Support SSL and AUTH for redis #717

Open
wants to merge 21 commits into base: master

Conversation

munishchouhan
Member

This PR will add:

  1. SSL for Redis via the rediss:// protocol
  2. a password, if auth is enabled

Signed-off-by: munishchouhan <[email protected]>
@munishchouhan munishchouhan linked an issue Oct 24, 2024 that may be closed by this pull request
@munishchouhan munishchouhan self-assigned this Oct 24, 2024
Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
import redis.clients.jedis.JedisClientConfig


class JedisUtils {
Collaborator

Instead of re-inventing the wheel, look at DefaultJedisClientConfig

  protected JedisFactory(final URI uri, final int connectionTimeout, final int soTimeout,
      final int infiniteSoTimeout, final String clientName, final SSLSocketFactory sslSocketFactory,
      final SSLParameters sslParameters, final HostnameVerifier hostnameVerifier) {
    if (!JedisURIHelper.isValid(uri)) {
      throw new InvalidURIException(String.format(
          "Cannot open Redis connection due invalid URI. %s", uri.toString()));
    }
    this.clientConfig = DefaultJedisClientConfig.builder().connectionTimeoutMillis(connectionTimeout)
        .socketTimeoutMillis(soTimeout).blockingSocketTimeoutMillis(infiniteSoTimeout)
        .user(JedisURIHelper.getUser(uri)).password(JedisURIHelper.getPassword(uri))
        .database(JedisURIHelper.getDBIndex(uri)).clientName(clientName)
        .protocol(JedisURIHelper.getRedisProtocol(uri))
        .ssl(JedisURIHelper.isRedisSSLScheme(uri)).sslSocketFactory(sslSocketFactory)
        .sslParameters(sslParameters).hostnameVerifier(hostnameVerifier).build();
    this.jedisSocketFactory = new DefaultJedisSocketFactory(new HostAndPort(uri.getHost(), uri.getPort()), this.clientConfig);
  }

Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
) {
log.info "Using redis $uri as storage for rate limit - pool minIdle: ${minIdle}; maxIdle: ${maxIdle}; maxTotal: ${maxTotal}"
boolean ssl = uri.startsWith("rediss")
DefaultJedisClientConfig clientConfig = DefaultJedisClientConfig.builder()
.password(password)
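Review bot: the `log.info "Using redis $uri as storage for rate limit ..."` line interpolates the full URI into the application log; since the thread on this file settles on reading the password from the URI when none is configured, a `rediss://user:password@host:port` value would write the Redis credential to the log on every startup. Log only scheme, host and port (parse the URI and drop `getUserInfo()` before interpolating). On the same hunk, `boolean ssl = uri.startsWith("rediss")` derives TLS from a raw string prefix; deriving it from the parsed scheme (Jedis ships `JedisURIHelper.isRedisSSLScheme(URI)`) makes an unparseable or mistyped value fail early instead of silently falling back to a plaintext connection.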
Collaborator

Is it safe if the password is null?

Member Author

I am making changes to use JedisURIHelper

Collaborator

Not sure it's needed, because I think that tries to look up the password in the Redis URI; instead we need to specify it independently

Member Author

@munishchouhan munishchouhan Oct 24, 2024

I have added the password in the config, and if it's null then check in the URI

Member Author

The password will be null if auth is not set, like currently we don't have that.

Should we make it compulsory?
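One way to wire up the two settings this review thread discusses, as an added example that is not code from the wave project or from this PR: TLS is switched on from the URI scheme, an explicitly configured password takes precedence over credentials embedded in the URI, and the null case is passed through as "no AUTH" rather than rejected. It assumes Jedis 4.x or later (redis.clients:jedis) on the classpath and uses only the `JedisURIHelper` and `DefaultJedisClientConfig` calls quoted above; the class `RedisClientConfigExample` and its methods are hypothetical names. It also covers a point the PR snippets do not show: with `ssl(true)` and no further settings, Jedis validates the server certificate chain through the default `SSLSocketFactory` but only checks that the certificate matches the host when given a `HostnameVerifier` or `SSLParameters` with endpoint identification, so the example sets the latter.

```java
// Added example (not code from the wave project or from this PR). Assumes Jedis 4.x or
// later (redis.clients:jedis) on the classpath. RedisClientConfigExample, Resolved,
// resolve, newPool and redact are hypothetical names chosen for this illustration.
import java.net.URI;

import javax.net.ssl.SSLParameters;

import redis.clients.jedis.DefaultJedisClientConfig;
import redis.clients.jedis.HostAndPort;
import redis.clients.jedis.JedisPool;
import redis.clients.jedis.JedisPoolConfig;
import redis.clients.jedis.util.JedisURIHelper;

public class RedisClientConfigExample {

    /** Host/port plus the client config derived from a URI and an optional explicit password. */
    public static final class Resolved {
        public final HostAndPort hostAndPort;
        public final DefaultJedisClientConfig clientConfig;

        Resolved(HostAndPort hostAndPort, DefaultJedisClientConfig clientConfig) {
            this.hostAndPort = hostAndPort;
            this.clientConfig = clientConfig;
        }
    }

    /**
     * Precedence: an explicitly configured password (e.g. from a secret store) wins; if it
     * is null or blank, fall back to user:password@ embedded in the URI. If neither is
     * present the client sends no AUTH at all, and a server with requirepass or ACLs
     * enabled will answer every command with NOAUTH.
     */
    public static Resolved resolve(String redisUri, String explicitPassword) {
        URI uri = URI.create(redisUri);
        // isValid requires scheme, host and an explicit port; "redis://host" alone is rejected.
        if (!JedisURIHelper.isValid(uri)) {
            throw new IllegalArgumentException("Invalid Redis URI: " + redact(uri));
        }

        boolean ssl = JedisURIHelper.isRedisSSLScheme(uri);   // true only for rediss://
        String user = JedisURIHelper.getUser(uri);            // null when the URI has no userinfo
        boolean explicit = explicitPassword != null && !explicitPassword.trim().isEmpty();
        String password = explicit ? explicitPassword : JedisURIHelper.getPassword(uri); // may be null

        DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder()
                .ssl(ssl)
                .database(JedisURIHelper.getDBIndex(uri));

        if (ssl) {
            // Jedis validates the certificate chain via the default SSLSocketFactory but only
            // checks that the certificate matches the host when asked to; request the
            // standard HTTPS-style endpoint identification so a valid certificate for the
            // wrong host is refused instead of accepted.
            SSLParameters params = new SSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            builder.sslParameters(params);
        }
        if (user != null) {
            builder.user(user);
        }
        if (password != null) {
            builder.password(password);
        }
        return new Resolved(new HostAndPort(uri.getHost(), uri.getPort()), builder.build());
    }

    /** Builds the pool; nothing connects until getResource() is called on it. */
    public static JedisPool newPool(String redisUri, String explicitPassword, int maxTotal) {
        Resolved r = resolve(redisUri, explicitPassword);
        JedisPoolConfig poolConfig = new JedisPoolConfig();
        poolConfig.setMaxTotal(maxTotal);
        return new JedisPool(poolConfig, r.hostAndPort, r.clientConfig);
    }

    /** Log-safe form: scheme, host and port only, never the userinfo part. */
    public static String redact(URI uri) {
        return uri.getScheme() + "://" + uri.getHost() + ":" + uri.getPort();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no Redis server is contacted here.
        Resolved fromConfig = resolve("rediss://cache.internal:6380/0", "from-secret-store");
        Resolved fromUri = resolve("redis://default:s3cret@cache.internal:6379", null);
        Resolved noAuth = resolve("redis://localhost:6379", null);

        System.out.println("config-password ssl=" + fromConfig.clientConfig.isSsl()
                + " auth=" + (fromConfig.clientConfig.getPassword() != null));
        System.out.println("uri-password    ssl=" + fromUri.clientConfig.isSsl()
                + " user=" + fromUri.clientConfig.getUser()
                + " auth=" + (fromUri.clientConfig.getPassword() != null));
        System.out.println("no-auth         ssl=" + noAuth.clientConfig.isSsl()
                + " auth=" + (noAuth.clientConfig.getPassword() != null));
    }
}
```

`resolve` does no I/O, so the precedence rules and the `rediss://` handling can be unit-tested without a Redis server; only `JedisPool.getResource()` opens a connection. The `noAuth` case is exactly the configuration that produces the `NOAUTH Authentication required` error reported later in this PR when the server does require a password, so a deployment that expects auth should treat a null resolved password as a configuration error rather than relying on the server to reject it.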

@munishchouhan munishchouhan marked this pull request as draft October 24, 2024 08:59
Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
Member Author

Tested locally with SSL and auth and it's working successfully.
Testing now in dev.

@munishchouhan
Member Author

munishchouhan commented Oct 24, 2024

So after digging I found that JedisPool is working with SSL and auth; the error is coming from SpillwayRateLimiter. I am looking into it.

redis.clients.jedis.exceptions.JedisDataException: EXECABORT Transaction discarded because of: NOAUTH Authentication required.
	at redis.clients.jedis.Protocol.processError(Protocol.java:105)
	at redis.clients.jedis.Protocol.process(Protocol.java:162)
	at redis.clients.jedis.Protocol.read(Protocol.java:221)
	at redis.clients.jedis.Connection.readProtocolWithCheckingBroken(Connection.java:351)
	at redis.clients.jedis.Connection.getObjectMultiBulkReply(Connection.java:322)
	at redis.clients.jedis.TransactionBase.exec(TransactionBase.java:168)
	at redis.clients.jedis.Transaction.exec(Transaction.java:80)
	at com.coveo.spillway.storage.RedisStorage.addAndGet(RedisStorage.java:112)
	at com.coveo.spillway.Spillway.getExceededLimits(Spillway.java:215)
	at com.coveo.spillway.Spillway.tryCall(Spillway.java:154)
	at com.coveo.spillway.Spillway.tryCall(Spillway.java:142)
	at io.seqera.wave.ratelimit.impl.SpillwayRateLimiter.acquirePull(SpillwayRateLimiter.groovy:84)

Solved it by injecting the JedisPool in SpillWayStorageFactory.

@munishchouhan
Member Author

Tested successfully with local Redis and ElastiCache Redis with SSL and auth.

Signed-off-by: munishchouhan <[email protected]>
@munishchouhan munishchouhan marked this pull request as ready for review October 24, 2024 16:52
Successfully merging this pull request may close these issues.

[Enhancement] - Redis Support encryption in transit
2 participants