Deprecate specifying credentials through env vars, sys props, and remove profile files #22567
Conversation
… props, and profile files This is a follow up to elastic#22479, where storing credentials secure way was added.
|
I'm not sure how to test this, since before we didn't have tests, and all of these methods rely on sys props or env vars. I've considered having special test tasks for each one of these within the repository-s3 plugin. It might work, it would just mean adding some test classes as excluded in the normal test run. Thoughts? |
|
I think your change will also "fix" somehow what we discussed in #21041. I know that we have infra tests that probably needs to be modified if we do that for ec2 as well. |
|
Ok I added tests as I described above, and this actually caught a bug in my new implementation (the aws providers all throw exception if they are not found, and the default chain handles this by wrapping in try/catch). |
|
Given #21041, which I had forgot about, I removed profile file support entirely in this change (it didn't work with the security manager). |
|
retest this please |
| credentials = new StaticCredentialsProvider(syspropCredentials); | ||
| } else { | ||
| logger.debug("Using instance profile credentials"); | ||
| credentials = new InstanceProfileCredentialsProvider(); |
There was a problem hiding this comment.
I think that using instance profile is a good thing actually and I have seen many people relying on that.
Basically credentials are only stored on AWS platform. Elasticsearch does not need to know them explicitly. So no one has to enter any access_key/secret_key either on elasticsearch.yml (in clear - which is not secured) or in elasticsearch keystore.
I'd not remove that option, at least, without speaking to the community/users.
There was a problem hiding this comment.
I did not deprecate instance profile. Notice it is different from the rest.
There was a problem hiding this comment.
But if we run your code without setting any key/secret in elasticsearch.yml (or in the vault), then we will print the deprecated notice you wrote in getDeprecatedCredentials, right?
I mean that when you are using instance profile, you don't have to add any key/secret as it is automatically provided by AWS platform.
There was a problem hiding this comment.
No, if it is using instance profile creds, no deprecation warning is given. Instance profile provider is not using getDeprecatedCredentials.
| logger.debug("Using instance profile credentials"); | ||
| credentials = new InstanceProfileCredentialsProvider(); | ||
| } | ||
| } | ||
| } else { | ||
| logger.debug("Using basic key/secret credentials"); | ||
| credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString())); |
There was a problem hiding this comment.
With what I just said, I'd use here a ProviderChain with:
StaticCredentialsProviderInstanceProfileCredentialsProvider
There was a problem hiding this comment.
I don't see a reason to use a provider chain. We select exactly one set of credentials we are planning to use. I don't like having fallbacks (which a provider chain does, with its nasty blanket try/catch) when there are errors.
There was a problem hiding this comment.
Then you need to test if the user provided a key/secret pair and in that case use a StaticCredentialsProvider. If not, use a InstanceProfileCredentialsProvider. This is what a chain is doing behind the scene but I agree that you can write that part of the code yourself if you wish.
There was a problem hiding this comment.
What is there works, there are new tests that prove this. A provider chain would only obfuscate what is really happening. As it is now, it is very clear which methods are deprecated (env vars and sys props) and which are supported (instance profile). We check if env vars and sys props exist up front, instead of lazily like the provider chain would.
dadoonet
changed the title
|
@dadoonet Any more thoughts here? |
|
@rjernst I added a comment on the issue yesterday: #22567 (comment) |
* master: (117 commits) Add missing serialization BWC for disk usage estimates Expose disk usage estimates in nodes stats S3 repository: Deprecate specifying credentials through env vars, sys props, and remove profile files (elastic#22567) Fix Eclipse project generation Fix deprecation logging for lenient booleans Remove @Header we no longer need Make lexer abstract [Docs] Remove outdated info about enabling/disabling doc_values (elastic#22694) Move lexer hacks to EnhancedPainlessLexer Fix incorrect args order passed to createAggregator Improve painless's javadocs Add TestWithDependenciesPlugin to build (elastic#22646) Add parsing from xContent to SearchProfileShardResults and nested classes (elastic#22649) Add unit tests for FiltersAggregator (elastic#22678) Don't register search response listener in transport clients unmute FieldStatsIntegrationIT.testGeoPointNotIndexed, fix already pushed Mute FieldStatsIntegrationIT.testGeoPointNotIndexed, for now Painless: Add augmentation to string for base 64 (elastic#22665) Fix NPE on FieldStats with mixed cluster on version pre/post 5.2 (elastic#22688) Add parsing methods for UpdateResponse (elastic#22586) ...
clintongormley
changed the title
clintongormley
added
:Distributed Coordination/Snapshot/Restore
This is a follow up to #22479, where storing credentials secure way was
added.
closes #21041