Support application default credentials (ADC) for Google Pub/Sub #15668

Merged
merged 9 commits into from
Apr 17, 2020

Conversation

mwasilew2
Contributor

@mwasilew2 mwasilew2 commented Jan 18, 2020

What does this PR do?

Update the Google Pub/Sub input to support reading Application Default Credentials
(ADC) in addition to the credentials_file and credentials_json config options.

If neither config option is set then it will attempt to search for the default credentials.
Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment
variable plus searching a few other well known locations.

The googlecloud module was updated to support all three authentication mechanisms.

Why is it important?

Without this change, Filebeat requires a path to a file with credentials to be provided in its config and is unable to use, for example, a default service account.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works

Author's Checklist

  • [ ]

How to test this PR locally

  1. Upload the Filebeat binary to a GCP instance created with default config
  2. Run the binary configured to read from PubSub, but do not provide any credentials
  3. Filebeat should be able to detect that it's on GCP and use ADC (get a token for the default service account for the VM from the metadata server)

Related issues

Use cases

Sending logs to Elastic from PubSub queue

Screenshots

Logs

@elasticmachine
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?


@blakerouse
Contributor

@elastic/siem Can you take a look at this change?

@andrewkroh
Member

jenkins, test this please

@andrewkroh
Member

The integration test is failing due to this change. https://travis-ci.org/elastic/beats/jobs/638704764#L9301-L9327

Member

@andrewkroh andrewkroh left a comment


I think it would be good to enable the use of ADC. But I'd prefer to still have up-front validation that the ADC is available; this way it can throw an error when filebeat check config runs.

So the validation would check that one of the options is available - ADC, credential_file exists, or JSON credentials is non-empty. Google has some sample code showing how to check for ADC at https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_compute_engine_kubernetes_engine_app_engine_flexible_environment_and_cloud_functions. Perhaps you can try using the google.FindDefaultCredentials from that example to implement this validation.
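
The up-front check requested in this review, written out as an added example (not code from this PR or from Filebeat). The names `pubsubAuth`, `validateAuth` and `adcFinder` are hypothetical, and the ADC lookup is injected as a function so the example runs offline where real code would call `google.FindDefaultCredentials`. Rejecting an explicit but missing `credentials_file` instead of falling back to ADC, and checking `credentials_json` with `json.Valid` rather than only for non-emptiness, are choices of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// pubsubAuth holds the two explicit options from the PR (hypothetical struct).
type pubsubAuth struct {
	CredentialsFile string // credentials_file
	CredentialsJSON []byte // credentials_json
}

// adcFinder reports whether Application Default Credentials resolve. Real code
// would wrap google.FindDefaultCredentials (golang.org/x/oauth2/google).
type adcFinder func() error

// validateAuth returns the mechanism that will be used, or an error for the config check.
func validateAuth(c pubsubAuth, findADC adcFinder) (string, error) {
	if c.CredentialsFile != "" {
		// An explicit path that is missing must fail, not silently switch identity to ADC.
		if _, err := os.Stat(c.CredentialsFile); err != nil {
			return "", fmt.Errorf("credentials_file %q: %w", c.CredentialsFile, err)
		}
		return "credentials_file", nil
	}
	if len(c.CredentialsJSON) > 0 {
		if !json.Valid(c.CredentialsJSON) {
			return "", errors.New("credentials_json is set but is not valid JSON")
		}
		return "credentials_json", nil
	}
	if err := findADC(); err != nil {
		return "", fmt.Errorf("no credentials_file, credentials_json or ADC available: %w", err)
	}
	return "adc", nil
}

func main() {
	// Constructed inputs: a missing file, inline JSON, and nothing configured.
	noADC := func() error { return errors.New("no default credentials (constructed)") }
	cases := []pubsubAuth{{CredentialsFile: "/nonexistent/sa.json"}, {CredentialsJSON: []byte(`{}`)}, {}}
	for _, c := range cases {
		mech, err := validateAuth(c, noADC)
		fmt.Printf("mechanism=%q err=%v\n", mech, err)
	}
}
```
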

@mwasilew2
Contributor Author

@andrewkroh

So the validation would check that one of the options is available - ADC, credential_file exists, or JSON credentials is non-empty.

yea, it definitely makes sense

I took another stab at it, let me know if this approach is better

I also tried running the integration tests locally but they seem to fail on netflow:

$ make -C x-pack/filebeat testsuite
make: Entering directory '/home/michal/go/src/github.com/elastic/beats/x-pack/filebeat'
Installing mage v1.9.0 from vendor dir.
go install -mod=vendor -ldflags="-X github.com/magefile/mage/mage.gitTag=v1.9.0" github.com/magefile/mage
/home/michal/.magefile cleaned
rm -f build/TEST-go-integration.out
mage update build unitTest integTest || ( cat build/TEST-go-integration.out && false )
No fields files for module azureeventhub
No fields files for module cloudfoundry
No fields files for module googlepubsub
No fields files for module httpjson
No fields files for module o365audit
Generated fields.yml for filebeat to /home/michal/go/src/github.com/elastic/beats/x-pack/filebeat/fields.yml
>> Building filebeat.yml for linux/amd64
>> Building filebeat.reference.yml for linux/amd64
>> Building filebeat.docker.yml for linux/amd64
exec: go list -m
>> build: Building filebeat
>> go test: Unit Testing
FAILURES:
Package: github.com/elastic/beats/v7/x-pack/filebeat/input/netflow
Test:    [build failed]
----
SUMMARY:
  Fail:     1
  Skip:     7
  Pass:     453
  Packages: 21
  Duration: 26.73016531s
  JUnit Report: /home/michal/go/src/github.com/elastic/beats/x-pack/filebeat/build/TEST-go-unit.xml
  Output File:  /home/michal/go/src/github.com/elastic/beats/x-pack/filebeat/build/TEST-go-unit.out
>> go test: Unit Test Failed
Error: go test failed: 1 test failures
cat: build/TEST-go-integration.out: No such file or directory
make: *** [../../dev-tools/make/xpack.mk:48: testsuite] Error 1
make: Leaving directory '/home/michal/go/src/github.com/elastic/beats/x-pack/filebeat'
[1]    59958 exit 2     make -C x-pack/filebeat testsuite

let me know if there's anything else I can help with

@mwasilew2 mwasilew2 requested a review from a team as a code owner April 16, 2020 23:43
mwasilew2 and others added 5 commits April 16, 2020 19:44
Signed-off-by: Michal Wasilewski <[email protected]>
Signed-off-by: Michal Wasilewski <[email protected]>
Signed-off-by: Michal Wasilewski <[email protected]>
I added a test case. I updated the documentation for the google-pubsub input to mention that Application Default Credentials (ADC) can be used.

And I updated the googlecloud modules to support all three authentication methods.
@andrewkroh
Member

I updated the PR to add:

  • unit test for the config validation
  • updated google-pubsub doc to mention ADC can be used
  • update googlecloud modules to support ADC and credentials_json

@andrewkroh
Member

run tests

Member

@andrewkroh andrewkroh left a comment


LGTM

@andrewkroh andrewkroh merged commit 058de35 into elastic:master Apr 17, 2020
@andrewkroh andrewkroh changed the title use ADC on GCP instances Support application default credentials (ADC) for Google Pub/Sub Apr 17, 2020
@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Apr 17, 2020
sayden pushed a commit to sayden/beats that referenced this pull request Apr 17, 2020
…stic#15668)

Update the Google Pub/Sub input to support reading Application Default Credentials
(ADC) in addition to the credentials_file and credentials_json config options.

If neither config option is set then it will attempt to search for the default credentials.
Generally this means reading the GOOGLE_APPLICATION_CREDENTIALS environment
variable plus searching a few other well known locations.

The googlecloud module was updated to support all three authentication mechanisms.

Co-authored-by: Michal Wasilewski <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit 058de35)
@sayden sayden added v7.8.0 and removed needs_backport PR is waiting to be backported to other branches. labels Apr 17, 2020
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request May 2, 2020
…stic#15668)


Co-authored-by: Michal Wasilewski <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit 058de35)
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request May 2, 2020
…stic#15668)


Co-authored-by: Michal Wasilewski <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit 058de35)
andrewkroh added a commit that referenced this pull request May 4, 2020
) (#17790)


Co-authored-by: Michal Wasilewski <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>

(cherry picked from commit 058de35)
andrewkroh added a commit that referenced this pull request May 13, 2020
) (#17791)


Co-authored-by: Michal Wasilewski <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit 058de35)

Co-authored-by: Michal <[email protected]>
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…stic#15668) (elastic#17791)


Co-authored-by: Michal Wasilewski <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit e3175aa)

Co-authored-by: Michal <[email protected]>

Successfully merging this pull request may close these issues.

Filebeat doesn't use ADC on GCP instances