Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SSL and AUTH for redis #717

Open
wants to merge 20 commits into
base: master
Choose a base branch
from
Open

Support SSL and AUTH for redis #717

wants to merge 20 commits into from

Conversation

munishchouhan
Copy link
Member

This PR will add:

  1. enable ssl for redis rediss:// protocol
  2. and password if auth is enabled

@munishchouhan
Added JedisUtils
0866946 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan munishchouhan linked an issue Oct 24, 2024 that may be closed by this pull request
[Enhancement] - Redis Support encryption in transit #713
Open
@munishchouhan munishchouhan self-assigned this Oct 24, 2024
@munishchouhan
Added license [ci skip]
c2219c3 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
[release] bump 1.13.6-A0
9c56729 
Signed-off-by: munishchouhan <[email protected]>
pditommaso
pditommaso reviewed Oct 24, 2024
View reviewed changes
src/main/groovy/io/seqera/wave/util/JedisUtils.groovy Outdated
import redis.clients.jedis.JedisClientConfig


class JedisUtils {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of re-inviting the wheel, look at DefaultJedisClientConfig

  protected JedisFactory(final URI uri, final int connectionTimeout, final int soTimeout,
      final int infiniteSoTimeout, final String clientName, final SSLSocketFactory sslSocketFactory,
      final SSLParameters sslParameters, final HostnameVerifier hostnameVerifier) {
    if (!JedisURIHelper.isValid(uri)) {
      throw new InvalidURIException(String.format(
          "Cannot open Redis connection due invalid URI. %s", uri.toString()));
    }
    this.clientConfig = DefaultJedisClientConfig.builder().connectionTimeoutMillis(connectionTimeout)
        .socketTimeoutMillis(soTimeout).blockingSocketTimeoutMillis(infiniteSoTimeout)
        .user(JedisURIHelper.getUser(uri)).password(JedisURIHelper.getPassword(uri))
        .database(JedisURIHelper.getDBIndex(uri)).clientName(clientName)
        .protocol(JedisURIHelper.getRedisProtocol(uri))
        .ssl(JedisURIHelper.isRedisSSLScheme(uri)).sslSocketFactory(sslSocketFactory)
        .sslParameters(sslParameters).hostnameVerifier(hostnameVerifier).build();
    this.jedisSocketFactory = new DefaultJedisSocketFactory(new HostAndPort(uri.getHost(), uri.getPort()), this.clientConfig);
  }

@munishchouhan
removed JedisUtils
3a8ab3d 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
set correct timeout
c781431 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
added tests
9f2e6a1 
Signed-off-by: munishchouhan <[email protected]>
pditommaso
pditommaso reviewed Oct 24, 2024
View reviewed changes
src/main/groovy/io/seqera/wave/redis/RedisFactory.groovy Outdated
) {
log.info "Using redis $uri as storage for rate limit - pool minIdle: ${minIdle}; maxIdle: ${maxIdle}; maxTotal: ${maxTotal}"
boolean ssl = uri.startsWith("rediss")
DefaultJedisClientConfig clientConfig = DefaultJedisClientConfig.builder()
.password(password)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it safe if the password is null?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am making changes to use JedisURIHelper

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure it's needed because I think that tries to lookup for the password in the Redis URI, instead we need to specify independently

Copy link
Member Author

@munishchouhan munishchouhan Oct 24, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added password in config and if its null then check in URI

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

password will be null if auth is not set, like currently we don't have that

should we make it compulsory?

@munishchouhan munishchouhan marked this pull request as draft October 24, 2024 08:59
@munishchouhan
refactored
452c391 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
removed unused code
3047795 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
refactored tests
e0dd0e1 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
added password in config
f76a20d 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
formatted [ci skip]
ad6cf86 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
[release] bump 1.13.6-A1
ef72b19 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
[release] bump 1.13.6-A1
2610888 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan
Copy link
Member Author

Tested locally with ssl and auth and its working successfully
Testing now in dev

@munishchouhan
Copy link
Member Author

so after digging i found that, jedispool is working with ssl and auth, error is coming from SpillwayRateLimiter
I am looking into it

redis.clients.jedis.exceptions.JedisDataException: EXECABORT Transaction discarded because of: NOAUTH Authentication required.
	at redis.clients.jedis.Protocol.processError(Protocol.java:105)
	at redis.clients.jedis.Protocol.process(Protocol.java:162)
	at redis.clients.jedis.Protocol.read(Protocol.java:221)
	at redis.clients.jedis.Connection.readProtocolWithCheckingBroken(Connection.java:351)
	at redis.clients.jedis.Connection.getObjectMultiBulkReply(Connection.java:322)
	at redis.clients.jedis.TransactionBase.exec(TransactionBase.java:168)
	at redis.clients.jedis.Transaction.exec(Transaction.java:80)
	at com.coveo.spillway.storage.RedisStorage.addAndGet(RedisStorage.java:112)
	at com.coveo.spillway.Spillway.getExceededLimits(Spillway.java:215)
	at com.coveo.spillway.Spillway.tryCall(Spillway.java:154)
	at com.coveo.spillway.Spillway.tryCall(Spillway.java:142)
	at io.seqera.wave.ratelimit.impl.SpillwayRateLimiter.acquirePull(SpillwayRateLimiter.groovy:84)

@munishchouhan
Copy link
Member Author

munishchouhan commented Oct 24, 2024
edited
Loading

so after digging i found that, jedispool is working with ssl and auth, error is coming from SpillwayRateLimiter I am looking into it

redis.clients.jedis.exceptions.JedisDataException: EXECABORT Transaction discarded because of: NOAUTH Authentication required.
	at redis.clients.jedis.Protocol.processError(Protocol.java:105)
	at redis.clients.jedis.Protocol.process(Protocol.java:162)
	at redis.clients.jedis.Protocol.read(Protocol.java:221)
	at redis.clients.jedis.Connection.readProtocolWithCheckingBroken(Connection.java:351)
	at redis.clients.jedis.Connection.getObjectMultiBulkReply(Connection.java:322)
	at redis.clients.jedis.TransactionBase.exec(TransactionBase.java:168)
	at redis.clients.jedis.Transaction.exec(Transaction.java:80)
	at com.coveo.spillway.storage.RedisStorage.addAndGet(RedisStorage.java:112)
	at com.coveo.spillway.Spillway.getExceededLimits(Spillway.java:215)
	at com.coveo.spillway.Spillway.tryCall(Spillway.java:154)
	at com.coveo.spillway.Spillway.tryCall(Spillway.java:142)
	at io.seqera.wave.ratelimit.impl.SpillwayRateLimiter.acquirePull(SpillwayRateLimiter.groovy:84)

solved it by injecting the JedisPool in SpillWayStorageFactory

@munishchouhan
Copy link
Member Author

Tested successfully with local redis and elasticcache redis with ssl and auth

@munishchouhan
[release] bump 1.13.6-A2
31b889c 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan munishchouhan marked this pull request as ready for review October 24, 2024 16:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pditommaso pditommaso pditommaso left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@munishchouhan munishchouhan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Enhancement] - Redis Support encryption in transit
2 participants
@munishchouhan @pditommaso