From 784756833b36bbfe3ffb59fb93fa652de68c5de6 Mon Sep 17 00:00:00 2001
From: Zohar Elkayam <5897181+realmgic@users.noreply.github.com>
Date: Wed, 27 Sep 2023 12:28:24 +0300
Subject: [PATCH 1/5] add support for pki auth
---
 README.md | 2 +-
 ape.toml | 2 +-
 ape.toml.template | 2 +-
 observer.go | 7 +++++--
 tests/default_ape.toml | 2 +-
 tests/labels_ape.toml | 2 +-
 tests/ns_allowlist_ape.toml | 2 +-
 tests/ns_blocklist_ape.toml | 2 +-
 8 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index f87d829e..39a5fb41 100644
--- a/README.md
+++ b/README.md
@@ -223,7 +223,7 @@ make release-docker-multi-arch
 # database password
 password=""
- # authentication mode: internal (for server), external (LDAP, etc.)
+ # authentication mode: internal (for server), external (LDAP, etc.), pki
 auth_mode=""
 ```
diff --git a/ape.toml b/ape.toml
index 1a66ddd7..8d5207f1 100644
--- a/ape.toml
+++ b/ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.)
+# authentication mode: internal (for server), external (LDAP, etc.), pki
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
diff --git a/ape.toml.template b/ape.toml.template
index 86885e78..1f3428d7 100644
--- a/ape.toml.template
+++ b/ape.toml.template
@@ -96,7 +96,7 @@ user = "${AS_AUTH_USER}"
 # database password
 password = "${AS_AUTH_PASSWORD}"
-# authentication mode: internal (for server), external (LDAP, etc.)
+# authentication mode: internal (for server), external (LDAP, etc.), pki
 auth_mode = "${AS_AUTH_MODE}"
 # timeout for sending commands to the server node in seconds
diff --git a/observer.go b/observer.go
index 1a4dff06..43dc9f0c 100644
--- a/observer.go
+++ b/observer.go
@@ -82,8 +82,8 @@ func newObserver(server *aero.Host, user, pass string) (o *Observer, err error)
 // use all cpus in the system for concurrency
 authMode := strings.ToLower(strings.TrimSpace(config.Aerospike.AuthMode))
- if authMode != "internal" && authMode != "external" {
- log.Fatalln("Invalid auth mode: only `internal` and `external` values are accepted.")
+ if authMode != "internal" && authMode != "external" && authMode != "pki" {
+ log.Fatalln("Invalid auth mode: only `internal`, `external`, `pki` values are accepted.")
 }
 // Get aerospike auth username
@@ -101,8 +101,11 @@ func newObserver(server *aero.Host, user, pass string) (o *Observer, err error)
 clientPolicy := aero.NewClientPolicy()
 clientPolicy.User = string(username)
 clientPolicy.Password = string(password)
+
 if authMode == "external" {
 clientPolicy.AuthMode = aero.AuthModeExternal
+ } else if authMode == "pki" {
+ clientPolicy.AuthMode = aero.AuthModePKI
 }
 // allow only ONE connection
diff --git a/tests/default_ape.toml b/tests/default_ape.toml
index 4f95d520..7595d40f 100644
--- a/tests/default_ape.toml
+++ b/tests/default_ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.)
+# authentication mode: internal (for server), external (LDAP, etc.), pki
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
diff --git a/tests/labels_ape.toml b/tests/labels_ape.toml
index 980e0b9d..b347bd02 100644
--- a/tests/labels_ape.toml
+++ b/tests/labels_ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.)
+# authentication mode: internal (for server), external (LDAP, etc.), pki
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
diff --git a/tests/ns_allowlist_ape.toml b/tests/ns_allowlist_ape.toml
index abd93e60..9252c487 100644
--- a/tests/ns_allowlist_ape.toml
+++ b/tests/ns_allowlist_ape.toml
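Review bot: In the second hunk clientPolicy.User and clientPolicy.Password are still filled from the fetched secrets regardless of the mode, so a `pki` deployment still runs getSecret(user)/getSecret(pass) and keeps a password in the policy even though PKI identity presumably comes from the client certificate; the same layout survives the switch rewrite in PATCH 2/5. If the client ignores those fields under PKI, set them only when authMode is `internal` or `external`, or at least say so next to the assignment, e.g. `// User/Password are not used by the client in PKI mode — confirm against the client docs`. The rest of newObserver, including where the TLS material for PKI is applied, lies outside this hunk.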
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.)
+# authentication mode: internal (for server), external (LDAP, etc.), pki
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
diff --git a/tests/ns_blocklist_ape.toml b/tests/ns_blocklist_ape.toml
index 3bcbee22..4d321f76 100644
--- a/tests/ns_blocklist_ape.toml
+++ b/tests/ns_blocklist_ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.)
+# authentication mode: internal (for server), external (LDAP, etc.), pki
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
From 91396d4404fb9c5c936e09499b7826ead30c80aa Mon Sep 17 00:00:00 2001
From: Zohar Elkayam <5897181+realmgic@users.noreply.github.com>
Date: Sat, 30 Sep 2023 14:14:01 +0300
Subject: [PATCH 2/5] change to switch as per review, fix comment to reflect default auth_mode
---
 README.md | 2 +-
 ape.toml | 2 +-
 ape.toml.template | 2 +-
 observer.go | 17 +++++++++--------
 tests/default_ape.toml | 2 +-
 tests/labels_ape.toml | 2 +-
 tests/ns_allowlist_ape.toml | 2 +-
 tests/ns_blocklist_ape.toml | 2 +-
 8 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 39a5fb41..87b9d730 100644
--- a/README.md
+++ b/README.md
@@ -223,7 +223,7 @@ make release-docker-multi-arch
 # database password
 password=""
- # authentication mode: internal (for server), external (LDAP, etc.), pki
+ # authentication mode: internal (server authentication) [default], external (e.g., LDAP), pki.
 auth_mode=""
 ```
diff --git a/ape.toml b/ape.toml
index 8d5207f1..a6951bdc 100644
--- a/ape.toml
+++ b/ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.), pki
+# authentication mode: internal (server authentication) [default], external (e.g., LDAP), pki.
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
diff --git a/ape.toml.template b/ape.toml.template
index 1f3428d7..ad7b02d6 100644
--- a/ape.toml.template
+++ b/ape.toml.template
@@ -96,7 +96,7 @@ user = "${AS_AUTH_USER}"
 # database password
 password = "${AS_AUTH_PASSWORD}"
-# authentication mode: internal (for server), external (LDAP, etc.), pki
+# authentication mode: internal (server authentication) [default], external (e.g., LDAP), pki.
 auth_mode = "${AS_AUTH_MODE}"
 # timeout for sending commands to the server node in seconds
diff --git a/observer.go b/observer.go
index 43dc9f0c..0bd0b239 100644
--- a/observer.go
+++ b/observer.go
@@ -80,12 +80,6 @@ func newObserver(server *aero.Host, user, pass string) (o *Observer, err error)
 config.AeroProm.MetricLabels,
 )
- // use all cpus in the system for concurrency
- authMode := strings.ToLower(strings.TrimSpace(config.Aerospike.AuthMode))
- if authMode != "internal" && authMode != "external" && authMode != "pki" {
- log.Fatalln("Invalid auth mode: only `internal`, `external`, `pki` values are accepted.")
- }
-
 // Get aerospike auth username
 username, err := getSecret(user)
 if err != nil {
@@ -102,10 +96,17 @@ func newObserver(server *aero.Host, user, pass string) (o *Observer, err error)
 clientPolicy.User = string(username)
 clientPolicy.Password = string(password)
- if authMode == "external" {
+ authMode := strings.ToLower(strings.TrimSpace(config.Aerospike.AuthMode))
+
+ switch authMode {
+ case "internal", "":
+ clientPolicy.AuthMode = aero.AuthModeInternal
+ case "external":
 clientPolicy.AuthMode = aero.AuthModeExternal
- } else if authMode == "pki" {
+ case "pki":
 clientPolicy.AuthMode = aero.AuthModePKI
+ default:
+ log.Fatalln("Invalid auth mode: only `internal`, `external`, `pki` values are accepted.")
 }
 // allow only ONE connection
diff --git a/tests/default_ape.toml b/tests/default_ape.toml
index 7595d40f..a3523e57 100644
--- a/tests/default_ape.toml
+++ b/tests/default_ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.), pki
+# authentication mode: internal (default), external (LDAP, etc.), pki
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
diff --git a/tests/labels_ape.toml b/tests/labels_ape.toml
index b347bd02..0c05497b 100644
--- a/tests/labels_ape.toml
+++ b/tests/labels_ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.), pki
+# authentication mode: internal (server authentication) [default], external (e.g., LDAP), pki.
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
diff --git a/tests/ns_allowlist_ape.toml b/tests/ns_allowlist_ape.toml
index 9252c487..67188596 100644
--- a/tests/ns_allowlist_ape.toml
+++ b/tests/ns_allowlist_ape.toml
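Review bot: Moving the auth_mode parsing below the getSecret calls means a misspelled auth_mode is now reported only after both secrets have been fetched successfully, whereas before this commit the check ran first; keeping the switch ahead of the secret lookups fails faster and avoids reading credentials an invalid configuration will never use. The fatal message in the default branch also does not say which value was rejected, so `log.Fatalf("Invalid auth mode %q: only internal, external or pki are accepted", authMode)` would make the misconfiguration self-explanatory. Since newObserver already returns err, returning an error from the default branch would be the more idiomatic Go than log.Fatalln, though the surrounding code already uses Fatalln and that is a wider change. The function continues outside the hunk.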
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.), pki
+# authentication mode: internal (server authentication) [default], external (e.g., LDAP), pki.
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
diff --git a/tests/ns_blocklist_ape.toml b/tests/ns_blocklist_ape.toml
index 4d321f76..7cc4cf07 100644
--- a/tests/ns_blocklist_ape.toml
+++ b/tests/ns_blocklist_ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (for server), external (LDAP, etc.), pki
+# authentication mode: internal (server authentication) [default], external (e.g., LDAP), pki.
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
From 90d2c239415a15917b9fbd50454191169db0dcb0 Mon Sep 17 00:00:00 2001
From: Zohar Elkayam <5897181+realmgic@users.noreply.github.com>
Date: Sat, 30 Sep 2023 14:16:15 +0300
Subject: [PATCH 3/5] missed one test comment
---
 tests/default_ape.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/default_ape.toml b/tests/default_ape.toml
index a3523e57..9f66e4cc 100644
--- a/tests/default_ape.toml
+++ b/tests/default_ape.toml
@@ -96,7 +96,7 @@ user = ""
 # database password
 password = ""
-# authentication mode: internal (default), external (LDAP, etc.), pki
+# authentication mode: internal (server authentication) [default], external (e.g., LDAP), pki.
 auth_mode = ""
 # timeout for sending commands to the server node in seconds
From 5f164c2c28b83cb097a3ebfeb3405c4bff41f8c5 Mon Sep 17 00:00:00 2001
From: Zohar Elkayam <5897181+realmgic@users.noreply.github.com>
Date: Sat, 30 Sep 2023 16:11:32 +0300
Subject: [PATCH 4/5] validate cert config when using pki auth
---
 observer.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/observer.go b/observer.go
index 0bd0b239..eccacb75 100644
--- a/observer.go
+++ b/observer.go
@@ -104,6 +104,9 @@ func newObserver(server *aero.Host, user, pass string) (o *Observer, err error)
 case "external":
 clientPolicy.AuthMode = aero.AuthModeExternal
 case "pki":
+ if len(config.Aerospike.RootCA) == 0 || len(config.Aerospike.CertFile) == 0 || len(config.Aerospike.KeyFile) == 0 {
+ log.Fatalln("Invalid certificate configuration when using auth mode PKI: cert_file, key_file, root_ca must be set")
+ }
 clientPolicy.AuthMode = aero.AuthModePKI
 default:
 log.Fatalln("Invalid auth mode: only `internal`, `external`, `pki` values are accepted.")
From 9dcf08099aac87edd4b8af3a8571fa9b8095f9cb Mon Sep 17 00:00:00 2001
From: Zohar Elkayam <5897181+realmgic@users.noreply.github.com>
Date: Thu, 5 Oct 2023 10:14:11 +0300
Subject: [PATCH 5/5] fix validation according to PR comment
---
 observer.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/observer.go b/observer.go
index eccacb75..50d8609f 100644
--- a/observer.go
+++ b/observer.go
@@ -104,8 +104,8 @@ func newObserver(server *aero.Host, user, pass string) (o *Observer, err error)
 case "external":
 clientPolicy.AuthMode = aero.AuthModeExternal
 case "pki":
- if len(config.Aerospike.RootCA) == 0 || len(config.Aerospike.CertFile) == 0 || len(config.Aerospike.KeyFile) == 0 {
- log.Fatalln("Invalid certificate configuration when using auth mode PKI: cert_file, key_file, root_ca must be set")
+ if len(config.Aerospike.CertFile) == 0 || len(config.Aerospike.KeyFile) == 0 {
+ log.Fatalln("Invalid certificate configuration when using auth mode PKI: cert_file and key_file must be set")
 }
 clientPolicy.AuthMode = aero.AuthModePKI
 default:
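Review bot: The PKI precondition in the `case "pki":` branch only tests that cert_file and key_file are non-empty, so a whitespace-only value passes and the failure surfaces later inside the client; strings is already in use here, so `if strings.TrimSpace(config.Aerospike.CertFile) == "" || strings.TrimSpace(config.Aerospike.KeyFile) == "" {` is the stricter check (assuming those fields are strings). PATCH 5/5 drops root_ca from the requirement without recording why; a one-line comment in the branch, e.g. `// root_ca is optional under PKI: server verification presumably falls back to the system trust store — confirm`, would stop the next reader from re-adding it. The check also does not confirm that the TLS settings consuming these files are actually applied to clientPolicy; that presumably happens elsewhere in newObserver, and a cross-reference comment would help. The enclosing switch and newObserver continue outside both hunks.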