Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SSL support for connection #8098

Merged
merged 7 commits into from
Dec 28, 2020
Merged

Add SSL support for connection #8098

merged 7 commits into from
Dec 28, 2020

Conversation

FlorianVeaux
Copy link
Member

@FlorianVeaux FlorianVeaux commented Nov 27, 2020
edited
Loading

The library we use (PyHDB) does not support SSL options when creating the connection to the database. See SAP-archive/PyHDB#107

This PR updates the Connection class to add SSL support when opening the socket to the db.

The official SAP HANA python driver has all the necessary configuration to connect with SSL), but unfortunately it's using a license that doesn't permit redistribution so we aren't using it.

@FlorianVeaux FlorianVeaux requested review from a team as code owners November 27, 2020 13:06
@codecov
Copy link

codecov bot commented Nov 27, 2020
edited
Loading

Codecov Report

Merging #8098 (4b489f6) into master (75f1f67) will increase coverage by 4.14%.
The diff coverage is 95.12%.

Impacted Files Coverage Δ
sap_hana/datadog_checks/sap_hana/connection.py 87.50% <87.50%> (ø)
sap_hana/datadog_checks/sap_hana/sap_hana.py 89.21% <100.00%> (ø)
sap_hana/tests/test_unit.py 100.00% <100.00%> (ø)
kafka/tests/conftest.py
cassandra/datadog_checks/cassandra/__init__.py
activemq_xml/tests/test_activemq_xml.py
process/tests/test_lock.py
postgres/tests/test_pg_integration.py
activemq/datadog_checks/activemq/__init__.py
dns_check/datadog_checks/dns_check/dns_check.py
... and 858 more

kayayarai
kayayarai previously approved these changes Nov 27, 2020
View reviewed changes
Copy link
Contributor

@kayayarai kayayarai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor edits for the docs

sap_hana/assets/configuration/spec.yaml Outdated
@@ -46,4 +46,11 @@ files:
type: integer
default: 10
- template: instances/db
- name: use_tls
description: |
This instructs the SAP HANA integration to connect using TLS.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This instructs the SAP HANA integration to connect using TLS.
Instructs the SAP HANA integration to connect using TLS.

sap_hana/datadog_checks/sap_hana/data/conf.yaml.example Outdated
@@ -100,6 +100,55 @@ instances:
# tags:
# - test:<INTEGRATION>

## @param use_tls - boolean - optional - default: false
## This instructs the SAP HANA integration to connect using TLS.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## This instructs the SAP HANA integration to connect using TLS.
## Instructs the SAP HANA integration to connect using TLS.

sap_hana/datadog_checks/sap_hana/data/conf.yaml.example Outdated
# use_tls: false

## @param tls_verify - boolean - optional - default: true
## Instructs the check to validate the TLS certificate of services.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Instructs the check to validate the TLS certificate of services.
## Instructs the check to validate the TLS certificates of services.

I think? multiple services will have multiple certificates?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, will have to be in another PR though as this option is used in many integrations. It has to be changed for all integrations at once in our "specs"

yzhan289
yzhan289 reviewed Nov 30, 2020
View reviewed changes
sap_hana/datadog_checks/sap_hana/connection.py
self._socket = self.tls_context.wrap_socket(self._socket, server_hostname=self.host)

# Initialization Handshake
self._socket.sendall(INITIALIZATION_BYTES)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you close the socket somewhere?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't, PyHDB does it. As mentioned this function is just an extension from the original implementation that does the same thing (i.e open the socket and initialize the connection): https://github.com/SAP/PyHDB/blob/v0.3.4/pyhdb/connection.py#L65

ChristineTChen
ChristineTChen reviewed Dec 22, 2020
View reviewed changes
sap_hana/datadog_checks/sap_hana/connection.py

response = self._socket.recv(8)
if len(response) != 8:
raise Exception("Connection failed")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be helpful to include the response for debugging?

@FlorianVeaux FlorianVeaux merged commit 09c2123 into master Dec 28, 2020
@FlorianVeaux FlorianVeaux deleted the florian/sap_hana_tls branch December 28, 2020 09:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yzhan289 yzhan289 yzhan289 left review comments

@ChristineTChen ChristineTChen ChristineTChen left review comments

@ofek ofek ofek approved these changes

@kayayarai kayayarai kayayarai left review comments

Assignees
No one assigned
Labels
documentation integration/sap_hana
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@FlorianVeaux @ofek @kayayarai @ChristineTChen @yzhan289