Skip to content

WIP: 🕸️ Bug / Support AWS OpenSearch Auth#1081

Draft
demariadaniel wants to merge 23 commits into
mainfrom
bug/support-aws-auth
Draft

WIP: 🕸️ Bug / Support AWS OpenSearch Auth#1081
demariadaniel wants to merge 23 commits into
mainfrom
bug/support-aws-auth

Conversation

@demariadaniel

@demariadaniel demariadaniel commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds AWS SDK Client Auth support for OpenSearch client

Issues

nci-hcmi-catalog/portal#1145

Description of Changes

Adds AWS SDK & authentication boilerplate
Adds additional config for indicating connection with AWS

Readiness Checklist

  • Self Review
    • I have performed a self review of code
    • I have run the application locally and manually tested the feature
    • I have checked all updates to correct typos and misspellings
  • Formatting
    • Code follows the project style guide
    • Autmated code formatters (ie. Prettier) have been run
  • Local Testing
    • Successfully built all packages locally
    • Successfully ran all test suites, all unit and integration tests pass
  • Updated Tests
    • Unit and integration tests have been added that describe the bug that was fixed or the features that were added
  • Documentation
    • All new environment variables added to .env.schema file and documented in the README
    • All changes to server HTTP endpoints have open-api documentation
    • All new functions exported from their module have TSDoc comment documentation

@demariadaniel demariadaniel self-assigned this Jul 2, 2026
@demariadaniel demariadaniel added bug Something isn't working authorization Issue is related to user auth or permissions. labels Jul 2, 2026
Comment thread apps/search-server/pnpm-lock.yaml Outdated

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please exclude the modules/graphql-router/src/admin files out of this and all PRs

thanks

@demariadaniel demariadaniel Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a lot of distracting Type errors in this folder, maybe we can remove it or gitignore? I'm often using Type errors to validate that my new changes haven't broken anything, but frequently end up impacting code in /admin

Suggested gitignore change:
https://github.com/overture-stack/arranger/pull/1081/changes#diff-bc37d034bad564583790a46f19d807abfe519c5671395fd494d8cce506c42947

I will revert the changes in this file, but that's the context / source of repeat issues

Comment thread modules/graphql-router/src/router.ts Outdated
Comment on lines +79 to +78
enableDebug,
enableDebug: !!enableDebug,

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how is this change necessary?

@demariadaniel demariadaniel Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a Type error, enableDebug at line 58 is boolean | undefined, and getIndexMapping expects only a boolean.
We had to leverage enableDebug to troubleshoot in HCMI Dev.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternately we could change the getIndexMapping signature to make enableDebug an optional argument and be false by default.

@justincorrigible justincorrigible Jul 6, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds like a type problem in the function's definition, rather than something to be coerced in this manner 🤔

@joneubank thoughts on this?

Comment thread modules/graphql-router/src/searchClient/index.ts Outdated
@demariadaniel demariadaniel requested a review from joneubank July 6, 2026 18:40
@demariadaniel demariadaniel changed the title WIP: 🕸️ Bug / Support AWS OpenSearch Auth 🕸️ Bug / Support AWS OpenSearch Auth Jul 6, 2026
@demariadaniel demariadaniel marked this pull request as ready for review July 6, 2026 18:41
@demariadaniel demariadaniel changed the title 🕸️ Bug / Support AWS OpenSearch Auth WIP: 🕸️ Bug / Support AWS OpenSearch Auth Jul 6, 2026
@demariadaniel demariadaniel marked this pull request as draft July 6, 2026 18:41
Comment thread apps/search-server/package.json Outdated
Comment thread modules/graphql-router/src/searchClient/index.ts
@justincorrigible

justincorrigible commented Jul 7, 2026

Copy link
Copy Markdown
Member

To summarize my previous comments, as confirmed by reading the source of the installed package.

