Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support API key authentication #1778

Merged
merged 2 commits into from
Sep 14, 2023
Merged

Support API key authentication #1778

merged 2 commits into from
Sep 14, 2023

Conversation

pquentin
Copy link
Member

Closes #1777, relates #1757

Most of the work is done in the Elasticsearch Python client, so we do only three things:

  • document the option,
  • mask the API key in logs,
  • and log that it is enabled or not.

However:

  • We don't catch the case where api_key, basic_auth_user and basic_auth_password are all set, since we get a traceback with ValueError: Can only set one of 'api_key', 'basic_auth', and 'bearer_auth' in this case.
  • We don't try to support the combination of create_api_key_per_client with api_key: basic_auth is still required for that use case, as documented.

@pquentin pquentin added the enhancement Improves the status quo label Sep 13, 2023
@pquentin pquentin added this to the 2.10.0 milestone Sep 13, 2023
@pquentin pquentin self-assigned this Sep 13, 2023
@@ -717,6 +717,7 @@ Here are a few common examples:

* Enable HTTP compression: ``--client-options="http_compress:true"``
* Enable basic authentication: ``--client-options="basic_auth_user:'user',basic_auth_password:'password'"``. Avoid the characters ``'``, ``,`` and ``:`` in user name and password as Rally's parsing of these options is currently really simple and there is no possibility to escape characters.
* Enable API key authentication: ``--client-options="api_key:'a0V...2dw=='"``
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a note suggesting only one authentication mechanism should be used?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great point, thanks. Done in 4f73902 (#1778), can you please take another look?

Copy link
Member

@inqueue inqueue left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one comment, the rest LGTM.

2023-09-13 16:05:39,325 ActorAddr-(T|:37685)/PID:2257 esrally.client.factory INFO Creating ES client connected to [{'host': 'target.host', 'port': 443}] with option
s [{'api_key': '*****', 'use_ssl': True, 'verify_certs': False, 'retry_on_timeout': True}]

@pquentin pquentin requested a review from inqueue September 13, 2023 17:03
Copy link
Member

@inqueue inqueue left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks much!

Copy link
Contributor

@gbanasiak gbanasiak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Note: API key and other sensitive information can still leak through the following DEBUG log, but as we do not use DEBUG log level by default I think that is acceptable.

logger.debug("Command line arguments: %s", args)

@pquentin pquentin merged commit 79f7b5c into elastic:master Sep 14, 2023
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Improves the status quo
Projects
None yet
Development

Successfully merging this pull request may close these issues.

All users to specify API key in a place other than a header
3 participants