fluent / fluent-plugin-opensearch / 14873730023

require 'date'

require 'excon'

require 'opensearch'

require 'set'

require 'json'

require 'uri'

require 'base64'

  require 'strptime'

require 'resolv'

require 'fluent/plugin/output'

require 'fluent/event'

require 'fluent/error'

require 'fluent/time'

require 'fluent/unique_id'

require 'fluent/log-ext'

require 'zlib'

require_relative 'opensearch_constants'

require_relative 'opensearch_error'

require_relative 'opensearch_error_handler'

require_relative 'opensearch_index_template'

require_relative 'opensearch_tls'

require_relative 'opensearch_fallback_selector'

  require_relative 'oj_serializer'

require 'aws-sdk-core'

require 'faraday_middleware/aws_sigv4'

require 'faraday/excon'

module Fluent::Plugin

  class OpenSearchOutput < Output

    class RecoverableRequestFailure < StandardError; end

    class UnrecoverableRequestFailure < Fluent::UnrecoverableError; end

    class RetryStreamEmitFailure < StandardError; end

    class MissingIdFieldError < StandardError; end

    class RetryStreamError < StandardError

      attr_reader :retry_stream

      def initialize(retry_stream)

        @retry_stream = retry_stream

    RequestInfo = Struct.new(:host, :index, :target_index, :alias)

    attr_reader :template_names

    attr_reader :ssl_version_options

    attr_reader :compressable_connection

    helpers :event_emitter, :compat_parameters, :record_accessor, :timer

    Fluent::Plugin.register_output('opensearch', self)

    DEFAULT_BUFFER_TYPE = "memory"

    DEFAULT_OPENSEARCH_VERSION = 1

    DEFAULT_TYPE_NAME = "_doc".freeze

    DEFAULT_RELOAD_AFTER = -1

    DEFAULT_TARGET_BULK_BYTES = -1

    DEFAULT_POLICY_ID = "logstash-policy"

    config_param :host, :string,  :default => 'localhost'

    config_param :port, :integer, :default => 9200

    config_param :user, :string, :default => nil

    config_param :password, :string, :default => nil, :secret => true

    config_param :path, :string, :default => nil

    config_param :scheme, :enum, :list => [:https, :http], :default => :http

    config_param :hosts, :string, :default => nil

    config_param :target_index_key, :string, :default => nil

    config_param :time_key_format, :string, :default => nil

    config_param :time_precision, :integer, :default => 9

    config_param :include_timestamp, :bool, :default => false

    config_param :logstash_format, :bool, :default => false

    config_param :logstash_prefix, :string, :default => "logstash"

    config_param :logstash_prefix_separator, :string, :default => '-'

    config_param :logstash_dateformat, :string, :default => "%Y.%m.%d"

    config_param :utc_index, :bool, :default => true

    config_param :suppress_type_name, :bool, :default => false

    config_param :index_name, :string, :default => "fluentd"

    config_param :id_key, :string, :default => nil

    config_param :write_operation, :string, :default => "index"

    config_param :parent_key, :string, :default => nil

    config_param :routing_key, :string, :default => nil

    config_param :request_timeout, :time, :default => 5

    config_param :reload_connections, :bool, :default => true

    config_param :reload_on_failure, :bool, :default => false

    config_param :retry_tag, :string, :default=>nil

    config_param :resurrect_after, :time, :default => 60

    config_param :time_key, :string, :default => nil

    config_param :time_key_exclude_timestamp, :bool, :default => false

    config_param :ssl_verify , :bool, :default => true

    config_param :client_key, :string, :default => nil

    config_param :client_cert, :string, :default => nil

    config_param :client_key_pass, :string, :default => nil, :secret => true

    config_param :ca_file, :string, :default => nil

    config_param :remove_keys, :string, :default => nil

    config_param :remove_keys_on_update, :string, :default => ""

    config_param :remove_keys_on_update_key, :string, :default => nil

    config_param :flatten_hashes, :bool, :default => false

    config_param :flatten_hashes_separator, :string, :default => "_"

