[ 
https://issues.apache.org/jira/browse/KARAF-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16477028#comment-16477028
 ] 

ASF GitHub Bot commented on KARAF-5754:
---------------------------------------

jbonofre closed pull request #36: KARAF-5754 Make Decanter elasticsearch-jest 
appender support HTTPS/XP…
URL: https://github.com/apache/karaf-decanter/pull/36
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git 
a/appender/elasticsearch-jest/src/main/java/org/apache/karaf/decanter/appender/elasticsearch/jest/ElasticsearchAppender.java
 
b/appender/elasticsearch-jest/src/main/java/org/apache/karaf/decanter/appender/elasticsearch/jest/ElasticsearchAppender.java
index 49174df..9b8c5f2 100644
--- 
a/appender/elasticsearch-jest/src/main/java/org/apache/karaf/decanter/appender/elasticsearch/jest/ElasticsearchAppender.java
+++ 
b/appender/elasticsearch-jest/src/main/java/org/apache/karaf/decanter/appender/elasticsearch/jest/ElasticsearchAppender.java
@@ -16,6 +16,11 @@
  */
 package org.apache.karaf.decanter.appender.elasticsearch.jest;
 
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.text.SimpleDateFormat;
 import java.util.Arrays;
 import java.util.Date;
@@ -25,6 +30,16 @@
 import java.util.TimeZone;
 import java.util.concurrent.TimeUnit;
 
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.http.ssl.TrustStrategy;
+
 import org.apache.karaf.decanter.api.marshaller.Marshaller;
 import org.osgi.service.component.ComponentContext;
 import org.osgi.service.component.annotations.Activate;
@@ -87,6 +102,24 @@ public void open(Dictionary<String, Object> config) {
             builder.discoveryEnabled(false);
         }
 
+        for (String address : addresses) {
+            if (address.startsWith("https")) {
+                try {
+                    SSLContextBuilder sslContextBuilder = new 
SSLContextBuilder();
+                    sslContextBuilder.loadTrustMaterial(new TrustAny());
+                    SSLContext sslContext = sslContextBuilder.build();
+                    HostnameVerifier hostnameVerifier = 
NoopHostnameVerifier.INSTANCE;
+                    SSLConnectionSocketFactory sslSocketFactory = 
+                            new SSLConnectionSocketFactory(sslContext, 
hostnameVerifier);
+                    
builder.defaultSchemeForDiscoveredNodes("https").sslSocketFactory(sslSocketFactory);
+                } catch (KeyManagementException | KeyStoreException | 
NoSuchAlgorithmException ex) {
+                    throw new RuntimeException("SSL exception when connect to 
ElasticSearch", ex);
+                }
+
+                break;
+            }
+        }
+
         if (username != null) {
             builder = builder.defaultCredentials(username, password);
         }
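Review bot: Every `https` address in `open()` now gets a socket factory built from `new TrustAny()` and `NoopHostnameVerifier.INSTANCE`, so neither the certificate chain nor the host name is checked. The `defaultCredentials(username, password)` set just below, and every collected event, are therefore sent to whichever endpoint answers the connection. The PKIX failure in the issue is better resolved by trusting the cluster's CA from a trust store named in new config entries, e.g. `sslContextBuilder.loadTrustMaterial(trustStoreFile, trustStorePassword)`, and by passing `new DefaultHostnameVerifier()` (already imported by this commit) to `SSLConnectionSocketFactory`. If a trust-all mode is kept for test clusters, it should be an explicit opt-in setting that defaults to off and logs a warning when enabled; the same point covers the `TrustAny` class added in the last hunk. `open()` starts and ends outside this hunk.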
@@ -146,4 +179,36 @@ private String getIndexName(String prefix, Date date) {
         }
     }
 
+    private class TrustAny implements TrustStrategy {
+
+        public TrustAny() {
+            super();
+        }
+
+        @Override
+        public boolean isTrusted(X509Certificate[] chain, String authType)
+                throws CertificateException {
+            return true;
+        }
+    }
+
+    private class EsHostnameVerifier implements HostnameVerifier {
+
+        private final HostnameVerifier delegate;
+        private final String passHostname;
+
+        public EsHostnameVerifier(String passHostname) {
+            super();
+            this.delegate = new DefaultHostnameVerifier();
+            this.passHostname = passHostname == null || passHostname.length() 
== 0
+                    ? null : passHostname;
+        }
+
+        @Override
+        public boolean verify(String hostname, SSLSession session) {
+            return (passHostname != null && delegate.verify(passHostname, 
session));
+        }
+
+    }
+
 }
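Review bot: `EsHostnameVerifier` is not instantiated in any visible hunk (`open()` uses `NoopHostnameVerifier.INSTANCE`), so it appears to be dead code. Its `verify` also ignores the `hostname` argument and checks the session against the fixed `passHostname`, rejecting every host when that value is null or empty. Either wire it in with a comment stating that intent, such as `// verify the peer certificate against the configured host name, not the connected address`, or drop it together with the `DefaultHostnameVerifier` import that only it uses here. Neither nested class reads state from the appender, so both could be `private static final class`, and the explicit `super()` constructors can go.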


 



> Make Decanter elasticsearch-jest/elasticsearch-rest appender support 
> HTTPS/XPack enabled ES
> -------------------------------------------------------------------------------------------
>
>                 Key: KARAF-5754
>                 URL: https://issues.apache.org/jira/browse/KARAF-5754
>             Project: Karaf
>          Issue Type: Improvement
>          Components: decanter
>    Affects Versions: decanter-2.0.0
>            Reporter: Xilai Dai
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: decanter-2.1.0
>
>
> Currently the Decanter elasticsearch-jest appender can connect to a plain 
> ES, but fails to connect to an HTTPS/XPack-enabled ES.
> With configuration in the 
> org.apache.karaf.decanter.appender.elasticsearch.jest.cfg:
> {code:java}
> address=https://192.168.99.100:9200
> # Basic username and password authentication
> username=xxxx
> password=xxxx{code}
> Then the SSLHandshakeException will be thrown from the ElasticsearchAppender:
> {code:java}
> 2018-05-15T11:11:10,666 | WARN  | EventAdminThread #20 | 
> earch.jest.ElasticsearchAppender  120 | 315 - 
> org.apache.karaf.decanter.appender.elasticsearch.jest - 2.0.0 | Can't append 
> into Elasticsearch
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [?:?]
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) [?:?]
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) [?:?]
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) [?:?]
>     at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>  [?:?]
>     at 
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) 
> [?:?]
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) [?:?]
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) [?:?]
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) 
> [?:?]
>     at 
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>  [?:?]
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) 
> [?:?]
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) 
> [?:?]
>     at 
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) 
> [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) 
> [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) 
> [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> io.searchbox.client.http.JestHttpClient.execute(JestHttpClient.java:47) 
> [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.karaf.decanter.appender.elasticsearch.jest.ElasticsearchAppender.send(ElasticsearchAppender.java:128)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.karaf.decanter.appender.elasticsearch.jest.ElasticsearchAppender.handleEvent(ElasticsearchAppender.java:118)
>  [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
>     at 
> org.apache.felix.eventadmin.impl.handler.EventHandlerProxy.sendEvent(EventHandlerProxy.java:415)
>  [3:org.apache.karaf.services.eventadmin:4.1.5]
>     at 
> org.apache.felix.eventadmin.impl.tasks.HandlerTask.run(HandlerTask.java:70) 
> [3:org.apache.karaf.services.eventadmin:4.1.5]
>     at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:?]
>     at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  [?:?]
>     at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  [?:?]
>     at java.lang.Thread.run(Thread.java:748) [?:?]
> Caused by: sun.security.validator.ValidatorException: PKIX path building 
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to 
> find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) 
> ~[?:?]
>     at 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) 
> ~[?:?]
>     at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
>     at 
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) 
> ~[?:?]
>     at 
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>  ~[?:?]
>     at 
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>  ~[?:?]
>     at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>  ~[?:?]
>     ... 29 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
> to find valid certification path to requested target
>     at 
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>  ~[?:?]
>     at 
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>  ~[?:?]
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) 
> ~[?:?]
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) 
> ~[?:?]
>     at 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) 
> ~[?:?]
>     at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
>     at 
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) 
> ~[?:?]
>     at 
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>  ~[?:?]
>     at 
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>  ~[?:?]
>     at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>  ~[?:?]
>     ... 29 more{code}
> Also, the elasticsearch-rest appender has the same problem with 
> Secured/Xpacked enabled ES.
> {code}
> 2018-05-15T11:24:00,901 | WARN  | Thread-6         | 
> earch.rest.ElasticsearchAppender  144 | 329 - 
> org.apache.karaf.decanter.appender.elasticsearch.rest - 2.0.0 | Can't append 
> into Elasticsearch
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) [?:?]
>       at 
> sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) [?:?]
>       at 
> sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) [?:?]
>       at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) [?:?]
>       at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) [?:?]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265) 
> [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at 
> org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
>  [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
>       at java.lang.Thread.run(Thread.java:748) [?:?]
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
>       at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[?:?]
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]
>       at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>  ~[?:?]
>       at 
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) 
> ~[?:?]
>       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
>       at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>       at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) 
> ~[?:?]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) 
> ~[?:?]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
>  ~[?:?]
>       ... 9 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building 
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to 
> find valid certification path to requested target
>       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) 
> ~[?:?]
>       at 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) 
> ~[?:?]
>       at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
>       at 
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) 
> ~[?:?]
>       at 
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
>  ~[?:?]
>       at 
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>  ~[?:?]
>       at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
>  ~[?:?]
>       at 
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) 
> ~[?:?]
>       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
>       at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>       at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) 
> ~[?:?]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) 
> ~[?:?]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
>  ~[?:?]
>       ... 9 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
> to find valid certification path to requested target
>       at 
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>  ~[?:?]
>       at 
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>  ~[?:?]
>       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) 
> ~[?:?]
>       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) 
> ~[?:?]
>       at 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) 
> ~[?:?]
>       at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
>       at 
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) 
> ~[?:?]
>       at 
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
>  ~[?:?]
>       at 
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>  ~[?:?]
>       at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
>  ~[?:?]
>       at 
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) 
> ~[?:?]
>       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
>       at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>       at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) 
> ~[?:?]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) 
> ~[?:?]
>       at 
> org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
>  ~[?:?]
>       ... 9 more
> {code}
> The elasticsearch-jest/elasticsearch-rest appenders need to be enhanced to 
> support XPack secured ES.


