New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Standardised SSL settings #42
Standardised SSL settings #42
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really appreciate how you provided an adapter for the backward-compatibility to reduce noise from the core options. That separation will make it easy for new plugins to rely on this mixin without accumulating already-deprecated options.
I like this approach, but I think that it may need to change slightly.
As of Logstash 8.9.0 we currently have three logstash-bundled plugins that depend on this mixin, and unfortunately two of them are defined in a way that does not prevent them from resolving to version 8.x of this plugin:
logstash-filter-http (1.4.3)
requireslogstash-mixin-http_client (>= 7.2.0, < 9.0.0)
logstash-input-http_poller (5.4.0)
requireslogstash-mixin-http_client (>= 7.2.0)
logstash-output-http (5.5.0)
requireslogstash-mixin-http_client (>= 7.2.0, < 8.0.0)
This means that as soon as we release a logstash-output-http
that is capable of using 8.x of this mixin, upgrading it on an existing Logstash installation would irreversibly break the others -- we don't have a way to "downgrade" non-plugin dependencies.
It also means that all three have to cross the 7.x-8.x boundary of this mixin together.
I think we can achieve the separation you were going for without breaking changes:
- Move bulk of functionality to new private module
LogStash::PluginMixins::HttpClient::Implementation
including standardized options, the client building, etc. - Add new private module
LogStash::PluginMixins::HttpClient::StandardizedOnly
whoseself.included(base)
only includes theImplementation
module into the providedbase
- Add new private module
LogStash::PluginMixins::HttpClient::StandardizedAndDeprecated
whoseself.included(base)
includes theImplementation
module and the deprecation support into the providedbase
, activating it if necessary. - Add a new public method
LogStash::PluginMixins::HttpClient(with_deprecated:)
as the new public API for including this mixin that returns eitherStandardizedAndDeprecated
orStandardizedOnly
so that:include LogStash::PluginMixins::HttpClient(with_deprecated: true)
causesStandardizedAndDeprecated
to be included, andinclude LogStash::PluginMixins::HttpClient(with_deprecated: false)
causesStandardizedOnly
to be included
- Make the
LogStash::PluginMixins::HttpClient#included(base)
emit a deprecation warning before includingStandardizedAndDeprecated
into the providedbase
to ensure that currently-released plugins that include the module directly continue to support all of the options they already support.
This approach would ensure that:
- any released version of a plugin that does an
include LogStash::PluginMixins::HttpClient
will continue to get support for all of the now-deprecated options from previous releases of this mixin, plus the new standardized options and all of the deprecation handling - new plugins can opt directly into the standardized options without bearing the burden of the deprecated options that they never needed
- at some point we can deprecate the legacy pre-standardized options by adding the deprecation log to
StandardizedAndDeprecated#included
, providing a path for its eventual removal. - as a non-breaking change-set, we can keep the 7.x for this mixin ad eliminate the complexity of upgrading plugins that rely on it.
Hi @yaauie! Thank you very much for your detailed review, I really appreciated it. I've pushed the changes I made based on your suggestions. I still testing it, but I think it's good enough to be reviewed. The main differences are:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Considering the default behaviour is using deprecated settings, the
SslDeprecatedConfigs
is not logging any deprecation warnings yet, so the existing plugins won't be affected by the deprecation logs.
The deprecated settings are all flagged with deprecated
and relevant guidance about the standardized counterparts, which is not relevant to a plugin that does not have the other settings yet. This is likely because in order to use the normalization support adapter, they must be deprecated.
I don't think that there is harm in a plugin getting the standardized settings "for free" (along with the deprecation of the old bespoke ones), and there is a lot of overhead in implementing this in such a way that the availability of standardized settings is entirely opt-in by the developer. For example, making this implementation conditionally flag the bespoke options as deprecated based on the availability of the standardized counterparts would be complex.
The way I see API stability is that a plugin that is configured with any combination of the bespoke non-standardized settings should continue to operate exactly as it does at runtime. I don't see the logging of a deprecation warning or the acceptance of an alternate to be a breaking change. Therefore, from my perspective we should have:
include HttpClient[with_deprecated: false]
: explicitly include only standardized (for new plugins)include HttpClient[with_deprecated: true]
: explicitly include standardized + deprecated mappings (for existing plugins)include HttpClient
directly (deprecated path to standardized + deprecated), ensures no changes necessary in downstream code-bases.
Using your code, I spiked a reference implementation in #43 that does not port your tests or other validation, but largely follows the guidance from my first review borrowing heavily from your PR.
I would also like to consider pulling ssl_enabled
from the requirements because its use is a consumer concern; there is no way for this plugin to use ssl_enabled => true
as a safeguard as we do in other plugins.
Edit: Just saw how you implemented it on the spike PR. It looks good to me :) |
9175a7c
to
65695d2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Largely on-track. Certainly the interface is stable enough now to be able to draft PR's for the plugins that rely on it.
I would prefer to not inject the normalized values into params
unless we truly have a reason for doing so (since we already guarantee that we set the relevant ivars, which have accessors).
Other minor nitpicks and fixes in-line.
when 'none' | ||
c[:ssl][:verify] = :disable | ||
end | ||
options[:verify] = @ssl_verification_mode == 'full' ? :strict : :disable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Likely should file a separate issue, but :strict
is deprecated and the poorly-named :default
is the modern RFC-compliant strict verifier (see: logstash-plugins/logstash-output-elasticsearch#1139)
Co-authored-by: Ry Biesemeyer <yaauie@users.noreply.github.com>
e9c95f5
to
70ebd4a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🎉
Thank you for working with my complicated and poorly-communicated ideas on this one. It took some iteration, but I'm confident we now have a non-breaking approach that the plugins that use this mixin can get "for free" once this mixin is upgraded. Now, if only the docs for all of these options could share a common source-of-truth 😂
What this PR does?
cacert
in favor ofssl_certificate_authorities
client_cert
in favor ofssl_certificate
client_key
in favor ofssl_key
keystore
in favor ofssl_keystore_path
keystore_password
in favor ofssl_keystore_password
keystore_type
in favor ofssl_keystore_type
truststore
in favor ofssl_truststore_path
truststore_password
in favor ofssl_truststore_password
truststore_type
in favor ofssl_truststore_type
:with_deprecated
ssl_cipher_suites
optionCloses elastic/logstash#15191