    config_param :template_name, :string, :default => nil

    config_param :template_file, :string, :default => nil

    config_param :template_overwrite, :bool, :default => false

    config_param :customize_template, :hash, :default => nil

    config_param :index_date_pattern, :string, :default => "now/d"

    config_param :index_separator, :string, :default => "-"

    config_param :application_name, :string, :default => "default"

    config_param :templates, :hash, :default => nil

    config_param :max_retry_putting_template, :integer, :default => 10

    config_param :fail_on_putting_template_retry_exceed, :bool, :default => true

    config_param :fail_on_detecting_os_version_retry_exceed, :bool, :default => true

    config_param :max_retry_get_os_version, :integer, :default => 15

    config_param :include_tag_key, :bool, :default => false

    config_param :tag_key, :string, :default => 'tag'

    config_param :time_parse_error_tag, :string, :default => 'opensearch_plugin.output.time.error'

    config_param :reconnect_on_error, :bool, :default => false

    config_param :pipeline, :string, :default => nil

    config_param :with_transporter_log, :bool, :default => false

    config_param :emit_error_for_missing_id, :bool, :default => false

    config_param :sniffer_class_name, :string, :default => nil

    config_param :selector_class_name, :string, :default => nil

    config_param :reload_after, :integer, :default => DEFAULT_RELOAD_AFTER

    config_param :include_index_in_url, :bool, :default => false

    config_param :http_backend, :enum, list: [:excon, :typhoeus], :default => :excon

    config_param :http_backend_excon_nonblock, :bool, :default => true

    config_param :validate_client_version, :bool, :default => false

    config_param :prefer_oj_serializer, :bool, :default => false

    config_param :unrecoverable_error_types, :array, :default => ["out_of_memory_error", "rejected_execution_exception"]

    config_param :unrecoverable_record_types, :array, :default => ["json_parse_exception"]

    config_param :emit_error_label_event, :bool, :default => true

    config_param :verify_os_version_at_startup, :bool, :default => true

    config_param :default_opensearch_version, :integer, :default => DEFAULT_OPENSEARCH_VERSION

    config_param :log_os_400_reason, :bool, :default => false

    config_param :custom_headers, :hash, :default => {}

    config_param :suppress_doc_wrap, :bool, :default => false

    config_param :ignore_exceptions, :array, :default => [], value_type: :string, :desc => "Ignorable exception list"

    config_param :exception_backup, :bool, :default => true, :desc => "Chunk backup flag when ignore exception occured"

    config_param :bulk_message_request_threshold, :size, :default => DEFAULT_TARGET_BULK_BYTES

    config_param :compression_level, :enum, list: [:no_compression, :best_speed, :best_compression, :default_compression], :default => :no_compression

    config_param :truncate_caches_interval, :time, :default => nil

    config_param :use_legacy_template, :bool, :default => true

    config_param :catch_transport_exception_on_retry, :bool, :default => true

    config_param :target_index_affinity, :bool, :default => false

    config_section :metadata, param_name: :metainfo, multi: false do

      config_param :include_chunk_id, :bool, :default => false

      config_param :chunk_id_key, :string, :default => "chunk_id".freeze

    config_section :endpoint, multi: false do

      config_param :region, :string

      config_param :url do |c|

        c.chomp("/")

      config_param :access_key_id, :string, :default => ""

      config_param :secret_access_key, :string, :default => "", secret: true

      config_param :assume_role_arn, :string, :default => nil

      config_param :ecs_container_credentials_relative_uri, :string, :default => nil #Set with AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable value

      config_param :assume_role_session_name, :string, :default => "fluentd"

      config_param :assume_role_web_identity_token_file, :string, :default => nil

      config_param :sts_credentials_region, :string, :default => nil

      config_param :refresh_credentials_interval, :time, :default => "5h"

      config_param :aws_service_name, :enum, list: [:es, :aoss], :default => :es

    config_section :buffer do

      config_set_default :@type, DEFAULT_BUFFER_TYPE

      config_set_default :chunk_keys, ['tag']

      config_set_default :timekey_use_utc, true

    include Fluent::OpenSearchIndexTemplate

    include Fluent::Plugin::OpenSearchConstants

    include Fluent::Plugin::OpenSearchTLS

    def initialize

      super

    def aws_credentials(conf)

      credentials = nil

      unless conf[:access_key_id].empty? || conf[:secret_access_key].empty?

