logstash-input-elasticsearch 5.3.1 → 5.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/docs/index.asciidoc +4 -2
- data/lib/logstash/inputs/elasticsearch.rb +25 -2
- data/spec/inputs/elasticsearch_spec.rb +22 -0
- data/version +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f16f7eb70ca4239c5d779c5fa8c77d0778ab48277c7f6ca4003d20894d0d7108
|
|
4
|
+
data.tar.gz: 59baf110729b3f8e353087dda028b6e6dc7c6973449307756729d451ddc4192e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5450236e4c130d4a7737520de8571d9364327703c8b715ed3aa6de638f604e83c0062ebc2d1f36fecbb7d11d6e29931f8e713008ae89529f843d048c8f82227d
|
|
7
|
+
data.tar.gz: 1e5fdda8c6feafa77d40eda3940155995fba96b1c6d925b74e3392e246eb893a46dc38912335011cc9bd9235a4bf9ad68a0378b8799e48947ea98f68c1cb2207
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,6 @@
|
|
|
1
|
+
## 5.3.2
|
|
2
|
+
- Support Elastic Cloud API keys in the `api_key` option, which now accepts an `id:api_key` pair, its base64-encoded form, or an `essu_` Cloud API key, and rejects an unrecognized format at startup [#274](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/274)
|
|
3
|
+
|
|
1
4
|
## 5.3.1
|
|
2
5
|
- Fix serverless request failure caused by conflicting `compatible-with` and `Elastic-Api-Version` headers when using elasticsearch-ruby v9 [#269](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/269)
|
|
3
6
|
|
data/docs/index.asciidoc
CHANGED
|
@@ -404,10 +404,12 @@ input plugins.
|
|
|
404
404
|
|
|
405
405
|
Authenticate using Elasticsearch API key. Note that this option also requires enabling the <<plugins-{type}s-{plugin}-ssl_enabled>> option.
|
|
406
406
|
|
|
407
|
-
|
|
407
|
+
The format is `id:api_key`, where `id` and `api_key` are as returned by the
|
|
408
408
|
Elasticsearch
|
|
409
409
|
{ref}/security-api-create-api-key.html[Create
|
|
410
|
-
API key API].
|
|
410
|
+
API key API]. The base64-encoded form of that pair is also accepted, as is an
|
|
411
|
+
https://www.elastic.co/docs/deploy-manage/api-keys/elastic-cloud-api-keys[Elastic Cloud API key]
|
|
412
|
+
(prefixed with `essu_`), which is used as-is.
|
|
411
413
|
|
|
412
414
|
[id="plugins-{type}s-{plugin}-ca_trusted_fingerprint"]
|
|
413
415
|
===== `ca_trusted_fingerprint`
|
|
@@ -216,7 +216,8 @@ class LogStash::Inputs::Elasticsearch < LogStash::Inputs::Base
|
|
|
216
216
|
config :cloud_auth, :validate => :password
|
|
217
217
|
|
|
218
218
|
# Authenticate using Elasticsearch API key.
|
|
219
|
-
#
|
|
219
|
+
# Format is either the `id:api_key` pair (as returned by https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html[Create API key]),
|
|
220
|
+
# its base64-encoded form, or an https://www.elastic.co/docs/deploy-manage/api-keys/elastic-cloud-api-keys[Elastic Cloud API key] (prefixed with `essu_`) can be used.
