Does watcher 1.0 support PKI based auth?


(Casie Owen) #1

Hi!

Does watcher 1.0 support PKI-based authentication like later versions of watcher do? I see "When you use PKI-based authentication instead of HTTP basic auth, you don't need to store any authentication information in the watch itself. To use PKI-based authentication, you configure the SSL keystore path and password for Watcher in elasticsearch.yml. If the watcher.http.ssl.keystore.path and watcher.http.ssl.keystore.password are not set, the Watcher HTTP client falls back to the Shield settings, shield.ssl.keystore.path and shield.ssl.keystore.password." at https://www.elastic.co/guide/en/watcher/current/actions.html if version 2.4 is selected. (And perhaps it's in the info for other versions as well; I didn't check.) But when I switch to 1.0, the PKI/SSL info is not there.

(Yes, we are going to upgrade. Beginning of the year!)

Thanks,
Casie


(Casie Owen) #2

Also, if 1.0 does support PKI-based auth, is it still workable without shield? We are not using shield. If that combination is possible, then... if I have watcher running on the marvel cluster (watching the data sent from the main cluster to the marvel cluster), do I install the cert into the machine store on each marvel node as well as configuring the watcher.http.ssl.truststore.path and watcher.http.ssl.truststore.password values in the .yml on each marvel node?

Thanks,
Casie


(Alexander Reelsen) #3

Hey Casie,

I just checked, and it looks as if we added the documentation later on, but using those settings should be possible in watcher 1.0 as well.

Also shield was just used as an example to use PKI based auth in the docs. You can use the watcher http client to connect to any PKI based auth as long as the other side is actually checking that cert like shield does.

If you have watcher running on a cluster, those settings and stores need to be configured and available on all of the nodes.

--Alex


(Casie Owen) #4

Thanks as always, Alex! I'm setting up a watch with a webhook action, and getting this:

"type": "webhook",
"status": "failure",
"reason": "ElasticsearchException[Relative path in absolute URI: http://xxx.xxx.com/xxx:9200:/watch_jvmheapusedpercentemail2]; nested: URISyntaxException[Relative path in absolute URI: http://xxx.xxxx.com/xxx:9200:/watch_jvmheapusedpercentemail2]; "
}

I've tried it with xxx.xxx.com/xxx and xxx.xxx.com. So:

"webhook" : {
"method" : "POST",
"host" : "xxx.xxx.com",
"port" : 9200,
"path": ":/{{ctx.watch_id}}",
"body" : "{{ctx.watch_id}}:{{ctx.payload.hits.total}}"

and

"webhook" : {
"method" : "POST",
"host" : "xxx.xxx.com/xxx",
"port" : 9200,
"path": ":/{{ctx.watch_id}}",
"body" : "{{ctx.watch_id}}:{{ctx.payload.hits.total}}"

Any ideas?

Thanks,
Casie


(Casie Owen) #5

Correction, for port, I'm using 443 for SSL.

That leads to another question. I've got a cert installed on each of the marvel nodes (which is where watcher is running), and have the watcher.http.ssl.keystore.path and watcher.http.ssl.keystore.password values set. And I've restarted elasticsearch on each node on that cluster. The service started fine on each and the watches are executing fine; we're only seeing errors on the webhook action. In the error we're getting back, elasticsearch is referring to http even though the webhook action's port is 443. Curious about that.

Thanks,
Casie


(Alexander Reelsen) #6

Hey,

that URL looks shady

http://xxx.xxxx.com/xxx:9200:/watch_jvmheapusedpercentemail2

especially the xxx:9200: part looks broken; it should be http://xxx.xxxx.com:9200/watch_jvmheapusedpercentemail2 or similar. Also that URL is still HTTP, so maybe there are some leftovers?


(Alexander Reelsen) #7

Also you need to specify the scheme to be https...
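A small Python script, added here as an illustration and not Watcher's or Elastic's own code, that assembles the target URL from a webhook action's scheme, host, port and path fields and rejects the two misconfigurations posted above (a path that starts with ":/" and a host that carries a "/xxx" path segment). It also shows why the error message still said http: with no "scheme" field, port 443 alone does not switch the request to HTTPS. The composition rules, the render helper and the sample actions are assumptions constructed for this example; they are not Watcher's actual URL-building code.

```python
from urllib.parse import urlunsplit

# Constructed sample context: the watch id seen in the error above.
CTX = {"watch_id": "watch_jvmheapusedpercentemail2"}

# Constructed sample actions mirroring the ones posted in the thread.
BROKEN_PATH_ACTION = {"method": "POST", "host": "xxx.xxx.com", "port": 443,
                      "path": ":/{{ctx.watch_id}}"}
BROKEN_HOST_ACTION = {"method": "POST", "host": "xxx.xxx.com/xxx", "port": 443,
                      "path": ":/{{ctx.watch_id}}"}
# Port 443 but no scheme: the request would still be composed as plain http.
NO_SCHEME_ACTION = {"method": "POST", "host": "xxx.xxx.com", "port": 443,
                    "path": "/{{ctx.watch_id}}"}
# The corrected action: explicit https scheme, bare host, absolute path.
FIXED_ACTION = {"method": "POST", "scheme": "https", "host": "xxx.xxx.com",
                "port": 443, "path": "/{{ctx.watch_id}}"}


def render(template, ctx):
    # Stand-in for Watcher's mustache rendering; only {{ctx.watch_id}} is
    # supported here (assumption made for this example).
    return template.replace("{{ctx.watch_id}}", ctx["watch_id"])


def compose_webhook_url(action, ctx):
    """Build the absolute URL for a webhook action.

    Raises ValueError with a message naming the offending field when the
    fields cannot form a valid absolute URI.
    """
    scheme = action.get("scheme", "http")   # assumption: http unless set
    host = action["host"]
    port = int(action.get("port", 443 if scheme == "https" else 80))
    path = render(action.get("path", "/"), ctx)

    if scheme not in ("http", "https"):
        raise ValueError(f"scheme must be http or https, got {scheme!r}")
    if not host or "/" in host or ":" in host:
        raise ValueError(f"host must be a bare hostname, got {host!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    if not path.startswith("/"):
        raise ValueError(f"path must start with '/', got {path!r}")
    return urlunsplit((scheme, f"{host}:{port}", path, "", ""))


def check_action(action, ctx):
    """Return (ok, detail): detail is the URL when ok, else the reason."""
    try:
        return True, compose_webhook_url(action, ctx)
    except (KeyError, ValueError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, action in [("broken path", BROKEN_PATH_ACTION),
                         ("broken host", BROKEN_HOST_ACTION),
                         ("no scheme", NO_SCHEME_ACTION),
                         ("fixed", FIXED_ACTION)]:
        ok, detail = check_action(action, CTX)
        print(f"{name:12s} {'OK ' if ok else 'ERR'} {detail}")
```

Running it prints one line per sample action: the two broken ones are rejected with the field named, the scheme-less one composes as http://xxx.xxx.com:443/... (valid, but not TLS), and only the fixed action yields an https URL.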