        credentials = Aws::Credentials.new(conf[:access_key_id], conf[:secret_access_key])

      raise "No valid AWS credentials found." unless credentials.set?

      credentials

    def sts_creds_region(conf)

    def configure(conf)

      compat_parameters_convert(conf, :buffer)

      super

      if @endpoint

        @reload_connections = false

      if placeholder_substitution_needed_for_template?

      elsif not @buffer_config.chunk_keys.include? "tag" and

        raise Fluent::ConfigError, "'tag' or '_index' in chunk_keys is required."

      @time_parser = create_time_parser

      @backend_options = backend_options

      @ssl_version_options = set_tls_minmax_version_config(@ssl_version, @ssl_max_version, @ssl_min_version)

      if @remove_keys

        @remove_keys = @remove_keys.split(/\s*,\s*/)

      if @target_index_key && @target_index_key.is_a?(String)

        @target_index_key = @target_index_key.split '.'

      if @remove_keys_on_update && @remove_keys_on_update.is_a?(String)

        @remove_keys_on_update = @remove_keys_on_update.split ','

      raise Fluent::ConfigError, "'max_retry_putting_template' must be greater than or equal to zero." if @max_retry_putting_template < 0

      raise Fluent::ConfigError, "'max_retry_get_os_version' must be greater than or equal to zero." if @max_retry_get_os_version < 0

      valid_host_placeholder = placeholder?(:host_placeholder, @host)

      if valid_host_placeholder && (@template_name && @template_file || @templates)

        if @verify_os_version_at_startup

          raise Fluent::ConfigError, "host placeholder, template installation, and verify OpenSearch version at startup are exclusive feature at same time. Please specify verify_os_version_at_startup as `false` when host placeholder and template installation are enabled."

        log.info "host placeholder and template installation makes your OpenSearch cluster a bit slow down(beta)."

      @template_names = []

      if !dry_run?

        if @template_name && @template_file

          if @logstash_format || placeholder_substitution_needed_for_template?

            class << self

              alias_method :template_installation, :template_installation_actual

            template_installation_actual(@template_name, @customize_template, @application_name, @index_name)

        if @templates

          retry_operate(@max_retry_putting_template,

            templates_hash_install(@templates, @template_overwrite)

      @truncate_mutex = Mutex.new

      if @truncate_caches_interval

      @credential_mutex = Mutex.new

      if @endpoint

        @_aws_credentials = aws_credentials(@endpoint)

        if @endpoint.refresh_credentials_interval

          timer_execute(:out_opensearch_expire_credentials, @endpoint.refresh_credentials_interval) do

            log.debug('Recreate the AWS credentials')

            @credential_mutex.synchronize do

              @_os = nil

                @_aws_credentials = aws_credentials(@endpoint)

                log.error("Failed to get new AWS credentials: #{e}")

      @serializer_class = nil

        require 'oj'

        @dump_proc = Oj.method(:dump)

        if @prefer_oj_serializer

      raise Fluent::ConfigError, "`password` must be present if `user` is present" if @user && @password.nil?

      if @user && m = @user.match(/%{(?<user>.*)}/)

        @user = URI.encode_www_form_component(m["user"])

      if @password && m = @password.match(/%{(?<password>.*)}/)

        @password = URI.encode_www_form_component(m["password"])

      @transport_logger = nil

      if @with_transporter_log

        @transport_logger = log

        log_level = conf['@log_level'] || conf['log_level']

        log.warn "Consider to specify log_level with @log_level." unless log_level

      @sniffer_class = nil

        @sniffer_class = Object.const_get(@sniffer_class_name) if @sniffer_class_name

      @selector_class = nil

        @selector_class = Object.const_get(@selector_class_name) if @selector_class_name

      @last_seen_major_version = if major_version = handle_last_seen_os_major_version

                                   major_version

                                   @default_opensearch_version

      if @validate_client_version && !dry_run?

        if @last_seen_major_version != client_library_version.to_i

          raise Fluent::ConfigError, <<-EOC

      if @last_seen_major_version >= 1

        case @ssl_version

          if @scheme == :https

            log.warn "Detected OpenSearch 1.x or above and enabled insecure security:

      if @ssl_version && @scheme == :https

        if !@http_backend_excon_nonblock

          log.warn "TLS handshake will be stucked with block connection.

      @id_key = convert_compat_id_key(@id_key) if @id_key

      @parent_key = convert_compat_id_key(@parent_key) if @parent_key

      @routing_key = convert_compat_id_key(@routing_key) if @routing_key

      @routing_key_name = configure_routing_key_name

      @meta_config_map = create_meta_config_map

      @current_config = nil

      @compressable_connection = false

      @ignore_exception_classes = @ignore_exceptions.map do |exception|

        unless Object.const_defined?(exception)

          Object.const_get(exception)

      if @bulk_message_request_threshold < 0

        class << self

          alias_method :split_request?, :split_request_size_uncheck?

        class << self

          alias_method :split_request?, :split_request_size_check?

    def dry_run?

      if Fluent::Engine.respond_to?(:dry_run_mode)

      elsif Fluent::Engine.respond_to?(:supervisor_mode)

        Fluent::Engine.supervisor_mode

    def placeholder?(name, param)

      placeholder_validities = []

      placeholder_validators(name, param).each do |v|

          v.validate!

          placeholder_validities << true

          log.debug("'#{name} #{param}' is tested built-in placeholder(s) but there is no valid placeholder(s). error: #{e}")

          placeholder_validities << false

      placeholder_validities.include?(true)

    def emit_error_label_event?

      !!@emit_error_label_event

    def compression

      !(@compression_level == :no_compression)

    def compression_strategy

      case @compression_level

        Zlib::DEFAULT_COMPRESSION

        Zlib::BEST_COMPRESSION

        Zlib::BEST_SPEED

    def backend_options

      case @http_backend

        { client_key: @client_key, client_cert: @client_cert, client_key_pass: @client_key_pass, nonblock: @http_backend_excon_nonblock }

    def handle_last_seen_os_major_version

      if @verify_os_version_at_startup && !dry_run?

        retry_operate(@max_retry_get_os_version,

          detect_os_major_version

    def detect_os_major_version

      @_os_info ||= client.info

        unless version = @_os_info.dig("version", "number")

      version.to_i

    def client_library_version

    def configure_routing_key_name

      'routing'.freeze

    def convert_compat_id_key(key)

      if key.include?('.') && !key.start_with?('$[')

        key = "$.#{key}" unless key.start_with?('$.')

      key

    def create_meta_config_map

      result = []

      result << [record_accessor_create(@id_key), '_id'] if @id_key

      result << [record_accessor_create(@parent_key), '_parent'] if @parent_key

      result << [record_accessor_create(@routing_key), @routing_key_name] if @routing_key

      result

    def create_time_parser

      if @time_key_format

          strptime = Strptime.new(@time_key_format)

          Proc.new { |value|

            value = convert_numeric_time_into_string(value, @time_key_format) if value.is_a?(Numeric)

            strptime.exec(value).to_datetime

          Proc.new { |value|

            value = convert_numeric_time_into_string(value, @time_key_format) if value.is_a?(Numeric)

            DateTime.strptime(value, @time_key_format)

        Proc.new { |value|

          value = convert_numeric_time_into_string(value) if value.is_a?(Numeric)

          DateTime.parse(value)

    def convert_numeric_time_into_string(numeric_time, time_key_format = "%Y-%m-%d %H:%M:%S.%N%z")

      numeric_time_parser = Fluent::NumericTimeParser.new(:float)

      Time.at(numeric_time_parser.parse(numeric_time).to_r).strftime(time_key_format)

    def parse_time(value, event_time, tag)

      @time_parser.call(value)

      if emit_error_label_event?

