Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CC-9314: Allow disabling hostname verification #410

Merged
merged 6 commits into from May 27, 2020
Merged

CC-9314: Allow disabling hostname verification #410

merged 6 commits into from May 27, 2020

Conversation

ncliang
Copy link
Contributor

@ncliang ncliang commented May 26, 2020

When elastic.https.ssl.endpoint.identification.algorithm is empty, instead
of default hostname verifier, use an all-trusting verifier.

Updated SecurityIT with testcase to verify

@ncliang
CC-9314: Allow disabling hostname verification
c062842 
When `elastic.https.ssl.endpoint.identification.algorithm` is empty, instead
of default hostname verifier, use an all-trusting verifier.

Updated SecurityIT with testcase to verify
@ncliang ncliang requested a review from a team May 26, 2020 21:23
@ncliang ncliang mentioned this pull request May 26, 2020
Open
levzem
levzem approved these changes May 27, 2020
View reviewed changes
Copy link
Contributor

@levzem levzem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM on green build

Seems pretty straight forward to me.

One thing would be nice is if you updated the doc for the config SSL_ENDPOINT_ID_ALGO to mention that leaving it black will disable this feature.

wicknicks
wicknicks reviewed May 27, 2020
View reviewed changes
Copy link
Member

@wicknicks wicknicks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one comment, otherwise LGTM. one concern/question is if we are breaking backward compatibility in some way. before this change an empty value for a config will still try to verify hostnames: would that fail in all cases?

src/main/java/io/confluent/connect/elasticsearch/ElasticsearchSinkConnectorConfig.java Outdated
@@ -25,6 +25,8 @@

import static io.confluent.connect.elasticsearch.DataConverter.BehaviorOnNullValues;
import static io.confluent.connect.elasticsearch.bulk.BulkProcessor.BehaviorOnMalformedDoc;
import static org.apache.http.util.TextUtils.isBlank;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: import org.apache.commons.lang.StringUtils instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we currently pull in apache commons and I didn't think it is worth it to add the dependency just for this method.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's fair, but I'm not sure if this is intended to be a public API though, for the http library. given the complexity of the code, I'd be more inclined to simply make a copy of the function here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remove the use of this method and replace with simple isEmpty() check. The difference is that null and strings containing spaces will not trigger the feature, which I think is fine since our documentation explicitly says empty string.

@ncliang
Copy link
Contributor Author

ncliang commented May 27, 2020
edited

Thanks for review @wicknicks and @levzem . I think you are right that w.r.t. backwards compatibility, there is a risk that someone may have accidentally set this config to empty string and it would have been doing nothing before but now it will disable hostname verification for them. I think this would likely be fine though given that the default for this config is "https" and we have documentation that says setting ssl.endpoint.identification.algorithm to empty string will disable hostname verification 1. Users that have explicitly set this to empty string were likely trying to disable hostname verification and failing. They may have since worked around the issue by adding the hostname to their key/trust store but forgot to remove the setting from their config. In which case, this change would be doing them no harm.

The ConfigDef comes from AK SslConfigs so updating the doc there is none-trivial. I can update our website documentation 2 to add something talking about how empty string will disable hostname verification though.

@wicknicks
Copy link
Member

@ncliang that's fine to do as well but maybe not in a patch release, since it sounds like the intended behavior is to verify hosts (and seems like it was doing fine). so maybe change the base of the branch to master, if that's the path we want to take?

wicknicks
wicknicks approved these changes May 27, 2020
View reviewed changes
Copy link
Member

@wicknicks wicknicks left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looking more closely, looks like we are completely ignoring the setting for elastic.https.ssl.endpoint.identification.algorithm. The apache http client explicitly needs us to disable hostname verification as this PR does.

thanks very much for the fixes, @ncliang! LGTM.

@ncliang ncliang merged commit 9300e21 into confluentinc:5.2.x May 27, 2020
@ncliang ncliang deleted the CC-9314 branch May 27, 2020 22:40
@levzem levzem mentioned this pull request Nov 18, 2020
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wicknicks wicknicks wicknicks approved these changes

@levzem levzem levzem approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ncliang @wicknicks @levzem