-
Notifications
You must be signed in to change notification settings - Fork 176
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow to set a signature port for tunnel usage #491
base: main
Are you sure you want to change the base?
feat: allow to set a signature port for tunnel usage #491
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #491 +/- ##
==========================================
- Coverage 70.92% 70.58% -0.34%
==========================================
Files 81 81
Lines 7732 7738 +6
==========================================
- Hits 5484 5462 -22
- Misses 2248 2276 +28 ☔ View full report in Codecov by Sentry. |
a6cb241
to
ceccd38
Compare
Signed-off-by: Andreas Lang <[email protected]>
ceccd38
to
4e3ef98
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an interesting workaround, but I really don't think it's the right one. Using a tunnel is already quite suspicious for auth, it feels like MITM. With this change we're basically telling the signer to use a different host/port in some very special case - I am struggling to convince myself it's a good idea.
- What do other clients do? Do they break the same way?
- Can we just document this case and use a slightly more custom
AWSV4SignerAuth
?
I would merge a change that allows to override headers, and specifically to override the |
Yes, that is a really good point. It should work the same way if I replace the host header like localhost:10012 > realdomain:443. I will change the PR having an Authentication class specifically for that (e.g. |
I actually would prefer as a developer to be able to write something like this: client = OpenSearch(
hosts = [{'host': host, 'port': port}],
http_headers: {
'Host': 'something.us-west2.aws.bla.bla.bla'
}
) The signer implementation should be smart enough to consider this This seems more generic and future-proof, don't you think? |
@andreaslang Are you still interested in adding an |
Yes, I am. Sorry for the delay. I do have a good excuse that my daughter
was born though. Planning to pick this up soon.
…On Thu, 9 Nov 2023, 23:40 Daniel (dB.) Doubrovkine, < ***@***.***> wrote:
@andreaslang <https://github.com/andreaslang> Are you still interested in
adding an http_headers option?
—
Reply to this email directly, view it on GitHub
<#491 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAZJ2U3FVZSYEZW7CZ7R55LYDVSVDAVCNFSM6AAAAAA4UZOLR6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBUHA2DQMRZGE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Hello @andreaslang! Hope you're doing great. Could you please consider finishing up this PR when you have a moment? Thank you! |
Description
Allows to change the port used to sign the AWS request which is causing an issue if accessing an AWS Opensearch instance via a tunnel
If you have an ssh tunnel created this works now (while it would not without
signature_port
):Issues Resolved
#184
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.