diff --git a/services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/persistence/config/ElasticConfig.java b/services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/persistence/config/ElasticConfig.java
index eb6f1b289d..ca811432f2 100644
--- a/services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/persistence/config/ElasticConfig.java
+++ b/services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/persistence/config/ElasticConfig.java
@@ -13,8 +13,15 @@ import co.elastic.clients.transport.endpoints.BooleanResponse;
 import co.elastic.clients.transport.rest_client.RestClientTransport;
 import com.fasterxml.jackson.databind.module.SimpleModule;
+import org.apache.http.Header;
 import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.message.BasicHeader;
 import org.elasticsearch.client.RestClient;
+import org.elasticsearch.client.RestClientBuilder;
 import org.epics.vtype.VType;
 import org.phoebus.applications.saveandrestore.model.Node;
 import org.phoebus.applications.saveandrestore.model.NodeType;
@@ -75,6 +82,16 @@ public class ElasticConfig {
 @Value("${elasticsearch.http.port:9200}")
 private int port;
+ @Value("${elasticsearch.authorization.header:}")
+ private String authorizationHeader;
+
+ @Value("${elasticsearch.authorization.username:}")
+ private String username;
+
+ @Value("${elasticsearch.authorization.password}")
+ private String password;
+
+
 private ElasticsearchClient client;
 private static final AtomicBoolean esInitialized = new AtomicBoolean();
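Review bot: `@Value("${elasticsearch.authorization.password}")` is the only one of the three new placeholders without a `:` default, so startup would presumably fail on an unresolved placeholder wherever the key is absent, for example when an external configuration replaces the bundled application.properties. Writing it as `@Value("${elasticsearch.authorization.password:}")` matches the other two fields and keeps authentication optional. Since `authorizationHeader` and `password` now hold secrets, a short comment on the fields saying they must never be written to logs would help later maintainers. The class body starts before and continues after this hunk.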
@@ -95,8 +112,20 @@ public class ElasticConfig {
 public ElasticsearchClient getClient() {
 if (client == null) {
 // Create the low-level client
- RestClient httpClient = RestClient.builder(new HttpHost(host, port)).build();
+ RestClientBuilder clientBuilder = RestClient.builder(new HttpHost(host, port));
+ // Configure authentication
+ if (!authorizationHeader.isEmpty()) {
+ clientBuilder.setDefaultHeaders(new Header[] {new BasicHeader("Authorization", authorizationHeader)});
+ if (!username.isEmpty() || !password.isEmpty()) {
+ logger.warning("elasticsearch.authorization_header is set, ignoring elasticsearch.username and elasticsearch.password.");
+ }
+ } else if (!username.isEmpty() || !password.isEmpty()) {
+ final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
+ credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
+ clientBuilder.setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider));
+ }
+ RestClient httpClient = clientBuilder.build();
 JacksonJsonpMapper jacksonJsonpMapper = new JacksonJsonpMapper();
 SimpleModule module = new SimpleModule();
 module.addSerializer(VType.class, new VTypeSerializer());
diff --git a/services/save-and-restore/src/main/resources/application.properties b/services/save-and-restore/src/main/resources/application.properties
index 6ad52e731e..6e3842668a 100644
--- a/services/save-and-restore/src/main/resources/application.properties
+++ b/services/save-and-restore/src/main/resources/application.properties
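Review bot: In ElasticConfig.getClient() the new Authorization header or Basic credentials are attached to a client built with `new HttpHost(host, port)`, which defaults to the `http` scheme, so the secret would travel unencrypted unless TLS is provided elsewhere. A configurable scheme passed as `new HttpHost(host, port, scheme)` would let deployments that enable authentication also require HTTPS. `AuthScope.ANY` lets the credentials answer a challenge from any host or realm; `new AuthScope(host, port)` binds them to the configured server. The warning text names `elasticsearch.authorization_header`, `elasticsearch.username` and `elasticsearch.password`, which do not match the keys the `@Value` fields read (`elasticsearch.authorization.header`, `elasticsearch.authorization.username`, `elasticsearch.authorization.password`). getClient() continues past the end of this hunk.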
@@ -9,6 +9,17 @@ server.port=8080
 elasticsearch.network.host=localhost
 elasticsearch.http.port=9200
+# The value for the `Authorization` header used in requests to the Elasticsearch server.
+# This header supports token-based or API key-based authentication.
+# See https://www.elastic.co/guide/en/elasticsearch/client/java-api-client/8.12/_other_authentication_methods.html
+elasticsearch.authorization.header =
+
+# Username and password for basic authentication with the Elasticsearch server.
+# These credentials are only used if `elasticsearch.authorization.header` is not set.
+elasticsearch.authorization.username =
+elasticsearch.authorization.password =
+
+
 # Do not change this!
 spring.jackson.serialization.write-dates-as-timestamps=false
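Review bot: The new comments do not mark `elasticsearch.authorization.header` and `elasticsearch.authorization.password` as secrets, and listing the keys in the bundled application.properties invites operators to fill in real values in a file that is packaged and version-controlled. I would add a line such as `# Secret: supply through an environment variable or an external, access-restricted configuration file; never commit a real value.` above both keys. It would also help to state in the comment that the keys are optional and that leaving all three empty disables authentication, which is what the code in ElasticConfig appears to do.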