Migrate Console to use Node http instead of Hapi to support GET requests with bodies #46200
Conversation
| @@ -105,42 +103,54 @@ export const createProxyRoute = ({ | |||
| const { path, method } = query; | |||
| const uri = resolveUri(baseUrl, path); | |||
|
|
|||
| // Because this can technically be provided by a settings-defined proxy config, we need to | |||
| // preserve these property names to maintain BWC. | |||
| const { timeout, rejectUnauthorized, agent, headers } = getConfigForReq(req, uri); | |||
There was a problem hiding this comment.
Note that rejectUnauthorized and agent are currently not being consumed. We should verify what kind of behavior depended upon them originally and ensure that behavior still exists.
… requests with bodies. - Remove payload configuration of endpoint.
b88fe9d to
254c605
Compare
💔 Build Failed |
|
Pinging @elastic/es-ui |
💔 Build Failed |
Removed some whitespace Converted Elasticsearch proxy config to TS (now we can see the types with https.AgentOptions) Wrap request in util.promisify and refactor Use 'url' lib for parsing URLs Remove rejectUnauthorized from proxy_route.js (this is a TLS setting handled in agent setup)
|
@elasticmachine merge upstream |
💔 Build Failed |
…t when piping to request.
💔 Build Failed |
💚 Build Succeeded |
|
@elasticmachine merge upstream |
💚 Build Succeeded |
|
+1 on the non request implementation, ref request/request#3142. It looks like it's not used but still in the title/description |
| headers: { | ||
| ...headers, | ||
| 'content-type': 'application/json', | ||
| 'transfer-encoding': 'chunked', |
There was a problem hiding this comment.
i don't feel very strongly about this, but think it's fine. the query may have a lot of data, but i would expect the ui to lock up before that's an issue. ace used to have a max of 65k lines but i'm a little out of date
There was a problem hiding this comment.
LGTM @jloleysens! I had some nitpicks on the code, but feel free to ignore them. I tested locally and marked everything with "DONE" that I was able to verify. Here are the things I haven't looked into because they're not things I'm familiar with:
- Effects upon users with read-only permissions: we could possibly ignore this one since I was just pointing out that this change may actually address the reported issue
- Support for streaming large responses: from @jbudz's comment it sounds like streaming is not actually a concern?
- Figure out what rejectUnauthorized was supposed to do: not sure if it's worth digging into this since auth seems to behave as expected
- proxyConfig and proxyFilters should still work: this is worth some light testing -- these features are deprecated and we stopped documenting them with 6.x, but we don't want to break things for anyone who still happens to be using this
| headers: http.OutgoingHttpHeaders; | ||
| } | ||
|
|
||
| // We use a modified version of Hapi's Wreck because Hapi, Axios, and Superagent don't support GET requests |
There was a problem hiding this comment.
Nit: got an extra space between "because" and "Hapi"
| import { URL } from 'url'; | ||
|
|
||
| interface Args { | ||
| method: string; |
There was a problem hiding this comment.
Nit: Should we change this to match https://github.com/elastic/kibana/pull/46570/files#diff-66fd5f9b6470ae3554f659cf3f40fe1dR24 ?
method: 'get' | 'post' | 'put' | 'delete' | 'patch' | 'head';| const req = client.request({ | ||
| method: method.toUpperCase(), | ||
| host: uri.hostname, | ||
| port: uri.port !== '' ? Number(uri.port) : undefined, |
There was a problem hiding this comment.
Nit: I think this would be easier to scan if we avoid the negative comparison:
port: uri.port === '' ? undefined : Number(uri.port),| host: uri.hostname, | ||
| port: uri.port !== '' ? Number(uri.port) : undefined, | ||
| protocol: uri.protocol, | ||
| path: `${uri.pathname}${uri.search || ''}`, |
There was a problem hiding this comment.
Nit: the code might be easier to scan if we destructure all of these uri properties on line 40, so we don't need to keep referring to it.
|
Thanks for looking through and doing manual testing! I can confirm on the points you did not test:
|
|
@elasticmachine merge upstream |
💚 Build Succeeded |
…sts with bodies (#46200) (#46953) * Cleaned up use of es.send API - Converted Elasticsearch proxy config to TS (now we can see the types with https.AgentOptions) - Wrap request in util.promisify and refactor - Use 'url' lib for parsing URLs - Remove rejectUnauthorized from proxy_route.js (this is a TLS setting handled in agent setup) * Retained original proxying behavior * Re-enable support for setting rejectUnauthorized via proxy config settings * Updated tests.
💚 Build Succeeded |
Fixes #11125. Replaces #39170.
Summary
This approach uses Node's
httplibrary. It contains an earlier commit which used the request library.Considerations
Effects upon users with read-only permissions
Per #36635 ("Autocomplete support for read only users"), some admins limit users to read-only access of a few select indices. How does this change affect the experience of users with these limited permissions? I would expect these users to experience problems due to their GET requests being converted to POST requests on master, and that these changes would address this problem.
Support for streaming large responses
How are large responses handled on master? Are they streamed? If so then we need to ensure this behavior is unaffected by these changes.
DONE: Auth header is sent with ES request
I verified that the required auth header is passed along by trying to access an index to which the user didn't have permission.
DONE: Correct error response is shown when ES is down
When ES is unavailable, the request to
HEAD /?pretty=trueshould resolve in:DONE: HEAD requests behave as expected
Create a document and then send a HEAD request for it.
Expected response:
DONE: JSON parse failures are returned
Create a document with an incorrectly formed payload.
Expected response:
DONE: SSL/TLS is still supported
Tested with an SSL setup and verified everything works as normal.
Figure out what
rejectUnauthorizedwas supposed to doThe
rejectUnauthorizedvariable was originally an option passed to Hapi, introduced in https://github.com/elastic/kibana/pull/10611/files. What did it do? Do we still need it?DONE: DELETE requests should support bodies
This is needed by the
scrollAPI.DONE:
catAPI responses still support formattingSend a [cat](https://www.elastic.co/guide/en/elasticsearch/reference/current/cat.html] request with formatting enabled:
Expect a response formatted like this:
DONE: GET requests which don't support bodies are rejected
Some APIs don't support bodies with GET requests and we still need to make sure they're being rejected.
On master this will act as a POST and create a document, but it should be an error:
proxyConfigandproxyFiltersshould still workWe should remove these settings for 8.0 (#39494), but for 7.x they're still supported. For more information on them see the 5.0 console docs.