elasticsearch resource

[rx294]

Documentation and Unit Tests

Signed-off-by: Rony Xavier [email protected]
Signed-off-by: Aaron Lippold [email protected]

[adamleff]

Hi, @rx294 - welcome to the InSpec community and thanks for your first PR!

I've left you some feedback - please don't hesitate to ask if you have any questions. Thanks!

[adamleff]

Can you just make each item a single bullet item, alphabetized? Makes it easier to read through and easier for a user to find what they're looking for.

[adamleff]

Since the cmp matcher will change a single-element array to a non-array, I'd change this to:

its('cluster_name') { should cmp 'elasticsearch' }

[adamleff]

Again, I'd use the cmp matcher here rather than teaching users to use first

[adamleff]

You can drop the .rb from this

[adamleff]

The desc contents are displayed in the inspec shell output... so there would be no description printed. Please uncomment similar to other resources.

[adamleff]

This would cause the node hash to have a full copy of itself. Did you forget to set a key here?

[adamleff]

I think Environment is a loaded term... how about Elasticsearch ClusterInfo?

[adamleff]

Can you please revert this change from your commit? The Gemfile.lock for the www should remain, and if there is a desire to drop it, we should do that as a separate PR. Thanks!

[rx294]

Hey @adamleff, I have reorganized and made the recommended changes to this PR. I belive I have reverted the Gemfile.lock, please let me know if it has not been reverted.
Please review it when you get a chance. Thank you

[adamleff]

Indentation lines 16-34 is off.. should be in line with the block above in lines 11-14.

[adamleff]

This feels like a duplicative describe block... can we remove this?

[adamleff]

Please remove this line. InSpec is released under Apache 2.0. We have a pending PR to remove this line from all our files (acknowledging that you probably copy/pasted this from another existing file 🙂 ).

[adamleff]

Please remove this line. InSpec is released under Apache 2.0. We have a pending PR to remove this line from all our files (acknowledging that you probably copy/pasted this from another existing file 🙂 ).

[adamleff]

@rx294 just a heads up on this PR, it now has merge conflicts. Be sure to rebase your branch on the latest master and address those issues. One is on www/Gemfile.lock which you should just pull out of your commit since your PR shouldn't touch that file. :)

[adamleff]

@rx294 I may not have cycles to give this a thorough review until I return from my vacation, but perhaps the other maintainers might.

However, right out of the gate, I notice that your change still deletes the Gemfile.lock file and adds it to the .gitignore file. Neither of these changes can be accepted in this PR.

[adamleff]

Great work, let's just tidy this up!

[adamleff]

Lines 51-53, please indent 2 spaces

[adamleff]

66-68, needs one more space

[adamleff]

71-73, fix indentation, and please git rid of that pesky tab on line 72 :)

[adamleff]

Line 80 - more tabs! You're killing me... slowly... 🙂

[adamleff]

Change to:

unless inspec.command('curl').exist?

[adamleff]

Protect against a failed JSON parse to avoid a Ruby exception unwinding the whole InSpec run.

[adamleff]

Perhaps this, and the few lines that follow, should be broken out into a helper method.

def initialize
  # blah blah
  @content = read_es_data(url)
end

def read_es_data(url)
  # call curl
  # handle error, skip_resource if curl fails
  @content = JSON.parse(curl_output)
rescue JSON::ParserError => e
  skip_resource "Couldn't parse ES data: #{e.message}"
end

[adamleff]

Suggestion to think about, should this be cluster_name?

And for sake of clarity, I would set this from node_data vs. setting it from itself...

node.cluster_name = node_data['settings']['cluster']['name']

[adamleff]

rescue JSON::ParserError

[adamleff]

Hashie::Mash.new

[adamleff]

plugins_list << plugins.name

[adamleff]

For your education only :)

[rx294]

@adamleff hey Adam this PR is ready...although looks like one of the Travis tests are failing for an unrelated issue. Thank you

[adamleff]

Perhaps as a follow-up to this PR, I'd suggest adding the stderr from the command to this message in hopes that it will help the user troubleshoot:

return skip_resource "Error fetching Elastcsearch data from #{url}: #{cmd.stderr}"

[rx294]

Thank you @adamleff that makes more sense.

[adamleff]

@rx294 this looks good, just one thing that we need to clean up in the read_es_data method re: error handling. I don't think we'll ever get to one of your error handling steps because of the way the method is written.

[adamleff]

If curl fails, it will catch at line 97 above and then we'll return. I don't think you'll ever get to this part of your method if it failed to connect.

If you want to provide a specific "connection refused" skip message, you will likely need to move lines 100-102 above line 97, and let the if statement at line 97 be a "catch-all error except connection refused events" handler. Make sense?

[rx294]

Thank you for the catch. That makes sense.

[rx294]

@adamleff I am getting a travisci error as below:

example inheritance profile#test_0004_ensure json/check command do not fetch remote profiles if vendored [/home/travis/build/chef/inspec/test/functional/inspec_vendor_test.rb:61]:

It looks unrelated to the elasticsearch resource, please let me know if it is not.

Thank you

[adamleff]

Super-close, @rx294 -- just some doc fixes and a discussion about the default URL. Thanks!

[adamleff]

Need space between ) and {

[rx294]

Done

[adamleff]

Can you please add a newline between each describe block so it's clearer and consistent with other documentation? Thank you!

[rx294]

Done.

