-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Directly download commercial ip geolocation databases from providers #110844
Conversation
elastic#110675) Co-authored-by: Joe Gallo <[email protected]>
Some cluster state customs have singular nouns and some have plural, and I think plural is more natural for this case.
…f no database metadata is present
to work around a race condition on the first run (when there is no next run already scheduled).
From ingest.geoip.downloader.maxmind.default.license_key to just ingest.geoip.downloader.maxmind.license_key.
…arch into enterprise-downloader
In this version Maxmind is very much a hardcoded configuration -- I think we might want a NamedWriteable here rather than merely a Writeable, but this allows us to keep making progress.
…terprise-downloader
...main/java/org/elasticsearch/ingest/geoip/direct/TransportGetDatabaseConfigurationAction.java
Outdated
Show resolved
Hide resolved
try { | ||
this.cachedSecureSettings = extractSecureSettings(settings, List.of(MAXMIND_LICENSE_KEY_SETTING)); | ||
} catch (GeneralSecurityException e) { | ||
logger.error("Keystore exception while reloading enterprise geoip download task executor", e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pretty sure that you want to rethrow this (or wrap with better type and rethrow) so that the REST reload API also know that this failed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes sense, yeah. 95a820b
|
||
@Override | ||
public InputStream getFile(String setting) { | ||
throw new IllegalStateException("A NotificationService setting cannot be File."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NotificationService ?
Also, perhaps UnsupportedOperationException
instead of IllegalStateException
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, 572991a
// get the secure settings out | ||
final SecureSettings sourceSecureSettings = Settings.builder().put(source, true).getSecureSettings(); | ||
// filter and cache them... | ||
final Map<String, Tuple<SecureString, byte[]>> cache = new HashMap<>(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
super nitpick (feel free to ignore)
- I think Records reads a lot nicer than Tuple's and are only 1 line of code difference (assuming you don't need to backport to 7.x).
- Cache is bit misleading since the SecureSettings returned here is what is cached, this is the just the
innerMap
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/** | ||
* Extracts the {@link SecureSettings}` out of the passed in {@link Settings} object. The {@code Setting} argument has to have the | ||
* {@code SecureSettings} open/available. Normally {@code SecureSettings} are available only under specific callstacks (eg. during node | ||
* initialization or during a `reload` call). The returned copy can be reused freely as it will never be closed (this is a bit of | ||
* cheating, but it is necessary in this specific circumstance). Only works for secure settings of type string (not file). | ||
* | ||
* @param source A {@code Settings} object with its {@code SecureSettings} open/available. | ||
* @param securePluginSettings The list of settings to copy. | ||
* @return A copy of the {@code SecureSettings} of the passed in {@code Settings} argument. | ||
*/ | ||
private static SecureSettings extractSecureSettings(Settings source, List<Setting<?>> securePluginSettings) | ||
throws GeneralSecurityException { | ||
// get the secure settings out | ||
final SecureSettings sourceSecureSettings = Settings.builder().put(source, true).getSecureSettings(); | ||
// filter and cache them... | ||
final Map<String, Tuple<SecureString, byte[]>> cache = new HashMap<>(); | ||
if (sourceSecureSettings != null && securePluginSettings != null) { | ||
for (final String settingKey : sourceSecureSettings.getSettingNames()) { | ||
for (final Setting<?> secureSetting : securePluginSettings) { | ||
if (secureSetting.match(settingKey)) { | ||
cache.put( | ||
settingKey, | ||
new Tuple<>(sourceSecureSettings.getString(settingKey), sourceSecureSettings.getSHA256Digest(settingKey)) | ||
); | ||
} | ||
} | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
only reviewed the secure settings bits, LGTM pending the outcome of the error handling (see comment above)
Pinging @elastic/es-data-management (Team:Data Management) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for working through this with me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SecureSetting bits LGTM
…lastic#110844) Co-authored-by: Keith Massey <[email protected]>
…viders (#110844) (#111077) Co-authored-by: Keith Massey <[email protected]>
…lastic#110844) Co-authored-by: Keith Massey <[email protected]>
…lastic#110844) Co-authored-by: Keith Massey <[email protected]>
Adds a feature for downloading commercial ip geolocation databases directly from different providers and exposing those databases to the
geoip
processor -- at present the only supported provider is MaxMind.