[Bug 33563] New: Enable compatibility with Elasticsearch secure mode
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Bug ID: 33563 Summary: Enable compatibility with Elasticsearch secure mode Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Searching Assignee: koha-bugs@lists.koha-community.org Reporter: wizzyrea@gmail.com QA Contact: testopia@bugs.koha-community.org Hi friends, Koha should support authenticated access to Elasticsearch, at the very minimum https://www.elastic.co/guide/en/elasticsearch/reference/current/http-clients... and https://www.elastic.co/guide/en/elasticsearch/reference/current/token-authen... We'd need a place to stash our ES configuration information much like we used to for Zebra. koha-conf.xml is probably fine? Obviously open to discussion from the way smarter people here - this is only to get the discussion started, as Elasticsearch will start creating egregious scary logs for every connection complaining about security, starting with version 7. Liz -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Wes <wsmith@marshallcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wsmith@marshallcolibrary.or | |g -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Andreas Jonsson <andreas.jonsson@kreablo.se> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |andreas.jonsson@kreablo.se --- Comment #1 from Andreas Jonsson <andreas.jonsson@kreablo.se> --- For basic authentication, you can put the credentials in the connection details: <server>username:password@localhost:9200</server> It would be nice to have a comment about this in the koha-conf.xml template. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Liz Rea <wizzyrea@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Enable compatibility with |Document Elasticsearch |Elasticsearch secure mode |secure mode CC| |wizzyrea@gmail.com --- Comment #2 from Liz Rea <wizzyrea@gmail.com> --- Agreed, let's make the bug "document secure mode" :D -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- I've been setting up Elasticsearch 7 with a Koha and this is what I used: <!-- Elasticsearch Configuration --> <elasticsearch> <server>localhost:9200</server> <!-- may be repeated to include all servers on your cluster --> <userinfo>elastic:CHANGEME</userinfo> <use_https>1</use_https> The relevant bits above being "userinfo" and "use_https", and I found them by looking at https://metacpan.org/pod/Search::Elasticsearch::Role::Cxn#node and looking around the code a bit. With Elasticsearch 7, to use basic auth you have to use HTTPS as well, but that's a much more complicated topic. We could add commented out "userinfo" and "use_https" elements in koha-conf.xml though to get people on the right track. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- Created attachment 167053 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167053&action=edit Bug 33563: Add comments for Elasticsearch security config This patch adds some commented Elasticsearch security configuration, which shows how to use username/password with HTTPS. Test plan: 0. Apply patch 1. cp debian/templates/koha-conf-site.xml.in /etc/koha/koha-conf-site.xml.in 2. koha-create --create-db test 3. vi /etc/koha/sites/test/koha-conf.xml 4. Note that the comments for userinfo and use_https are in the koha-conf.xml -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |When using authentication release notes| |with | |Elasticsearch/Opensearch, | |you must use HTTPS. This | |change adds some comments | |in koha-conf.xml to show | |how to do configure Koha to | |use authentication and | |HTTPS for ES/OS. --- Comment #5 from David Cook <dcook@prosentient.com.au> --- I helped out Magnus on Mattermost with setting this up for Opensearch, so I thought it was timely to just write a patch and get it in. Note that the comment asserts that if you're using authentication then you will need to use HTTPS. That's really the key part. -- Opensearch comes with self-signed certs out of the box, so it's very easy to use HTTPS with it. With Elasticsearch, you have to set up your own self-signed certs, but I think that's outside the scope of this bug. You can consult Elasticsearch's documentation for setting up the server-side for HTTPS. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Now I'm second guessing my comment... I thought that you had to use HTTPS if you were using authentication with ES... But in koha-testing-docker we don't have HTTPS enabled for Elasticsearch, but if you add userinfo and no use_https "koha-elasticsearch -v -b --rebuild kohadev" will work... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167053|0 |1 is obsolete| | --- Comment #7 from Magnus Enger <magnus@libriotech.no> --- Created attachment 167066 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167066&action=edit Bug 33563: Add comments for Elasticsearch security config This patch adds some commented Elasticsearch security configuration, which shows how to use username/password with HTTPS. Test plan: 0. Apply patch 1. cp debian/templates/koha-conf-site.xml.in /etc/koha/koha-conf-site.xml.in 2. koha-create --create-db test 3. vi /etc/koha/sites/test/koha-conf.xml 4. Note that the comments for userinfo and use_https are in the koha-conf.xml Signed-off-by: Magnus Enger <magnus@libriotech.no> Works as advertised. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |magnus@libriotech.no --- Comment #8 from Magnus Enger <magnus@libriotech.no> --- The patch does what it says on the tin, but I have not looked into the question of auth with or without https. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- (In reply to Magnus Enger from comment #8)
The patch does what it says on the tin, but I have not looked into the question of auth with or without https.
I suppose at the very least it's handy to have the commented out fields there -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167066|0 |1 is obsolete| | --- Comment #10 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 168093 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=168093&action=edit Bug 33563: Add comments for Elasticsearch security config This patch adds some commented Elasticsearch security configuration, which shows how to use username/password with HTTPS. Test plan: 0. Apply patch 1. cp debian/templates/koha-conf-site.xml.in /etc/koha/koha-conf-site.xml.in 2. koha-create --create-db test 3. vi /etc/koha/sites/test/koha-conf.xml 4. Note that the comments for userinfo and use_https are in the koha-conf.xml Signed-off-by: Magnus Enger <magnus@libriotech.no> Works as advertised. Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 --- Comment #11 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Always love documentation :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main Version(s)| |24.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 --- Comment #12 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |Pushed to stable CC| |lucas@bywatersolutions.com Version(s)|24.11.00 |24.11.00,24.05.02 released in| | --- Comment #13 from Lucas Gass <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.02 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m Status|Pushed to stable |Pushed to oldstable Version(s)|24.11.00,24.05.02 |24.11.00,24.05.02,23.11.07 released in| | --- Comment #14 from Fridolin Somers <fridolin.somers@biblibre.com> --- Pushed to 23.11.x for 23.11.07 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 wainuiwitikapark@catalyst.net.nz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wainuiwitikapark@catalyst.n | |et.nz --- Comment #15 from wainuiwitikapark@catalyst.net.nz --- Not backporting to 23.05.x unless requested -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36134 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36134 [Bug 36134] Elasticsearch authentication using userinfo parameter crashes about.pl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Michał <schodkowy.omegi-0r@icloud.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |schodkowy.omegi-0r@icloud.c | |om --- Comment #16 from Michał <schodkowy.omegi-0r@icloud.com> --- I tested that it works and updated the Koha installation instructions in wiki: https://wiki.koha-community.org/wiki/Koha_on_Debian#Elasticsearch On that note it'd be nice if ktd used security by default to test for regressions... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 --- Comment #17 from David Cook <dcook@prosentient.com.au> --- (In reply to Michał from comment #16)
I tested that it works and updated the Koha installation instructions in wiki: https://wiki.koha-community.org/wiki/Koha_on_Debian#Elasticsearch
On that note it'd be nice if ktd used security by default to test for regressions...
Agreed In my ktd, I have security turned on by default, although I have to manually update my koha-conf.xml every time, which is a bit annoying. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33563 Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Needs documenting --- Comment #18 from Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> --- Not backporting to 22.11 unless requested -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org