Display security auto-configuration with fancy unicode #82740
Conversation
|
FWIW here are some sample outputs, for the time being, with a large terminal width: Vanilla configuration (when no node enrollment token is generated): When the enrollment token is generated (because |
albertzaharovits
added
:Security/Security
albertzaharovits
changed the title
...ity/src/main/java/org/elasticsearch/xpack/security/InitialNodeSecurityAutoConfiguration.java
Outdated
Show resolved
Hide resolved
|
Looks good to me @albertzaharovits thanks! I think this moves the needle quite a bit, helping the output to stand out. I'd only suggest a few more (5?10?) empty lines before and after to make it more pronounced that this is a standalone section and not logs |
|
This is how it looks on my machine and with a darker background
|
|
Thanks Albert, looks good! |
I still need to implement a fallback for that, as per:
More exactly the issue is whether the JVM's character encoding that's used to print the information to the terminal "can encode" the special unicode code points (this is what I need to code still), eg UTF-8 can, Latin-1 can not. But even in the case that the JVM is favorably configured, there is still some potential for funny characters (ie boxes and question marks):
The above two we cannot detect. |
|
Pinging @elastic/es-security (Team:Security) |
|
Things I've noticed in the message, that maybe we could improve:
|
Agreed. I think that part of the struggle here is to add just enough information. We don't want to replicate the entirety of a relevant docs page but we do want to add some information that we believe is helpful. I was wary of adding anything related to docker but if we're not able to determine whether we're running in Docker and given the % of folks that will run this in Docker , I'm ++ to having something there. I agree with your suggestion to simplify the command though, maybe simply
Personally this falls into the too much information category for the startup message but I'm happy to change my mind.
Yes this is a tricky one. We could assume that if the initial node is bound to not localhost, then the other nodes will be on other hosts for sure and so they'd need to change |
@bytebilly had caught this in the feature assurance doc but we failed to address this. :doh: I think we should treat it as a bug and fix it. We get the transport addresses from the node we call out to during enrollment and we figure out all IP Addresses we can know of ( for the SANs ) so we could possibly set transport.host to site IF any of the IP addresses that we get as existing cluster members is not in the ones we figured out for the host. I'll open a small PR |
...ity/src/main/java/org/elasticsearch/xpack/security/InitialNodeSecurityAutoConfiguration.java
Outdated
Show resolved
Hide resolved
...ity/src/main/java/org/elasticsearch/xpack/security/InitialNodeSecurityAutoConfiguration.java
Outdated
Show resolved
Hide resolved
distribution/tools/ansi-console/src/main/java/org/elasticsearch/io/ansi/AnsiConsoleLoader.java
Show resolved
Hide resolved
| assertThat(console.width().get(), is(width)); | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Is there a test we can write that would fail if tryExtractPrintCharset fails with a reflection related error ? Could be useful for upgrades
There was a problem hiding this comment.
Hmm, I don't have good ideas. The method would fail if the classes in the JANSI lib change structure, following an upgrade, but we can't simulate that in a test.
We do not have tests asserting the auto-configuration message to the terminal.
If we would, we could assert the unicode formatting on at least some platforms.
There was a problem hiding this comment.
We assert the message to the terminal in ArchiveGenerateInitialCredentialsTests for some simple things but we need to adjust and fix these tests ( currently muted ) and we can add additional cases for sure
There was a problem hiding this comment.
Good, I missed those!
There was a problem hiding this comment.
TBC, when those tests are unmuted, I believe we can assert there that the displayed information contains unicode chars (on some platforms, eg not Windows), which also implies that reflection worked.
|
Okay, this is what it looks like after the above suggestions: Unless @lockewritesdocs has other suggestions, I'm going to merge this as is. FWIW we also add color to the text. |
|
@elasticmachine run elasticsearch-ci/part-2-fips |
I agree with @jkakavas in his previous comment. I do think that we need a separate line for enrolling a new node in Docker, but just enough to get the user up and running. This is only a startup message, and we'll rely on the documentation for more instructive, how-to information.
I'm torn on this one. For many users, the current startup message will meet their needs -- they're able to start Elasticsearch with security enabled and can enroll additional nodes. I agree with @jkakavas that we don't want to clutter the startup message unnecessarily, but would we consider adding a link to the docs for Installing Kibana in Docker, which includes the necessary steps? For example: |
My personal preference would be to not add this. |
I'm 👍 with not adding the link. Just wanted to have the discussion and see where we landed. |
|
For test failure https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+pull-request+part-2-fips/361/ I've raised #82977 . Will be merging this after that. |
|
@elasticmachine update branch |
This PR slightly improves the format of the security auto-configuration information that is printed on the terminal when the initial cluster node first starts up. It uses eye-catching Unicode characters for bullet points. It also uses Unicode to display a continuous border, for the whole width of the terminal, before and after the information. In addition, it uses ANSI escape sequences to render some of the information in bold fonts. It will fallback to using regular characters if the JVM is set-up with a non-UTF encoding for the standard out.
|
I realized ( late enough :) ) that we might want to add some more whitespace after the unicode characters so that it looks better in many terminals. Easy to do in a short followup though : |
This PR slightly improves the format of the security auto-configuration information that is printed on the terminal when the initial cluster node first starts up. It uses eye-catching Unicode characters for bullet points. It also uses Unicode to display a continuous border, for the whole width of the terminal, before and after the information. In addition, it uses ANSI escape sequences to render some of the information in bold fonts. It will fallback to using regular characters if the JVM is set-up with a non-UTF encoding for the standard out.
TODO:* detect if the banner PrintStream encoding supports the fancy unicode codepoints (otherwise, fallback to simpler variants)* detect (expose) the terminal width, in order to construct the border to fill the width of the terminal* make sure information doesn't use jansi when it is disabled (there are multiple ways to disable jansi)Edited 24.01.2022
This PR slightly improves the format of the security auto-configuration information, which is printed on the terminal when
the initial cluster node first starts up.
It uses eye-catching Unicode characters for bullet points.
It also uses Unicode to display a continuous border, for the whole width of the terminal, before and after the information.
In addition, it uses ANSI escape sequences to render some of the information in bold fonts.
It will fallback to using regular characters if the JVM is set-up with a non-UTF encoding for the standard out.
Related: #82364