[FLINK-34369][connectors/elasticsearch] Elasticsearch connector supports SSL context #91

Merged (6 commits) on May 3, 2024

liuml07 (Member) commented Feb 5, 2024

https://issues.apache.org/jira/browse/FLINK-34369

02/05/2024

This is a preliminary PR that was tested locally with secure ES clusters. Plan is to get early feedback, add some tests, and test with deployed jobs.

boring-cyborg bot commented Feb 5, 2024

Thanks for opening this pull request! Please check out our contributing guidelines. (https://flink.apache.org/contributing/how-to-contribute.html)

liuml07 force-pushed the FLINK-34369 branch 2 times, most recently from d5707c3 to ede5bb8 (February 5, 2024 20:21)
liuml07 changed the title from "Support providing SSL context in sink builder" to "[FLINK-34369][connectors/elasticsearch] Elasticsearch connector supports SSL context" (Feb 5, 2024)
liuml07 marked this pull request as ready for review (February 5, 2024 20:22)

reta (Member) commented Mar 21, 2024

@liuml07 could you please use the same configuration/API model as [1] does for SSL support in OpenSearch? Besides just having familiar configuration, the API is friendly to SQL connector (where providing hostname verifier could be challenging), thank you.

The idea basically is that NetworkClientConfig has a setting:

  • allowInsecure: boolean (uses trustall model in case of self-signed certs)
  • you could certainly also keep more elaborate configuration with SSLContext / SSLEngine / ... in case it is needed

Thank you.

[1] https://github.com/apache/flink-connector-opensearch/tree/main/flink-connector-opensearch

liuml07 (Member, Author) commented Apr 16, 2024

@reta Thanks for the advice. I have updated the patch accordingly. I think the allowInsecure and the sslContextSupplier are mutually exclusive, so I added some validation and unit test for that. I can work on a separate one for table if this looks right.
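
The mutual-exclusion check described in the comment above, together with an SSLContext supplier that trusts only the cluster's own CA certificate rather than every certificate, as an added example that is not code from this PR or the connector. The class `SslConfigExample`, the methods `validate` and `trustOnly`, the alias `es-ca` and the PEM path argument are hypothetical; only the option names allowInsecure and sslContextSupplier come from the thread.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.function.Supplier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical stand-in for the connector's builder logic; only the two option names come from the PR.
public class SslConfigExample {
    // Reject ambiguous configuration: trust-all and a caller-supplied context cannot both apply.
    static void validate(boolean allowInsecure, Supplier<SSLContext> sslContextSupplier) {
        if (allowInsecure && sslContextSupplier != null) {
            throw new IllegalStateException(
                    "allowInsecure and sslContextSupplier are mutually exclusive");
        }
    }

    // Build a context that trusts only the CA (PEM or DER file) that signed the cluster certificate.
    static SSLContext trustOnly(String caCertPath) {
        try (InputStream in = Files.newInputStream(Paths.get(caCertPath))) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null); // start from an empty in-memory trust store
            ks.setCertificateEntry("es-ca",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx;
        } catch (Exception e) {
            throw new IllegalStateException("cannot build SSLContext from " + caCertPath, e);
        }
    }

    public static void main(String[] args) {
        // args[0]: path to the cluster CA certificate (assumed to exist on the job's classpath host).
        Supplier<SSLContext> supplier = () -> trustOnly(args[0]);
        validate(false, supplier); // accepted: only the supplier is set
        System.out.println("protocol: " + supplier.get().getProtocol());
        try {
            validate(true, supplier); // rejected: both options set
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With a self-signed cluster, passing such a supplier keeps certificate verification on, which allowInsecure does not.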

snuyanzin (Contributor) commented

@liuml07 thanks for the contribution
it seems the ci failed because of spotless
could you please apply spotless to the PR?

snuyanzin (Contributor) commented

@reta may I ask you to have another review iteration please?

*/
public B setAllowInsecure(boolean allowInsecure) {
this.allowInsecure = allowInsecure;
return self();
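
Review bot: in `setAllowInsecure`, the flag is stored unconditionally, with no check against an SSL context supplier that may already be set on the builder. Since the thread treats the two options as mutually exclusive, fail fast here or make sure the build step rejects the combination, and have the Javadoc that closes just above the method state that `true` means server certificates are accepted without verification.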

Since there is overlap between this setting and suppliers, you may just rely on SSL context supplier here:

this.allowInsecure = allowInsecure;
if (this.allowInsecure) {
    return setSslContextSupplier(SSLContexts.custom().loadTrustMaterial(TrustAllStrategy.INSTANCE)::build);
}


final CredentialsProvider credentialsProvider = getCredentialsProvider(networkClientConfig);
if (credentialsProvider != null
|| networkClientConfig.isAllowInsecure().orElse(Boolean.FALSE)
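
Review bot: on the `networkClientConfig.isAllowInsecure().orElse(Boolean.FALSE)` line, an unset option falls back to false, which keeps verification on by default, but nothing in these lines makes an enabled flag visible at runtime. Consider logging a warning when it resolves to true so that a sink running without certificate verification shows up in the job logs.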

I think wiring allowInsecure through sslContextSupplier (here https://github.com/apache/flink-connector-elasticsearch/pull/91/files#r1574279683) would make the logic simpler

liuml07 (Member, Author) commented May 3, 2024

Thanks for reviewing and your approval. Could you help merge this @reta?

snuyanzin (Contributor) commented

Thanks for the contribution @liuml07
Thanks for the review @reta

snuyanzin merged commit 5d1f8d0 into apache:main May 3, 2024
14 checks passed

boring-cyborg bot commented May 3, 2024

Awesome work, congrats on your first merged pull request!