        router.emit_error_event(@time_parse_error_tag, Fluent::Engine.now, {'tag' => tag, 'time' => event_time, 'format' => @time_key_format, 'value' => value}, e)

      return Time.at(event_time).to_datetime

    def client(host = nil, compress_connection = false)

      connection_options = get_connection_options(host)

      @_os = nil unless is_existing_connection(connection_options[:hosts])

      @_os = nil unless @compressable_connection == compress_connection

      @_os ||= begin

        @compressable_connection = compress_connection

        @current_config = connection_options[:hosts].clone

        adapter_conf = if @endpoint

                         lambda {|f| f.adapter @http_backend, @backend_options }

        local_reload_connections = @reload_connections

        if local_reload_connections && @reload_after > DEFAULT_RELOAD_AFTER

          local_reload_connections = @reload_after

        gzip_headers = if compress_connection

                         {'Content-Encoding' => 'gzip'}

                         {}

        headers = {}.merge(@custom_headers)

        ssl_options = { verify: @ssl_verify, ca_file: @ca_file}.merge(@ssl_version_options)

        transport = OpenSearch::Transport::Transport::HTTP::Faraday.new(connection_options.merge(

        OpenSearch::Client.new transport: transport

    def get_escaped_userinfo(host_str)

      if m = host_str.match(/(?<scheme>.*)%{(?<user>.*)}:%{(?<password>.*)}(?<path>@.*)/)

        m["scheme"] +

        host_str

    def get_connection_options(con_host=nil)

      hosts = if @endpoint # For AWS OpenSearch Service

      elsif con_host || @hosts

        (con_host || @hosts).split(',').map do |host_str|

          if host_str.match(%r{^[^:]+(\:\d+)?$})

              host:   host_str.split(':')[0],

              port:   (host_str.split(':')[1] || @port).to_i,

            uri = URI(get_escaped_userinfo(host_str))

            %w(user password path).inject(host: uri.host, port: uri.port, scheme: uri.scheme) do |hash, key|

              hash[key.to_sym] = uri.public_send(key) unless uri.public_send(key).nil? || uri.public_send(key) == ''

              hash

        if Resolv::IPv6::Regex.match(@host)

          [{host: "[#{@host}]", scheme: @scheme.to_s, port: @port}]

          [{host: @host, port: @port, scheme: @scheme.to_s}]

        host.merge!(user: @user, password: @password) if !host[:user] && @user

        host.merge!(path: @path) if !host[:path] && @path

        hosts: hosts

    def connection_options_description(con_host=nil)

      get_connection_options(con_host)[:hosts].map do |host_info|

        attributes = host_info.dup

        attributes[:password] = 'obfuscated' if attributes.has_key?(:password)

        attributes.inspect

    def append_record_to_messages(op, meta, header, record, msgs)

      case op

        if meta.has_key?(ID_FIELD)

          header[UPDATE_OP] = meta

          msgs << @dump_proc.call(header) << BODY_DELIMITER

          msgs << @dump_proc.call(update_body(record, op)) << BODY_DELIMITER

          return true

        if meta.has_key?(ID_FIELD)

          header[CREATE_OP] = meta

          msgs << @dump_proc.call(header) << BODY_DELIMITER

          msgs << @dump_proc.call(record) << BODY_DELIMITER

          return true

        header[INDEX_OP] = meta

        msgs << @dump_proc.call(header) << BODY_DELIMITER

        msgs << @dump_proc.call(record) << BODY_DELIMITER

        return true

      return false

    def update_body(record, op)

      update = remove_keys(record)

      if @suppress_doc_wrap

        return update

      body = {"doc".freeze => update}

      if op == UPSERT_OP

        if update == record

          body["doc_as_upsert".freeze] = true

          body[UPSERT_OP] = record

      body

    def remove_keys(record)

      keys = record[@remove_keys_on_update_key] || @remove_keys_on_update || []

      record.delete(@remove_keys_on_update_key)

      return record unless keys.any?

      record = record.dup

      keys.each { |key| record.delete(key) }

      record

    def flatten_record(record, prefix=[])