zipkin-dependencies icon indicating copy to clipboard operation
zipkin-dependencies copied to clipboard

Published 20 hours ago verified publisher icon openzipkin

Disable SSL verification for test environments

Open Opa- opened this issue 4 years ago • 5 comments

Hi,

We are running Zipkin in various test environments where we do not want to bother generating certificates and have keystore and everything. Not checking SSL would really help us to run zipkin-dependencies in those test environments.

Note that this feature was added to Zipkin itself (see https://github.com/openzipkin/zipkin/pull/3100)

I'll check if I can do the change myself but I need some time to have an understanding of how it works. https://github.com/openzipkin/zipkin-dependencies/blob/dd2f4911a5547704bb93bdc85a4f0b4aca5550cf/elasticsearch/src/main/java/zipkin2/dependencies/elasticsearch/ElasticsearchDependenciesJob.java#L161 I came across this line which is enabling SSL when host begins with https. I think modifying the if statement to take into account some environment variable could be sufficient.

If someone has a better idea feel free to jump in !

Thanks :)

Opa- avatar Dec 09 '20 18:12 Opa-

thanks for offering to help. generally we try to keep the same behavior as the server's ENV even though this impl is completely different. I think it would be a good idea to first check on the prefix, but it is possible the elasticsearch-hadoop lib will ignore any ssl settings if the url is plain text anyway, you'll have to test and see.

codefromthecrypt avatar Dec 09 '20 23:12 codefromthecrypt

I think you're right, it appears that elasticsearch-hadoop or Spark completely ignores it and I got no response from the ES server when trying to connect in https while not providing es.net.ssl (or setting it to false). And I can't see anywhere in es hadoop documentation a way to ignore the check 😕

Opa- avatar Dec 10 '20 12:12 Opa-

have you tried searching for similar issues in ES support forums or https://github.com/elastic/elasticsearch-hadoop?

codefromthecrypt avatar Dec 10 '20 23:12 codefromthecrypt

Could we use something like https://github.com/elastic/elasticsearch-hadoop/issues/1651#issuecomment-869560755 for ES_SSL_NO_VERIFY env like server?

ohanedan avatar Oct 27 '21 12:10 ohanedan

In my case, I was finally able to run zipkin-dependencies by setting SPARK_CONF environment variable to es.net.ssl.cert.allow.self.signed=true.

This differs a bit from a full SSL no verify as mentioned on https://github.com/elastic/elasticsearch-hadoop/issues/1651#issuecomment-984724073, but that should cover most of cases :wink:

Opa- avatar Dec 09 '21 10:12 Opa-