-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support application default credentials (ADC) for Google Pub/Sub #15668
Conversation
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
@elastic/siem Can you take a look at this change? |
jenkins, test this please |
The integration tests is failing due to this change. https://travis-ci.org/elastic/beats/jobs/638704764#L9301-L9327 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be good to enable the use of ADC. But I'd prefer to still have up-front validation that the ADC is available this way it can throw an error when filebeat check config
runs.
So the validation would check that one of the options is available - ADC, credential_file exists, or JSON credentials is non-empty. Google has some sample code showing how to check for ADC at https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_compute_engine_kubernetes_engine_app_engine_flexible_environment_and_cloud_functions. Perhaps you can try using the google.FindDefaultCredentials
from that example to implement this validation.
yea, it definitely makes sense I took another stab at it, let me know if this approach is better I also tried running the integration tests locally but they seem to fail on netflow: $ make -C x-pack/filebeat testsuite
make: Entering directory '/home/michal/go/src/github.com/elastic/beats/x-pack/filebeat'
Installing mage v1.9.0 from vendor dir.
go install -mod=vendor -ldflags="-X github.com/magefile/mage/mage.gitTag=v1.9.0" github.com/magefile/mage
/home/michal/.magefile cleaned
rm -f build/TEST-go-integration.out
mage update build unitTest integTest || ( cat build/TEST-go-integration.out && false )
No fields files for module azureeventhub
No fields files for module cloudfoundry
No fields files for module googlepubsub
No fields files for module httpjson
No fields files for module o365audit
Generated fields.yml for filebeat to /home/michal/go/src/github.com/elastic/beats/x-pack/filebeat/fields.yml
>> Building filebeat.yml for linux/amd64
>> Building filebeat.reference.yml for linux/amd64
>> Building filebeat.docker.yml for linux/amd64
exec: go list -m
>> build: Building filebeat
>> go test: Unit Testing
FAILURES:
Package: github.com/elastic/beats/v7/x-pack/filebeat/input/netflow
Test: [build failed]
----
SUMMARY:
Fail: 1
Skip: 7
Pass: 453
Packages: 21
Duration: 26.73016531s
JUnit Report: /home/michal/go/src/github.com/elastic/beats/x-pack/filebeat/build/TEST-go-unit.xml
Output File: /home/michal/go/src/github.com/elastic/beats/x-pack/filebeat/build/TEST-go-unit.out
>> go test: Unit Test Failed
Error: go test failed: 1 test failures
cat: build/TEST-go-integration.out: No such file or directory
make: *** [../../dev-tools/make/xpack.mk:48: testsuite] Error 1
make: Leaving directory '/home/michal/go/src/github.com/elastic/beats/x-pack/filebeat'
[1] 59958 exit 2 make -C x-pack/filebeat testsuite let me know if there's anything else I can help with |
Signed-off-by: Michal Wasilewski <[email protected]>
Signed-off-by: Michal Wasilewski <[email protected]>
Signed-off-by: Michal Wasilewski <[email protected]>
Signed-off-by: Michal Wasilewski <[email protected]>
I added a test case. I updated the documenation for the google-pubsub input to mention that Application Default Credentials (ADC) can be used. And I update the googlecloud modules to support all three authentication methods.
I update the PR to add:
|
run tests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…stic#15668) Update the Google Pub/Sub input to support reading Application Default Credentials (ADC) in addition to the credentials_file and credentials_json config options. If neither config option is set then it will attempt to search for the default credentials. Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment variable plus search a few other well known locations. The googlecloud module was updates to support all three authentication mechanisms. Co-authored-by: Michal Wasilewski <[email protected]> Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 058de35)
…stic#15668) Update the Google Pub/Sub input to support reading Application Default Credentials (ADC) in addition to the credentials_file and credentials_json config options. If neither config option is set then it will attempt to search for the default credentials. Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment variable plus search a few other well known locations. The googlecloud module was updates to support all three authentication mechanisms. Co-authored-by: Michal Wasilewski <[email protected]> Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 058de35)
…stic#15668) Update the Google Pub/Sub input to support reading Application Default Credentials (ADC) in addition to the credentials_file and credentials_json config options. If neither config option is set then it will attempt to search for the default credentials. Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment variable plus search a few other well known locations. The googlecloud module was updates to support all three authentication mechanisms. Co-authored-by: Michal Wasilewski <[email protected]> Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 058de35)
) (#17790) Update the Google Pub/Sub input to support reading Application Default Credentials (ADC) in addition to the credentials_file and credentials_json config options. If neither config option is set then it will attempt to search for the default credentials. Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment variable plus search a few other well known locations. The googlecloud module was updates to support all three authentication mechanisms. Co-authored-by: Michal Wasilewski <[email protected]> Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 058de35)
) (#17791) Update the Google Pub/Sub input to support reading Application Default Credentials (ADC) in addition to the credentials_file and credentials_json config options. If neither config option is set then it will attempt to search for the default credentials. Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment variable plus search a few other well known locations. The googlecloud module was updates to support all three authentication mechanisms. Co-authored-by: Michal Wasilewski <[email protected]> Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 058de35) Co-authored-by: Michal <[email protected]>
…stic#15668) (elastic#17791) Update the Google Pub/Sub input to support reading Application Default Credentials (ADC) in addition to the credentials_file and credentials_json config options. If neither config option is set then it will attempt to search for the default credentials. Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment variable plus search a few other well known locations. The googlecloud module was updates to support all three authentication mechanisms. Co-authored-by: Michal Wasilewski <[email protected]> Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit e3175aa) Co-authored-by: Michal <[email protected]>
What does this PR do?
Update the Google Pub/Sub input to support reading Application Default Credentials
(ADC) in addition to the credentials_file and credentials_json config options.
If neither config option is set then it will attempt to search for the default credentials.
Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment
variable plus searching a few other well known locations.
The googlecloud module was updates to support all three authentication mechanisms.
Why is it important?
Without this change, Filebeat requires a path to a file with credentials to be provided in its config and is unable to use for example a default service account.
Checklist
I have commented my code, particularly in hard-to-understand areasI have made corresponding changes to the documentationI have made corresponding change to the default configuration filesI have added tests that prove my fix is effective or that my feature worksAuthor's Checklist
How to test this PR locally
Related issues
Use cases
Sending logs to Elastic from PubSub queue
Screenshots
Logs