App-ElasticSearch-Utilities
view release on metacpan or search on metacpan
lib/App/ElasticSearch/Utilities.pm view on Meta::CPAN
}
}
# Regexes for Pattern Expansion
our $CURRENT_VERSION;
my $CLUSTER_MASTER;
sub es_globals {
my ($key) = @_;
es_utils_initialize() unless keys %DEF;
return unless exists $_GLOBALS{$key};
return $_GLOBALS{$key};
}
my %_auth_cache = ();
sub es_basic_auth {
my ($host) = @_;
es_utils_initialize() unless keys %DEF;
$host ||= $DEF{HOST};
# Return the results if we've done this already
return @{ $_auth_cache{$host} }{qw(username password)}
if exists $_auth_cache{$host};
# Set the cached element
my %auth = ();
# Lookup the details netrc
my $netrc = Net::Netrc->lookup($host);
if( $DEF{HOST} eq $host ) {
%auth = map { lc($_) => $DEF{$_} } qw(USERNAME);
}
my %meta = ();
foreach my $k (qw( http-username password-exec )) {
foreach my $name ( $DEF{INDEX}, $DEF{BASE} ) {
next unless $name;
if( my $v = es_local_index_meta($k, $name) ) {
$meta{$k} = $v;
last;
}
}
}
# Get the Username
$auth{username} ||= $meta{'http-username'} ? $meta{'http-username'}
: defined $DEF{USERNAME} ? $DEF{USERNAME}
: defined $netrc ? $netrc->login
: $ENV{USER};
# Prompt for the password
$auth{password} ||= defined $netrc ? $netrc->password
: (es_pass_exec($host,$auth{username},$meta{'password-exec'})
|| prompt(sprintf "Password for '%s' at '%s': ", $auth{username}, $host)
);
# Store
$_auth_cache{$host} = \%auth;
return @auth{qw(username password)};
}
sub es_pass_exec {
my ($host,$username,$exec) = @_;
es_utils_initialize() unless keys %DEF;
# Simplest case we can't run
$exec ||= $DEF{PASSEXEC};
return unless length $exec && -x $exec;
my(@out,@err);
# Run the password command captue out, error and RC
run3 [ $exec, $host, $username ], \undef, \@out, \@err;
my $rc = $?;
# Record the error
if( @err or $rc != 0 ) {
output({color=>'red',stderr=>1},
sprintf("es_pass_exec() called '%s' and met with an error code '%d'", $exec, $rc),
@err
);
return;
}
# Format and return the result
my $passwd = $out[-1];
chomp($passwd);
return $passwd;
}
sub es_pattern {
es_utils_initialize() unless keys %DEF;
return {
re => $PATTERN,
string => $DEF{PATTERN},
};
}
sub _get_ssl_opts {
es_utils_initialize() unless keys %DEF;
my %opts = ();
$opts{SSL_ca_file} = $DEF{CACERT} if $DEF{CACERT};
$opts{SSL_ca_path} = $DEF{CAPATH} if $DEF{CAPATH};
$opts{SSL_cert_file} = $DEF{CERT} if $DEF{CERT};
$opts{SSL_key_file} = $DEF{KEY} if $DEF{KEY};
# Disable Certificate Verification
if ( $DEF{INSECURE} ) {
$opts{verify_hostname} = 0;
$opts{SSL_verify_mode} = 0x00;
}
lib/App/ElasticSearch/Utilities.pm view on Meta::CPAN
=item B<http-username>
If HTTP Basic Authentication is required, use this username.
See also the L<HTTP Basic Authentication> section for more details
=item B<password-exec>
If HTTP Basic Authentication is required, run this command, passing the arguments:
<command_to_run> <es_host> <es_username>
The script expects the last line to contain the password in plaintext.
=item B<noop>
Prevents any communication to the cluster from making changes to the settings or data contained therein.
In short, it prevents anything but HEAD and GET requests, B<except> POST requests to the _search endpoint.
=item B<timeout>
Timeout for connections and requests, defaults to 10.
=item B<keep-proxy>
By default, HTTP proxy environment variables are stripped. Use this option to keep your proxy environment variables
in tact.
=item B<insecure>
Don't verify TLS certificates
=item B<cacert>
Specify a file with the TLS CA certificates.
=item B<capath>
Specify a directory containing the TLS CA certificates.
=item B<cert>
Specify the path to the TLS client certificate file..
=item B<key>
Specify the path to the TLS client private key file.
=back
=head1 AUTHENTICATION
HTTP Basic Authorization is only supported when the C<proto> is set to B<https>
as not to leak credentials all over.
The username is selected by going through these mechanisms until one is found:
--http-username
'http-username' in /etc/es-utils.yml or ~/.es-utils.yml
Netrc element matching the hostname of the request
CLI::Helpers prompt()
Once the username has been resolved, the following mechanisms are tried in order:
Netrc element matching the hostname of the request
Password executable defined by --password-exec
'password-exec' in /etc/es-utils.yml, ~/.es-utils.yml
CLI::Helpers prompt()
=head2 Password Exec
It is B<BAD> practice to specify passwords as a command line argument, or store it in a plaintext
file. There are cases where this may be necessary, but it is not recommended. The best method for securing your
password is to use the B<password-exec> option.
This option must point to an executable script. That script will be passed two arguments, the hostname and the username
for the request. It expects the password printed to STDOUT as the last line of output. Here's an example password-exec setup
using Apple Keychain:
#!/bin/sh
HOSTNAME=$1;
USERNAME=$2;
/usr/bin/security find-generic-password -w -a "$USERNAME" -s "$HOSTNAME"
If we save this to "$HOME/bin/get-passwd.sh" we can execute a script
like this:
$ es-search.pl --http-username bob --password-exec $HOME/bin/get-passwd.sh \
--base secure-data --fields
Though it's probably best to set this in your ~/.es-utils.yml file:
---
host: secured-cluster.example.org
port: 443
proto: https
http-username: bob
password-exec: /home/bob/bin/get-passwd.sh
=head3 CLI::Helpers and Password Prompting
If all the fails to yield a password, the last resort is to use CLI::Helpers::prompt() to ask the user for their
password. If the user is using version 1.1 or higher of CLI::Helpers, this call will turn off echo and readline magic
for the password prompt.
=head1 INDEX SELECTION ARGUMENTS
=over
=item B<base>
In an environment using monthly, weekly, daily, or hourly indexes. The base index name is everything without the date.
Parsing for bases, also provides splitting and matching on segments of the index name delineated by the '-' character.
If we have the following indexes:
web-dc1-YYYY.MM.DD
web-dc2-YYYY.MM.DD
logstash-dc1-YYYY.MM.DD
logstash-dc2-YYYY.MM.DD
Valid bases would be:
web
web-dc1
web-dc2
logstash
logstash-dc1
logstash-dc2
dc1
dc2
Combining that with the days option can provide a way to select many indexes at once.
=item B<days>
How many days backwards you want your operation to be relevant.
=item B<datesep>
Default is '.' Can be set to an empty string for no separator.
=item B<pattern>
A pattern to match the indexes. Can expand the following key words and characters:
'*' expanded to '.*'
'ANY' expanded to '.*'
'DATE' expanded to a pattern to match a date,
The indexes are compared against this pattern.
=back
=head1 OVERVIEW
In addition to the scripts, the libraries provide a simplistic interface to
write your own scripts. It builds C<CLI::Helpers> to provide consistent options
for scripts.
use App::ElasticSearch::Utilities qw(:all);
use Data::Printer;
my $res = es_result('_cluster/health');
p($res)
( run in 1.742 second using v1.01-cache-2.11-cpan-6aa56a78535 )