Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#14340 & #13849 - Clean secret ID and improve encrypt/decrypt exception management #14356

Merged
merged 17 commits into from
Dec 18, 2023
Merged

#14340 & #13849 - Clean secret ID and improve encrypt/decrypt exception management #14356

merged 17 commits into from
Dec 18, 2023

Conversation

pmbrull
Copy link
Collaborator

@pmbrull pmbrull commented Dec 12, 2023

Describe your changes:

Fixes #14340
Fixes #13849

Also takes care of this Collate's issue https://github.com/open-metadata/openmetadata-collate/issues/227

  • We cleaned one internal method that was removing exception messages in some scenarios. Now the exception gives more information on what is the root cause of the encrypt/decrypt error
  • We are cleaning the secret ID when building it to not include strange characters not supported by AWS SM
  • We are updating the config to handle prefix and tags when creating the secret in AWS
  prefix: ${SECRET_MANAGER_PREFIX:-""} # Define the secret key ID as /<prefix>/<clusterName>/<key>
  tags: ${SECRET_MANAGER_TAGS:-[]} # Add tags to the created resource, e.g., in AWS. Format is `[key1:value1,key2:value2,...]`

I'll do the docs in a followup PR

I worked on ... because ...

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes <issue-number>: <short explanation>
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

@pmbrull pmbrull requested review from a team as code owners December 12, 2023 17:08
@github-actions github-actions bot added Ingestion backend safe to test Add this label to run secure Github workflows on PRs labels Dec 12, 2023
harshach
harshach requested changes Dec 14, 2023
View reviewed changes
conf/openmetadata.yaml Outdated Show resolved Hide resolved
openmetadata-service/src/main/java/org/openmetadata/service/secrets/SecretsManager.java Outdated Show resolved Hide resolved
openmetadata-service/src/main/java/org/openmetadata/service/secrets/SecretsManager.java Show resolved Hide resolved
openmetadata-service/src/main/java/org/openmetadata/service/secrets/SecretsManager.java Outdated Show resolved Hide resolved
openmetadata-service/src/main/java/org/openmetadata/service/secrets/SecretsManagerFactory.java Outdated
*/
secretsManager = NoopSecretsManager.getInstance(clusterName, secretsManagerProvider);
secretsManager = NoopSecretsManager.getInstance(secretsManagerProvider, secretsConfig);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we avoid the switch case, instead use something similar to ENTITY_REPOSITORY_MAP?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mmhh when trying it out it gets a bit ugly actually. We are not initializing all the secret managers just the one being requested by the config, and it would require some further changes on the parent class to allow getting the instances just right.

if it's ok, I'll keep the switch for now

...e/src/test/java/org/openmetadata/service/resources/services/PipelineServiceResourceTest.java Show resolved Hide resolved
harshach
harshach reviewed Dec 14, 2023
View reviewed changes
openmetadata-service/src/main/java/org/openmetadata/service/secrets/NoopSecretsManager.java Outdated
@@ -18,13 +18,14 @@
public class NoopSecretsManager extends SecretsManager {
private static NoopSecretsManager instance;

private NoopSecretsManager(String clusterPrefix, SecretsManagerProvider secretsManagerProvider) {
super(secretsManagerProvider, clusterPrefix);
private NoopSecretsManager(SecretsManagerProvider secretsManagerProvider, SecretsConfig secretsConfig) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of calling this as NoopSecretsManager, lets call it as DBSecretsManager and use the fernet key to encrypt/decrypt the passwords.
We also needs to have config of key/value pairs thats optional and can be passed as part of the config

harshach
harshach reviewed Dec 14, 2023
View reviewed changes
openmetadata-service/src/main/java/org/openmetadata/service/secrets/SecretsManager.java
toEncryptObject,
Fernet.isTokenized(newFieldValue)
? newFieldValue
: store ? fernet.encrypt(newFieldValue) : newFieldValue,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need to remove fernet.encrypt from here and make it into DBSecretesManager and except that logic to live inside of these secret managers

@github-actions GitHub Actions
Copy link
Contributor

The Python checkstyle failed.

Please run make py_format and py_format_check in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Python code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

@github-actions github-actions bot added the UI UI specific issues label Dec 15, 2023
@github-actions GitHub Actions
Copy link
Contributor

Jest test Coverage

UI tests summary

Lines Statements Branches Functions
Coverage: 49%
 49.59% (24760/49933) 32.37% (9717/30019) 30.83% (2808/9109)

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed for 'open-metadata-ui'

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed for 'open-metadata-ingestion'

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
83.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

harshach
harshach reviewed Dec 17, 2023
View reviewed changes
docker/docker-compose-quickstart/docker-compose.yml
@@ -140,7 +140,7 @@ services:
FERNET_KEY: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=}

#secretsManagerConfiguration
SECRET_MANAGER: ${SECRET_MANAGER:-noop}
SECRET_MANAGER: ${SECRET_MANAGER:-db}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if someone exported SECRET_MANAGER as noop they will run into issues, worth noting this as backward incompatible change and capture it in our upgrade notes

@pmbrull pmbrull merged commit d8984d2 into open-metadata:main Dec 18, 2023
22 of 23 checks passed
@pmbrull pmbrull deleted the issue-14340 branch December 18, 2023 05:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akash-jain-10 akash-jain-10 akash-jain-10 approved these changes

@harshach harshach harshach approved these changes

@karanh37 karanh37 Awaiting requested review from karanh37

@chirag-madlani chirag-madlani Awaiting requested review from chirag-madlani

Assignees
No one assigned
Labels
backend devops Ingestion safe to test Add this label to run secure Github workflows on PRs UI UI specific issues
Projects
None yet
Milestone
No milestone
3 participants
@pmbrull @harshach @akash-jain-10