@aws-sdk/credential-provider-node is not needed and the getCredentials wrapper can be removed entirely.
AwsSigv4Signer from @opensearch-project/opensearch/aws already does the dynamic import internally:

// seen in node_modules/@opensearch-project/opensearch/lib/aws/AwsSigv4Signer.js
const getAwsSDKCredentialsProvider = async () => {
  try {
    const awsV3 = await import('@aws-sdk/credential-provider-node');
    if (typeof awsV3.defaultProvider === 'function') {
      return awsV3.defaultProvider();
    }
  } catch (err) { /* falls back to aws-sdk v2 */ }
  // ...
};

The explicit defaultProvider import and the getCredentials wrapper in the AwsSigv4Signer call are duplicating this exactly. The fix is to drop both:

// remove: import { defaultProvider } from '@aws-sdk/credential-provider-node';

...AwsSigv4Signer({
  region: auth.region || '',
  service: auth.service,
  // no getCredentials - AwsSigv4Signer resolves credentials automatically
}),

And drop @aws-sdk/credential-provider-node from apps/search-server/package.json (and it should not be added to modules/graphql-router either... it is not needed there at all).

Runtime note: on AWS infrastructure (ECS task role, EC2 instance profile), `@aws-sdk/credential-provider-node` is already present via the SDK layer. Deployments that need it will have it; those that don't will get an explicit error from the OpenSearch client on startup.

Comment thread package-lock.json Outdated
"apps/search-server": {
"name": "@overture-stack/arranger-search-server",
"version": "0.0.0-dev",
"dependencies": {
"@aws-sdk/credential-provider-node": "^3.972.60",

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this file seems to be out of date now

@joneubank joneubank left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adopting the new configuration pattern.

id: string;
index: string;
body: Record<string, any>;
refresh?: boolean | 'false' | 'true' | 'wait_for';

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This list of types is peculiar, is this inherited from some third party library or did we decide these types? If we decided them, lets simplify to a list of string literals and add some documentation for why we chose these. If they are inherited, could we simplify them in a similar way?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see the problem too. Just to be clear, this is comment points to an outdated change, the latest version does not contain string literals for 'false' or 'true'. These are definitions that reflect the expected types for the OS/ES libraries.

Comment thread modules/graphql-router/src/searchClient/types.ts Outdated
Comment thread modules/graphql-router/src/router.ts Outdated
Comment on lines +79 to +78
enableDebug,
enableDebug: !!enableDebug,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternately we could change the getIndexMapping signature to make enableDebug an optional argument and be false by default.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We aren't adding any code to consume these env variables, in fact we make no code changes to the server. Let's not add new env variables to our schema that are unused.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted get a start on documenting the Auth changes and new config values, then updated the client side without revisiting. Will revise.

Comment on lines +15 to +31
export type BaseAuthConfig = {
password: string;
type?: AuthTypes;
username: string;
};
export type DefaultAuthConfig = Prettify<
BaseAuthConfig & {
type: 'standard';
}
>;
export type AWSAuthConfig = Prettify<
BaseAuthConfig & {
type: 'AWS';
region: string;
service?: 'es' | 'aoss';
}
>;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No reason to extend a base config.

Suggested change
export type BaseAuthConfig = {
password: string;
type?: AuthTypes;
username: string;
};
export type DefaultAuthConfig = Prettify<
BaseAuthConfig & {
type: 'standard';
}
>;
export type AWSAuthConfig = Prettify<
BaseAuthConfig & {
type: 'AWS';
region: string;
service?: 'es' | 'aoss';
}
>;
export type StandardAuthConfig = {
type: 'standard';
password: string;
username: string;
}
export type AWSAuthConfig = {
type: 'AWS';
password: string;
username: string;
region: string;
service?: 'es' | 'aoss';
}

@demariadaniel demariadaniel Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I saw that BaseAuthConfig just ends up cluttering Type things downstream. This is updated using StandardAuth. Would BasicAuth be fitting var name you think?

Comment thread modules/graphql-router/src/searchClient/types.ts Outdated
Comment thread modules/graphql-router/src/searchClient/types.ts Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

authorization Issue is related to user auth or permissions. bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants