ViaQ / watches-cli

:watch: CLI tool to pull statistics from Elasticsearch
Apache License 2.0

Support for more security options #6 #13

Closed richm closed 7 years ago

richm commented 7 years ago

https://github.com/ViaQ/watches-cli/issues/6

Allow using --cacert without --cert and --key. This still requires that all 3 must be specified to use client cert auth, but allows the use of --cacert by itself in order to use other forms of auth.

Allow specifying HTTP headers. For example, to authenticate to OpenShift Elasticsearch, after exposing it via a reencrypt route, you use curl like this:

curl -s --cacert ca.crt -H "X-Proxy-Remote-User: esuser" \
    -H "Authorization: Bearer asjasodfiasdjf" \
    -H "X-Forwarded-For: 127.0.0.1" \
    https://es.test/_cluster/health

With watches-cli, this becomes:

watches cluster_health --cacert ca.crt \
    --header "X-Proxy-Remote-User: esuser" \
    --header "Authorization: Bearer asjasodfiasdjf" \
    --header "X-Forwarded-For: 127.0.0.1" \
    --url https://es.test/_cluster/health

There is no support for --username/--password yet.

richm commented 7 years ago

@lukas-vlcek PTAL

richm commented 7 years ago

@lukas-vlcek Do you know why the tests are failing?

lukas-vlcek commented 7 years ago

@richm I will check tomorrow, but from a quick check I think we will need to update the CLI options (the docopt language). Because the language contains the original rule:

[(--cacert=CACERT --cert=CERT --key=KEY)]

Which means, these options are optional, but if they are provided then ALL OF THEM have to be provided. Now, with the new functionality we are adding the rule:

watches cluster_health [-i=INTERVAL -d=DURATION --url=URL -tsv --cacert=CACERT]
                                                               ^^^^^^^^^^^^^^^

Which is probably conflicting with the previous rule. Maybe we will end up enhancing the original rule to:

[(--cacert=CACERT --cert=CERT --key=KEY) | (--cacert=CACERT --header=HEADER...)]

Meaning we allow two ways in which cacert can be provided. The first has to contain three parameters: cacert, cert and key; for the second there must be two parameters: cacert and header.

Were you able to run the command manually from CL?
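The option rules from the PR description and the comment above (`--cacert` alone for server verification, all three options for client cert auth, repeatable `--header`), as an added Python example that is not watches-cli's own code. `parse_header`, `build_options` and `redact` are hypothetical helpers, the `verify`/`cert`/`headers` keys are an assumed settings shape, and the sample values are the ones from the commands in the description.

```python
import re

# RFC 7230 "token" characters allowed in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
_SENSITIVE = {"authorization", "proxy-authorization", "cookie"}


def parse_header(raw):
    """Split one 'Name: value' string, rejecting malformed or injected input."""
    name, sep, value = raw.partition(":")
    name, value = name.strip(), value.strip()
    if not sep or not _TOKEN.fullmatch(name):
        raise ValueError("header must look like 'Name: value': %r" % raw)
    if "\r" in value or "\n" in value:
        # An embedded line break would smuggle a second header into the request.
        raise ValueError("line break in value of header %r" % name)
    return name, value


def build_options(cacert=None, cert=None, key=None, headers=()):
    """Map the CLI options to transport settings (assumed shape, hypothetical)."""
    if (cert or key) and not (cacert and cert and key):
        raise ValueError("client cert auth needs --cacert, --cert and --key together")
    return {
        # --cacert alone: verify the server against this CA, send no client cert.
        # Without --cacert, True stands for "use the system trust store" (assumption).
        "verify": cacert if cacert else True,
        "cert": (cert, key) if cert else None,
        "headers": dict(parse_header(h) for h in headers),
    }


def redact(headers):
    """Copy of the headers that is safe to log: credential values are masked."""
    return {k: ("<redacted>" if k.lower() in _SENSITIVE else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    opts = build_options(cacert="ca.crt", headers=[
        "X-Proxy-Remote-User: esuser",
        "Authorization: Bearer asjasodfiasdjf",
        "X-Forwarded-For: 127.0.0.1",
    ])
    print(opts["verify"], opts["cert"], redact(opts["headers"]))
```
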

lukas-vlcek commented 7 years ago

@richm FYI, I added both options --username and --password to the rest of the watches commands (if I am not mistaken these apply to all of them, not only to cluster_health).

Also I rearranged the commands - hope this makes reading the synopsis doc a bit easier.

One issue I have is that each time we update the CLI options we should also update the README.rst as well. If I understand how Python works then the README.rst file is used (or packaged?) when doing watches distribution and it is then distributed as some form of "man"-like page with the tool? Maybe there is a better solution?

richm commented 7 years ago

There is probably a way to generate README.rst from the docopts + some sort of boilerplate for the rest, and you can generate html/pdf/man from rst.