG_FILE, | ||
| TestDataProvider.INVALID_PEER_FORWARDER_WITH_SSL, | ||
| // TestDataProvider.INVALID_PEER_FORWARDER_WITH_SSL |
There was a problem hiding this comment.
Should this be removed? If so, let's remove the line entirely.
There was a problem hiding this comment.
These tests should be removed. They are invalid
Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
3 participants
Signed-off-by: Asif Sohail Mohammed nsifmoh@amazon.com
Description
PeerForwarderServerProxy, so we don't need cert files for bean creation.ssl,ssl_certificate_file,ssl_key_fileand will use default certificates.Issues Resolved
resolves #1699
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.