|
|
220
221
|
config :api_key, :validate => :password
|
|
221
222
|
|
|
222
223
|
# Set the address of a forward HTTP proxy.
|
|
@@ -542,10 +543,32 @@ class LogStash::Inputs::Elasticsearch < LogStash::Inputs::Base
|
|
|
542
543
|
def setup_api_key(api_key)
|
|
543
544
|
return {} unless (api_key&.value)
|
|
544
545
|
|
|
545
|
-
token =
|
|
546
|
+
token = resolve_api_key(api_key.value)
|
|
546
547
|
{ 'Authorization' => "ApiKey #{token}" }
|
|
547
548
|
end
|
|
548
549
|
|
|
550
|
+
# Resolves the `api_key` value into the credential used in the
|
|
551
|
+
# `Authorization: ApiKey` header. An already base64-encoded key and an Elastic
|
|
552
|
+
# Cloud API key are used as-is; a raw `id:api_key` pair is base64-encoded. An
|
|
553
|
+
# unrecognized value is rejected so a malformed key surfaces at startup rather
|
|
554
|
+
# than as a later authentication failure.
|
|
555
|
+
def resolve_api_key(key_value)
|
|
556
|
+
if base64?(key_value) || cloud_api_key?(key_value)
|
|
557
|
+
key_value
|
|
558
|
+
elsif key_value.match?(/\A[^:]+:[^:]+\z/)
|
|
559
|
+
Base64.strict_encode64(key_value)
|
|
560
|
+
else
|
|
561
|
+
raise LogStash::ConfigurationError, "Invalid api_key format. Expected a base64-encoded key, an 'id:api_key' pair, or a Cloud API key (essu_ prefix)."
|
|
562
|
+
end
|
|
563
|
+
end
|
|
564
|
+
|
|
565
|
+
# Elastic Cloud API keys (such as the unified Serverless keys) are opaque
|
|
566
|
+
# tokens prefixed with `essu_` that Elasticsearch accepts verbatim in the
|
|
567
|
+
# `Authorization: ApiKey` header, with no base64 encoding.
|
|
568
|
+
def cloud_api_key?(string)
|
|
569
|
+
string.match?(/\Aessu_.+/)
|
|
570
|
+
end
|
|
571
|
+
|
|
549
572
|
def base64?(string)
|
|
550
573
|
string == Base64.strict_encode64(Base64.strict_decode64(string))
|
|
551
574
|
rescue ArgumentError
|
|
@@ -835,6 +835,28 @@ describe LogStash::Inputs::Elasticsearch, :ecs_compatibility_support do
|
|
|
835
835
|
it_behaves_like "a plugin that sets the ApiKey authorization header"
|
|
836
836
|
end
|
|
837
837
|
|
|
838
|
+
context "with an Elastic Cloud API key (essu_ prefix)" do
|
|
839
|
+
# The suffix is intentionally not canonical base64: a Cloud key is opaque
|
|
840
|
+
# and must be forwarded verbatim regardless of its payload encoding.
|
|
841
|
+
let(:api_key_value) { "essu_VFZGblZreFhTekJ4ZDB4M2NHUnZRMEU2YzNWd1pYSnpaV055WlhRPQ==AAAAAAAA" }
|
|
842
|
+
|
|
843
|
+
it "sets the Authorization header verbatim without re-encoding" do
|
|
844
|
+
plugin.register
|
|
845
|
+
client = plugin.send(:client)
|
|
846
|
+
auth_header = client.transport.options[:transport_options][:headers]['Authorization']
|
|
847
|
+
|
|
848
|
+
expect(auth_header).to eql("ApiKey #{api_key_value}")
|
|
849
|
+
end
|
|
850
|
+
end
|
|
851
|
+
|
|
852
|
+
context "with an unrecognized api_key format" do
|
|
853
|
+
let(:api_key_value) { "not-a-valid-key" }
|
|
854
|
+
|
|
855
|
+
it "fails registration with a configuration error" do
|
|
856
|
+
expect { plugin.register }.to raise_error(LogStash::ConfigurationError, /Invalid api_key format/)
|
|
857
|
+
end
|
|
858
|
+
end
|
|
859
|
+
|
|
838
860
|
context 'user also set' do
|
|
839
861
|
let(:config) { super().merge({ 'api_key' => 'foo:bar', 'user' => 'another' }) }
|
|
840
862
|
|
data/version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
5.3.
|
|
1
|
+
5.3.2
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-input-elasticsearch
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.3.
|
|
4
|
+
version: 5.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2026-
|
|
10
|
+
date: 2026-07-03 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: logstash-core-plugin-api
|