[adamleff]

Space needed between it and {

[adamleff]

Space needed between where and {

[rx294]

Done.

[adamleff]

Please add wrapper spaces within the braces...

{ should cmp '/etc/elasticsearch' }

[rx294]

Done

[adamleff]

Please add wrapper spaces within the braces...

{ should cmp '/etc/elasticsearch' }

[rx294]

Done. Thank you @adamleff , I should have known better by now haha

[adamleff]

Any reason to include the _nodes part here? I think perhaps this should be the base URL for wherever Elasticsearch lives, and then we can call /_nodes within the resource. That way if we want to hit other endpoints later, such as /_cluster/health, we don't have to rework this.

[rx294]

The _nodes part is important because it exposes all the settings we are exposing using the resource and our parsers are expecting the json structure the '_nodes' curl request returns.

[adamleff]

@rx294 that's exactly my point. Your resource depends on hitting /_nodes to do its job, but that is not the top-level URL to an Elasticsearch node/cluster. You are shifting an implementation detail responsibility onto the consumer of your resource.

You should ask expect the user to give you the top-level URL to their cluster, and then you as the resource author should tack on the /_nodes endpoint to the URL before you start making curl calls. Otherwise, you are forcing users to know that detail... and in the future, if we need to retrieve data from different endpoints (such as /_cluster or /_cat, we don't have to do janky regsub or break backward compatibility.

[adamleff]

Let's test with a non-default URL. This really isn't testing anything other than our ability to pass in a second argument. :)

[rx294]

Done.

[adamleff]

This is not what I meant... that's not part of the URL, that's now a command flag you pass to curl, but in the future, this resource may use a different method of fetching an HTTP endpoint.

It's possible to have elasticsearch clusters on different hostnames and different URIs. For example:

http://mydatacenter.mycompany.biz/myelasticsearch

... in which case, your resource would fetch from http://mydatacenter.mycompany.biz/myelasticsearch/_nodes

[adamleff]

Status as I see it today: my concern about the user needing to supply /_nodes in their URL still needs to be addressed as does my concern about the way we're testing a non-standard URL. This is not yet ready to be re-reviewed.

[rx294]

Hey @adamleff . I have made the updates. Please review it when you get a chance. Thank you!

[adamleff]

@rx294 I only looked at it briefly, and this is closer, but I believe you made a decision that will hinder some users' ability to use it.

Specifically, you eliminated passing a URL and instead opted for parameters es_host and es_port. This means users to have Elasticsearch installed on a machine with a non-root URI (i.e. http://myhost:9201/elasticsearch) will not be able to use this resource. We should really go back to using URIs instead of parameterizing the host and port

Also, we should use better parameter names - there is no need to use the es_ prefix since the parameters are specific to this resource. Let's try to use clear and easy-to-understand parameter names.

[adamleff]

No need to prefix with es_ - use username

[rx294]

Done.

[adamleff]

No need to prefix with es_ - use password

[adamleff]

No need to have this as a parameter - just accept a full URI to the elasticsearch top-level

[rx294]

Done.

[adamleff]

There are more reasons you need to disable SSL certificate validation other than a self-signed cert is in use. For consistency with other resources, please name this ssl_verify and you can default to true

[rx294]

Done.

[adamleff]

We should accept a URI and not an IP/port - see my top-level review comment.

[rx294]

Good point. Done.

[adamleff]

Can you explain this? What's a "security exception"?

[rx294]

I have modified it to show status of the error from elasticsearch

[adamleff]

Is this necessary? The stderr will be displayed in the skip_resource message in line 112.

[rx294]

This would help capture the reason of failure.

[adamleff]

Right, but the reason for the failure you're matching on ("Peer's Certificate issue is not recognized") is in the stderr output already, and it will be output in line 112. The skip message you're returning in this line 111 is not adding any additional value that wouldn't be handled properly in line 112.

[rx294]

Oh i remmember, the Peer certificate stderr is this big ugly block
"% Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\ncurl: (60) Peer's Certificate issuer is not recognized.\nMore details here: http://curl.haxx.se/docs/sslcerts.html\n\ncurl performs SSL certificate verification by default, using a "bundle"\n of Certificate Authority (CA) public keys (CA certs). If the default\n bundle file isn't adequate, you can specify an alternate file\n using the --cacert option.\nIf this HTTPS server uses a certificate signed by a CA represented in\n the bundle, the certificate verification probably failed due to a\n problem with the certificate (it might be expired, or the name might\n not match the domain name in the URL).\nIf you'd like to turn off curl's verification of the certificate, use\n the -k (or --insecure) option.\n"

I figured this would be a cleaner skip message of a known possible error.

[adamleff]

That's a great reason. Let's add a comment above this line that explains why we're specifically catching this one error type.

[rx294]

Done!

[adamleff]

@rx294 I still think there are some issues with this that I've unsuccessfully tried to communicate (i.e. the URL should be an argument rather than an item in the option hash), and there are still issues (i.e. the default URL shouldn't use 0.0.0.0 or https by default), so I'm going to adopt your PR with attribution and try and push it across the finish line. I'm traveling for the next couple of days, so I should be able to work on this sometime next week. Unfortunately, it's just taking too much time to try and address the remaining issues through the PR back-and-forth process.

I'll close this PR with an new updated one once I've done so. Thanks.

[rx294]

Got it. thank you adam

[adamleff]

Superseded by PR #2261 - thanks for your work on this.