beater/jaeger: introduce "auth_tag" configuration #3394

Merged: 2 commits, Feb 27, 2020

axw (Member) commented Feb 26, 2020

Motivation/summary

We introduce support for configuring the server to look for a specified Process tag in Jaeger batches, and use the value for authorization. The value is expected to have the same format as HTTP authorization headers that the Elastic APM agents support. By default Jaeger authorization is disabled, as there is no standard auth tag name.

This enables token-based auth as an alternative to client certificate auth.

Note for reviewers: an alternative approach to configuration would be to have a hard-coded auth tag, like "elastic_auth", and have that enabled by default (or enabled with a boolean). Since token-based auth isn't a native feature of Jaeger clients/agents, I thought it might be a bit non-intuitive, hence why I made it opt-in. Let me know what you think.

Checklist

  • I have signed the Contributor License Agreement.
  • My code follows the style guidelines of this project (run make check-full for static code checks and linting)
  • I have rebased my changes on top of the latest master branch
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have updated CHANGELOG.asciidoc

How to test these changes

  1. Configure apm-server.jaeger.auth_tag: "authorization"
  2. Configure apm-server.secret_token: "foo"
  3. Run Jaeger Agent without any tags, run HotROD, and check the agent shows "not authorized" errors and nothing is indexed
  4. Run Jaeger Agent with --agent.tags authorization=foo, run HotROD
  5. Check it all works, and there is no "labels.authorization" field in any docs

Related issues

Closes #3339

We introduce support for configuring the server to
look for a specified Process tag in Jaeger batches,
and use the value for authorization. The value is
expected to have the same format as HTTP Authorization
headers that the Elastic APM agents support.

By default Jaeger authorization is disabled, as there
is no standard auth tag name.
- Rename to "apm-server.jaeger.grpc.auth_tag"
- Remove auth from HTTP endpoint
- Update gRPC endpoint to return "Unauthenticated" code

simitt (Contributor) left a comment

Manually tested it with Bearer and ApiKey and all worked well.

axw (Member Author) commented Feb 27, 2020

Failing system tests are the ones I fixed in another PR - merging.

@axw axw merged commit ec9a3d7 into elastic:master Feb 27, 2020
@axw axw deleted the jaeger-auth branch February 27, 2020 09:28
axw added a commit to axw/apm-server that referenced this pull request Feb 27, 2020
* beater/jaeger: introduce "auth_tag" configuration

We introduce support for configuring the server to
look for a specified Process tag in Jaeger gRPC batches,
and use the value for authorization. The value is
expected to have the same format as HTTP Authorization
headers that the Elastic APM agents support.

By default Jaeger authorization is disabled, as there
is no standard auth tag name. This configuration only
applies to gRPC, and not HTTP, as Jaeger clients do
not support TLS/HTTPS.
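
Added example (not code from this pull request or from apm-server): a Go sketch of the check the commit message above describes, where the configured Process tag is removed from the batch so it is never indexed as a label, and its value is validated before the batch is accepted. `KeyValue`, `Process`, `Authorize` and `ErrUnauthenticated` are hypothetical names; accepting only the `Bearer <token>` form and comparing against a single secret token are assumptions of the sketch.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// KeyValue and Process are hypothetical stand-ins for Jaeger's model types.
type KeyValue struct{ Key, VStr string }
type Process struct{ Tags []KeyValue }

var ErrUnauthenticated = errors.New("unauthenticated") // handler maps this to gRPC Unauthenticated

// Authorize strips every tag named authTag (so the credential is never stored
// as a label) and checks the first value found. Empty authTag = auth disabled.
func Authorize(p *Process, authTag, secretToken string) error {
	if authTag == "" {
		return nil
	}
	var value string
	found := false
	kept := p.Tags[:0]
	for _, kv := range p.Tags {
		if kv.Key != authTag {
			kept = append(kept, kv)
		} else if !found {
			value, found = kv.VStr, true
		}
	}
	p.Tags = kept
	// Assumption: only "Bearer <token>" is accepted in this sketch.
	parts := strings.SplitN(value, " ", 2)
	if !found || len(parts) != 2 || parts[0] != "Bearer" || parts[1] == "" {
		return ErrUnauthenticated
	}
	// Constant-time comparison avoids leaking the token through timing.
	if subtle.ConstantTimeCompare([]byte(parts[1]), []byte(secretToken)) != 1 {
		return ErrUnauthenticated
	}
	return nil
}

func main() {
	// Constructed sample batch process.
	p := &Process{Tags: []KeyValue{{"authorization", "Bearer foo"}, {"hostname", "hotrod-1"}}}
	fmt.Println(Authorize(p, "authorization", "foo"), p.Tags)
}
```

The tag is stripped whether or not the check succeeds, so a rejected credential cannot end up in logs or stored documents further down the pipeline.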

axw (Member Author) commented Feb 27, 2020

@bmorelli25 forgot to ask you to review the docs, sorry. Can you please take a look, and feel free to make adjustments.

axw added a commit that referenced this pull request Feb 27, 2020