Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Documentation for starting standalone schema manager #5101

Merged
merged 11 commits into from
Feb 28, 2025
Merged

feat: Documentation for starting standalone schema manager #5101

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
8f35dc0
feat: Documentation for starting standalone schema manager
grlimacan Feb 27, 2025
1472c61
fix: Apply suggestions from automated code review
grlimacan Feb 27, 2025
0c08cee
fix: Fixing some formatting issues
grlimacan Feb 27, 2025
4c8b223
feat: Adding Helm Chart documentation
grlimacan Feb 27, 2025
def8773
Merge branch 'main' into es-without-cluster-privileges
mesellings Feb 27, 2025
4b1f930
feat: Implementing findings from review
grlimacan Feb 27, 2025
d6c9bba
feat: Implementing findings from review
grlimacan Feb 27, 2025
ec198b3
fix: Apply suggestions from code review
grlimacan Feb 28, 2025
6a78531
feat: Implementing findings from review
grlimacan Feb 28, 2025
21430f7
feat: Implementing findings from review
grlimacan Feb 28, 2025
1760e61
Merge branch 'main' into es-without-cluster-privileges
mesellings Feb 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions versioned_docs/version-8.6/self-managed/concepts/elasticsearch-privileges.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ If you implement Camunda 8 with Elasticsearch as a service provider, you must co

## Cluster privileges

:::note Running Elasticsearch with limited cluster privileges
If an application cannot be granted cluster privileges, the schema manager can be run as a standalone application separate from the main application. In this setup, the single application does not need cluster privileges. To learn more, see [Elasticsearch without cluster privileges](./elasticsearch-without-cluster-privileges.md).
:::

- `monitor` - necessary for health check
- `manage_index_templates` to create and manage index schema on start up, if they don't already exist in Elasticsearch.
- _Optional_ `manage_ilm` - required only when ILM is enabled
Expand Down
282 changes: 282 additions & 0 deletions ...s/version-8.6/self-managed/concepts/elasticsearch-without-cluster-privileges.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,282 @@
---
id: elasticsearch-without-cluster-privileges
title: "Elasticsearch without cluster privileges"
---

In case the Camunda single application cannot access Elasticsearch with cluster privileges, it is possible to run the schema manager as a stand-alone application separate from the main application. The schema manager solely creates all necessary Elasticsearch Indices. In this case, elevated privileges are only required for the schema creation, the single application does not need to have cluster privileges to work any more.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 I would omit the sentence The schema manager solely creates all necessary Elasticsearch Indices. I think it just leads to confusion (since it actually does more than this anyway), and gives unnecessary details. We can leave it at that the application creates the necessary schema for C8 to run afterwards without cluster privileges.

🔧 Similarly, we use elevated privileges and cluster privileges interchangeably, and I don;'t know if that's true? I would pick one, likely cluster level privileges, and just stick to it.


:::note Database Support
This feature is only available from version 8.6.10 on and is also only supported for Elasticsearch installations (no OpenSearch support).
:::

:::note Essential privileges required by the single application
An index-level privilege of at least `manage` is still required for the Camunda single application to work properly.
:::

## Setup

For this setup to work, the database schema must be initialized first (step 1). This requires cluster level privileges for the database. This only needs to be executed once.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only needs to be executed once.

Wouldn't this be, this needs to be executed once on the first installation, and then every time they perform an update? Or are we not discussing updates?

Because they will eventually update, and they will need to run it again at that point.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Following this discussion it is better to leave as is to avoid confusion. We will update this text before 8.6.11

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a way to ensure it will be done before the next update? Note that the next patch is coming out this Tuesday 😄

I mean, I don't expect we have schema changes until then, so it's fine. But you get the idea ;)

Once the schema is initialized, the application can be started without cluster level privileges (step 2). The steps are described in detail below.

### 1. Initialize the Schema Manager

The schema manager is started as a separate standalone Java application and is responsible for creating and managing the database schema and applying database settings, such as retention policies for example.
This step requires cluster level privileges for the database and only needs to be executed once per installation.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❓ Do we need to specify the required permissions? Or is there an ES equivalent, i.e. saying superuser or something (is that a thing for ES?).


#### 1.1 Configure Schema Manager

Create an additional custom configuration for the schema manager with the following values:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 The configuration below implies they want ILM. Maybe we can add a note that the configuration can be tweaked based on existing configuration (link to the respective components configuration), but that config here would be a minimal sample configuration.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a note on the config file about ILM. About the existing configuration, that is what is implied with additional custom configuration


```
zeebe.broker.exporters.elasticsearch:
className: io.camunda.zeebe.exporter.ElasticsearchExporter
args:
index:
createTemplate: true
retention:
enabled: true
# Example assuming an existing user called 'camunda-admin' who has 'superuser' privileges
authentication:
username: camunda-admin
password: camunda123
camunda:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this configuration requires tasklist and operate to know the elasticsearchs url in the form of this example:

camunda.operate.elasticsearch.url: "http://camunda-elasticsearch:9200"

and

camunda.tasklist.elasticsearch.url: "http://camunda-elasticsearch:9200"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left this undefined on purpose, because I am only documenting the necessary changes additionally to the settings the customer already has. When left unset, in our example, all tools will use the default http://localhost:9200, however if customers have a running setup where they use different URLs, if I add this field here, this would possibly confuse them

operate:
elasticsearch:
# Example assuming an existing user called 'camunda-admin' who has 'superuser' privileges
username: camunda-admin
password: camunda123
healthCheckEnabled: false
archiver:
ilmEnabled: true
tasklist:
elasticsearch:
# Example assuming an existing user called 'camunda-admin' who has 'superuser' privileges
username: camunda-admin
password: camunda123
healthCheckEnabled: false
archiver:
ilmEnabled: true

```

#### 1.2 Start the Schema Manager with the config above

Start the Java application `schema` (or `schema.bat` for Windows) provided in the `bin` folder of the delivered jar file. The schema manager will create the necessary indices and templates in the database and apply the respective settings.
Assuming the configuration above was saved in a file named `schema-manager.yaml`, you can start the application with the following command:

```
SPRING_CONFIG_ADDITIONALLOCATION=/path/to/schema-manager.yaml ./bin/schema
```

Verify that the application executed successfully.

### 2. Start the Camunda single application

The Camunda single application can now be started without cluster level privileges. The application will connect to the database and use the schema created by the schema manager.

#### 2.1 Ensure that an Elasticsearch user with sufficient privileges exists

The application requires a database user with at least `manage` privileges on the indices it is meant to work with.

If preferred, you can use an existing user with the required privileges. Alternatively the required privileges can be assigned to an example user named `camunda-app` with the following request to the Elasticsearch REST API:

```
PUT _security/role/read_write_role
{
"indices": [
{
"names": [
"*"
],
"privileges": [
"read",
"write",
"view_index_metadata"
],
"allow_restricted_indices": false
},
{
"names": [
"operate-*",
"tasklist-*",
"zeebe-*"
],
"privileges": [
"manage"
],
"allow_restricted_indices": false
}
],
"applications": [],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
}
```

Then, assign the user to the role defined above. For example, if Elasticsearch is running on Docker, this can be achieved with the following command:

```
docker exec -t elasticsearch elasticsearch-users useradd camunda-app -p camunda123
docker exec -t elasticsearch elasticsearch-users roles camunda-app -a read_write_role
```

#### 2.2 Configure the Camunda single application

Create a configuration for the Camunda single application with the values below. This essentially disables schema creation for the app.

```
zeebe.broker.exporters.elasticsearch:
className: io.camunda.zeebe.exporter.ElasticsearchExporter
args:
index:
createTemplate: false
retention:
enabled: false
managePolicy: false
# Example assuming an existing user called 'camunda-app' with the privileges described in 2.1
authentication:
username: camunda-app
password: camunda123
camunda:
tasklist:
elasticsearch:
createSchema: false
username: camunda-app
password: camunda123
healthCheckEnabled: false
zeebeElasticsearch:
# Example assuming an existing user called 'camunda-app' with the privileges described in 2.1
username: camunda-app
password: camunda123
archiver:
ilmEnabled: false
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please note that I removed these 3 params that were present in our test-config so that standard values are used:

elsRolloverDateFormat: "yyyy-MM-dd-HH-mm"
rolloverInterval: 1m
waitPeriodBeforeArchiving: 1m

ilmManagePolicy: false
migration:
migrationEnabled: false
operate:
elasticsearch:
createSchema: false
username: camunda-app
password: camunda123
healthCheckEnabled: false
zeebeElasticsearch:
# Example assuming an existing user called 'camunda-app' with the privileges described in 2.1
username: camunda-app
password: camunda123
archiver:
ilmEnabled: false
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please note that I removed these 3 params that were present in our test-config so that standard values are used:

elsRolloverDateFormat: "yyyy-MM-dd-HH-mm"
rolloverInterval: 1m
waitPeriodBeforeArchiving: 1m

migration:
migrationEnabled: false
```

#### 2.3 Start the application with the above configuration

#### Starting the application from the JAR file

Start the Java application `camunda` (or `camunda.bat` for Windows) provided in the `bin` folder of the delivered JAR file.
Assuming the configuration above was saved in a file named `application-custom.yaml`, you can start the application with the following command:

```
SPRING_CONFIG_ADDITIONALLOCATION=/path/to/application-custom.yaml ./bin/camunda
```

#### Starting the application using Helm charts

##### Case 1: Auto-generated app config by Helm chart

[Spring Boot convention](https://docs.spring.io/spring-boot/reference/features/external-config.html#features.external-config.typesafe-configuration-properties.relaxed-binding.environment-variables) environment variables can be used to override configuration.

These are the Helm values needed to disable the schema manager in the Camunda apps.

```
# Helm chart values file.
zeebe:
env:
- name: ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_INDEX_CREATETEMPLATE
value: "false"
- name: ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_RETENTION_ENABLED
value: "false"
- name: ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_RETENTION_MANAGEPOLICY
value: "false"

tasklist:
env:
- name: CAMUNDA_TASKLIST_ELASTICSEARCH_CREATESCHEMA
value: "false"
- name: CAMUNDA_TASKLIST_ELASTICSEARCH_HEALTHCHECKENABLED
value: "false"
- name: CAMUNDA_TASKLIST_ARCHIVER_ILMENABLED
value: "false"
- name: CAMUNDA_TASKLIST_ARCHIVER_ILMMANAGEPOLICY
value: "false"
- name: CAMUNDA_TASKLIST_MIGRATION_MIGRATIONENABLED
value: "false"

operate:
env:
- name: CAMUNDA_OPERATE_ELASTICSEARCH_CREATESCHEMA
value: "false"
- name: CAMUNDA_OPERATE_ELASTICSEARCH_HEALTHCHECKENABLED
value: "false"
- name: CAMUNDA_OPERATE_ARCHIVER_ILMENABLED
value: "false"
- name: CAMUNDA_OPERATE_MIGRATION_MIGRATIONENABLED
value: "false"
```

##### Case 2: Manually-managed app config by the user

If the application configurations are managed directly and do not rely on the Helm chart auto-generated configuration.

```
# Helm chart values file.

zeebe:
configuration |
[...] # Any other custom config.
zeebe.broker.exporters.elasticsearch:
className: io.camunda.zeebe.exporter.ElasticsearchExporter
args:
index:
createTemplate: false
retention:
enabled: false
managePolicy: false
[...] # Any other custom config.

tasklist:
configuration |
[...] # Any other custom config.
camunda.tasklist:
elasticsearch:
createSchema: false
healthCheckEnabled: false
archiver:
ilmEnabled: false
ilmManagePolicy: false
migration:
migrationEnabled: false
[...] # Any other custom config.

operate:
configuration |
[...] # Any other custom config.
camunda.operate:
elasticsearch:
createSchema: false
healthCheckEnabled: false
archiver:
ilmEnabled: false
migration:
migrationEnabled: false
[...] # Any other custom config.
```

## Limitations

- This feature is only available for the Camunda `8.6.10` version and above.
- This feature only works for installations using Elasticsearch.
- Camunda Optimize cannot be executed with this setup.
1 change: 1 addition & 0 deletions versioned_sidebars/version-8.6-sidebars.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1929,6 +1929,7 @@
"self-managed/concepts/multi-tenancy",
"self-managed/concepts/mapping-rules",
"self-managed/concepts/elasticsearch-privileges",
"self-managed/concepts/elasticsearch-without-cluster-privileges",
"self-managed/concepts/opensearch-privileges"
]
},
Expand Down
Loading