New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HPCC-30160 Automatic SOAPCALL secret credentials #17737
HPCC-30160 Automatic SOAPCALL secret credentials #17737
Conversation
https://track.hpccsystems.com/browse/HPCC-30160 |
@ghalliday this is a draft of how automatic replacement of URLs with secrets might work. Basically, starting with some ECL using a URL:
Note: I think having some parts readable will help operations be able to manage. But credentials, path, and parameters should not be visible due to possible exposure of sensitive information.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@afishbeck this looks really good. A few comments, many of which should be ignored for this PR.
system/jlib/jsecrets.cpp
Outdated
hashvalue = hashcz((const unsigned char *)userPasswordPair, hashvalue); | ||
} | ||
if (hashvalue) | ||
secretName.append('-').append(hashvalue); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would the following be better than decimal?
appendf("-%08x", hashvalue)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree hex would be better, but I may leave off the leading 0's unless you think it would be beneficial in some way.
CriticalBlock block(persistentCrit); | ||
if (!persistentInitDone) | ||
CriticalBlock block(globalFeatureCrit); | ||
if (!globalFeaturesInitDone) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See https://github.com/hpcc-systems/HPCC-Platform/pull/17715/files for an alternative way of coding this that also allows the values to be updated when the configuration changes. You may want to adopt something similar, but may be better as a separate PR since this looks very close to ready
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes that would be a good follow on PR
common/thorhelper/thorsoapcall.cpp
Outdated
int maxPersistentRequests = conf->getPropInt("@maxHttpCallPersistentRequests", 0); | ||
#endif | ||
int maxPersistentRequests = 0; | ||
if (isContainerized()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think better to always use the containerized code, and have the configuration in the esp config.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ghalliday I'm not sure how best to make that work. But if we were going to do it for bare-metal now is the time otherwise the way it's configured would change over time.
The process this is running in wouldn't be esp, it would be roxie, or eclagent, or thor. I don't think when those are running on bare-metal they have a common way of getting at their config? I could be wrong but in a simple test I didn't see the componentConfig getting set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok much better. It's now using the component config in both cloud and bare-metal.
common/thorhelper/thorsoapcall.cpp
Outdated
if (!secret) | ||
{ | ||
if (required) | ||
throw MakeStringException(0, "%sCALL %s SECRET not found", wscType == STsoap ? "SOAP" : "HTTP", secretName); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
trivial/unrelated.
static const char * queryCallName(WSCType wscType) { return wscType == STsoap ? "SOAPCALL" : "HTTPCALL"; }
would clean the code up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
went ahead and cleaned this up while I was in there.
common/thorhelper/thorsoapcall.cpp
Outdated
url.getDynamicUrlSecretName(secretName); | ||
if (secretName.length()) | ||
{ | ||
if (loadConnectSecret(nullptr, secretName, tempArray, issuer, proxyAddress, false, wscType)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add an option to require all soapcalls use secrets (and pass true)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@afishbeck I think Jake will probably want to implement his changes for https://track.hpccsystems.com/browse/HPCC-30259 on top of this, so worth finishing it and getting it merged. Is there anything I can do to help? |
@ghalliday updated, please review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of comments, but looks like it is very close to ready.
common/thorhelper/thorsoapcall.cpp
Outdated
@@ -885,21 +884,21 @@ bool loadConnectSecret(const char *vaultId, const char *secretName, UrlArray &ur | |||
if (!secret) | |||
{ | |||
if (required) | |||
throw MakeStringException(0, "%sCALL %s SECRET not found", wscType == STsoap ? "SOAP" : "HTTP", secretName); | |||
throw MakeStringException(0, "%sCALL %s SECRET not found", getWsCallTypeName(wscType), secretName); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
%sCALL will now become %s
@ghalliday updated json schema and log/exception text. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@afishbeck looks good, please squash
264bd8f
to
c97e506
Compare
@ghalliday squashed and resolved conflicts. |
Signed-off-by: Anthony Fishbeck <anthony.fishbeck@lexisnexis.com>
c97e506
to
875692d
Compare
71bc409
into
hpcc-systems:candidate-9.4.x
Type of change:
Checklist:
Smoketest:
Testing: