
[FEATURE] Add example of ignoring certificate validation when using local docker container

Open pingleig opened this issue 3 years ago • 3 comments

Is your feature request related to a problem?

Docker compose launches OpenSearch using https with a self-signed cert. The example code only shows how to specify a trust store but doesn't show how to disable the verification on the client side (for local testing).

  • Demo cert from https://github.com/opensearch-project/security/blob/207cfcc379ffd4127e32b9fdfdd75ea394b48d0e/tools/install_demo_configuration.sh#L201
  • Example error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

	at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:902)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:301)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:289)
	at org.opensearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1762)
	at org.opensearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1745)
	at org.opensearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1709)
	at org.opensearch.client.IndicesClient.create(IndicesClient.java:160)

What solution would you like?

Tell people how to disable certificate verification (if they know what they are doing) at https://opensearch.org/docs/latest/clients/java/. ~~I am not sure if there is a doc repo~~ Maybe I should create the issue in https://github.com/opensearch-project/documentation-website/issues instead?

        import java.security.KeyManagementException;
        import java.security.KeyStoreException;
        import java.security.NoSuchAlgorithmException;
        import org.apache.http.HttpHost;
        import org.apache.http.conn.ssl.NoopHostnameVerifier;
        import org.apache.http.conn.ssl.TrustAllStrategy;
        import org.apache.http.ssl.SSLContextBuilder;
        import org.opensearch.client.RestClient;
        import org.opensearch.client.RestHighLevelClient;

        // credentialsProvider: a CredentialsProvider for the demo admin user, created earlier (not shown in this snippet)
        RestHighLevelClient client = new RestHighLevelClient(RestClient.builder(HttpHost.create("https://localhost:9200"))
                .setHttpClientConfigCallback((c) -> {
                    // Disable cert verification (local testing only: any server certificate is accepted)
                    // https://stackoverflow.com/questions/2703161/how-to-ignore-ssl-certificate-errors-in-apache-httpclient-4-0
                    // because default uses a demo cert from https://github.com/opensearch-project/security/blob/207cfcc379ffd4127e32b9fdfdd75ea394b48d0e/tools/install_demo_configuration.sh#L201
                    try {
                        c.setSSLContext(new SSLContextBuilder().loadTrustMaterial(null, TrustAllStrategy.INSTANCE).build())
                                .setSSLHostnameVerifier(new NoopHostnameVerifier()); // also skip hostname matching
                    } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) {
                        throw new RuntimeException(e);
                    }
                    return c.setDefaultCredentialsProvider(credentialsProvider);
                }));

What alternatives have you considered?

Alternatives require more commands to type, rebuilding the container, etc.

  • Provide instructions on how to generate a new self-signed cert
  • Disable security https://opensearch.org/docs/latest/security-plugin/configuration/disable/#docker

Do you have any additional context?

N/A

pingleig, Oct 09 '22 01:10
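The snippet in the issue accepts any certificate and skips hostname matching, which is the behaviour the PKIX error is protecting against. The added example below is not part of the issue or of opensearch-java: it shows the safer alternative for the same Docker setup, loading only the demo root CA into an in-memory trust store (so the self-signed chain validates without widening trust to every certificate), and keeps the trust-all path behind an explicit switch so it cannot be reached by accident. The class name `LocalOpenSearchClient`, the system property `opensearch.insecureTrustAll`, the CA file name `root-ca.pem` and the `admin`/`admin` credentials are assumptions for illustration; use whatever your compose file installs.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContextBuilder;
import org.opensearch.client.RequestOptions;
import org.opensearch.client.RestClient;
import org.opensearch.client.RestHighLevelClient;

/** Hypothetical helper (not part of opensearch-java): connect to a local OpenSearch over TLS. */
public class LocalOpenSearchClient {

    /**
     * Build an SSLContext that trusts exactly one CA: the certificate in caPem
     * (for the Docker demo config, the root CA the demo node certificate chains to).
     * Hostname verification stays at the default, so the node certificate must
     * carry a SAN matching the host you connect to.
     */
    static SSLContext trustOnlyCa(Path caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caPem)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                      // fresh, empty in-memory trust store
        trustStore.setCertificateEntry("local-demo-ca", ca);
        // Second argument null: plain PKIX validation against the trust store, no custom TrustStrategy
        return SSLContextBuilder.create().loadTrustMaterial(trustStore, null).build();
    }

    /**
     * insecureTrustAll=true reproduces the snippet from the issue (accept any certificate,
     * skip hostname checks). It is a separate, explicit parameter so the trust-all path
     * is never selected implicitly through shared configuration.
     */
    static RestHighLevelClient build(HttpHost host, CredentialsProvider creds,
                                     Path caPem, boolean insecureTrustAll) throws Exception {
        SSLContext ctx = insecureTrustAll
                ? SSLContextBuilder.create().loadTrustMaterial(null, TrustAllStrategy.INSTANCE).build()
                : trustOnlyCa(caPem);
        return new RestHighLevelClient(RestClient.builder(host)
                .setHttpClientConfigCallback(c -> {
                    c.setSSLContext(ctx);
                    if (insecureTrustAll) {
                        c.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
                    }
                    return c.setDefaultCredentialsProvider(creds);
                }));
    }

    public static void main(String[] args) throws Exception {
        // Assumed demo credentials and CA path; adjust to your docker-compose setup.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("admin", "admin"));
        Path caPem = Path.of(args.length > 0 ? args[0] : "root-ca.pem");
        // Trust-all only when explicitly requested: java -Dopensearch.insecureTrustAll=true ...
        boolean trustAll = Boolean.getBoolean("opensearch.insecureTrustAll");

        try (RestHighLevelClient client = build(HttpHost.create("https://localhost:9200"), creds, caPem, trustAll)) {
            System.out.println("Connected to OpenSearch " + client.info(RequestOptions.DEFAULT).getVersion().getNumber());
        }
    }
}
```

With the CA-pinned path, a handshake that still fails with a hostname mismatch means the demo node certificate does not name the host you are using; the fix for that is the "generate a new self-signed cert" alternative from the issue (a cert whose SAN matches), not a `NoopHostnameVerifier`. Copy `root-ca.pem` out of the container (the file the demo configuration installs as the root CA) rather than checking it into the repository alongside production config.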

I think we really need something like https://github.com/opensearch-project/opensearch-js/blob/main/USER_GUIDE.md in this repo. Do you think you could start that with the above? It will reduce the amount of things that need to go into documentation-website, especially that the versions of the client don't match the versions of the server and thus evolve separately.

dblock, Oct 11 '22 17:10

Sorry for the late reply. I saw there is already https://github.com/opensearch-project/opensearch-java/blob/main/USER_GUIDE.md; I suppose I can add the skip-cert-check snippet to that file?

pingleig, Dec 03 '22 07:12

How about we add it wherever people might look, and when there's redundant information, let's also consider removing one and linking to the other?

When it comes to client usage, there's no hard and fast rule yet on what kind of documentation goes where, so I think the determination can be made on a case by case basis.

On Sat, Dec 3, 2022, 2:09 AM Pinglei Guo @.***> wrote:

Sorry for the late reply, I saw there is already https://github.com/opensearch-project/opensearch-java/blob/main/USER_GUIDE.md I suppose I can add the skip cert check snippet to that file?


wbeckler, Dec 03 '22 17:12