WIP: 🕸️ Bug / Support AWS OpenSearch Auth#1081
Conversation
There was a problem hiding this comment.
please exclude the modules/graphql-router/src/admin files out of this and all PRs
thanks
There was a problem hiding this comment.
There are a lot of distracting Type errors in this folder, maybe we can remove it or gitignore? I'm often using Type errors to validate that my new changes haven't broken anything, but frequently end up impacting code in /admin
Suggested gitignore change:
https://github.com/overture-stack/arranger/pull/1081/changes#diff-bc37d034bad564583790a46f19d807abfe519c5671395fd494d8cce506c42947
I will revert the changes in this file, but that's the context / source of repeat issues
| enableDebug, | ||
| enableDebug: !!enableDebug, |
There was a problem hiding this comment.
how is this change necessary?
There was a problem hiding this comment.
This is a Type error, enableDebug at line 58 is boolean | undefined, and getIndexMapping expects only a boolean.
We had to leverage enableDebug to troubleshoot in HCMI Dev.
There was a problem hiding this comment.
Alternately we could change the getIndexMapping signature to make enableDebug an optional argument and be false by default.
There was a problem hiding this comment.
sounds like a type problem in the function's definition, rather than something to be coerced in this manner 🤔
@joneubank thoughts on this?
|
To summarize my previous comments, as confirmed by reading the source of the installed package.
// seen in node_modules/@opensearch-project/opensearch/lib/aws/AwsSigv4Signer.js
const getAwsSDKCredentialsProvider = async () => {
try {
const awsV3 = await import('@aws-sdk/credential-provider-node');
if (typeof awsV3.defaultProvider === 'function') {
return awsV3.defaultProvider();
}
} catch (err) { /* falls back to aws-sdk v2 */ }
// ...
};The explicit // remove: import { defaultProvider } from '@aws-sdk/credential-provider-node';
...AwsSigv4Signer({
region: auth.region || '',
service: auth.service,
// no getCredentials - AwsSigv4Signer resolves credentials automatically
}),And drop Runtime note: on AWS infrastructure (ECS task role, EC2 instance profile), `@aws-sdk/credential-provider-node` is already present via the SDK layer. Deployments that need it will have it; those that don't will get an explicit error from the OpenSearch client on startup. |
| "apps/search-server": { | ||
| "name": "@overture-stack/arranger-search-server", | ||
| "version": "0.0.0-dev", | ||
| "dependencies": { | ||
| "@aws-sdk/credential-provider-node": "^3.972.60", |
There was a problem hiding this comment.
this file seems to be out of date now
joneubank
left a comment
There was a problem hiding this comment.
Thanks for adopting the new configuration pattern.
| id: string; | ||
| index: string; | ||
| body: Record<string, any>; | ||
| refresh?: boolean | 'false' | 'true' | 'wait_for'; |
There was a problem hiding this comment.
This list of types is peculiar, is this inherited from some third party library or did we decide these types? If we decided them, lets simplify to a list of string literals and add some documentation for why we chose these. If they are inherited, could we simplify them in a similar way?
There was a problem hiding this comment.
I see the problem too. Just to be clear, this is comment points to an outdated change, the latest version does not contain string literals for 'false' or 'true'. These are definitions that reflect the expected types for the OS/ES libraries.
| enableDebug, | ||
| enableDebug: !!enableDebug, |
There was a problem hiding this comment.
Alternately we could change the getIndexMapping signature to make enableDebug an optional argument and be false by default.
There was a problem hiding this comment.
We aren't adding any code to consume these env variables, in fact we make no code changes to the server. Let's not add new env variables to our schema that are unused.
There was a problem hiding this comment.
I wanted get a start on documenting the Auth changes and new config values, then updated the client side without revisiting. Will revise.
| export type BaseAuthConfig = { | ||
| password: string; | ||
| type?: AuthTypes; | ||
| username: string; | ||
| }; | ||
| export type DefaultAuthConfig = Prettify< | ||
| BaseAuthConfig & { | ||
| type: 'standard'; | ||
| } | ||
| >; | ||
| export type AWSAuthConfig = Prettify< | ||
| BaseAuthConfig & { | ||
| type: 'AWS'; | ||
| region: string; | ||
| service?: 'es' | 'aoss'; | ||
| } | ||
| >; |
There was a problem hiding this comment.
No reason to extend a base config.
| export type BaseAuthConfig = { | |
| password: string; | |
| type?: AuthTypes; | |
| username: string; | |
| }; | |
| export type DefaultAuthConfig = Prettify< | |
| BaseAuthConfig & { | |
| type: 'standard'; | |
| } | |
| >; | |
| export type AWSAuthConfig = Prettify< | |
| BaseAuthConfig & { | |
| type: 'AWS'; | |
| region: string; | |
| service?: 'es' | 'aoss'; | |
| } | |
| >; | |
| export type StandardAuthConfig = { | |
| type: 'standard'; | |
| password: string; | |
| username: string; | |
| } | |
| export type AWSAuthConfig = { | |
| type: 'AWS'; | |
| password: string; | |
| username: string; | |
| region: string; | |
| service?: 'es' | 'aoss'; | |
| } |
There was a problem hiding this comment.
Yeah I saw that BaseAuthConfig just ends up cluttering Type things downstream. This is updated using StandardAuth. Would BasicAuth be fitting var name you think?
…o bug/support-aws-auth
Summary
Adds AWS SDK Client Auth support for OpenSearch client
Issues
nci-hcmi-catalog/portal#1145
Description of Changes
Adds AWS SDK & authentication boilerplate
Adds additional config for indicating connection with AWS
Readiness Checklist
.env.schemafile and documented in the README