Querying over QIPC
Prerequisites
- You have access to a running version of kdb Insights Enterprise. For more information, refer to the installation guide.
- You have installed the kdb Insights Command Line (KXI CLI) following the installation guide.
Authentication and Authorization
Acquire an access token
First, acquire an INSIGHTS_TOKEN
from a client that has the insights.query.*
roles:
You can create a new user to do this with the KXI CLI:
Administrator password
The administrator password mentioned below is defined during the installation of your kdb Insights Enterprise deployment. For more information, refer to the Administration Passwords documentation.
kxi user create john@kx.com --password mySecretPassword123! --admin-password <adminPassword> --not-temporary
INSIGHTS_ROLES="insights.client.create,insights.query.*"
kxi user assign-roles john@kx.com --roles $INSIGHTS_ROLES --admin-password <adminPassword>
export INSIGHTS_TOKEN=$(kxi auth print-token)
Acquire the endpoint by enrolling a client
Step 1 - Enroll a client
kxi client enrol --name query-client --insert-topic ext-taxi
{
"message": "success",
"detail": "Client enrolled",
"url": "5ed6e5b7c80c8e35d07249d12f32d9eb",
"config_url": "https://my-insights.kx.com/informationservice/details/5ed6e5b7c80c8e35d07249d12f32d9eb"
}
Step 2 - Curl the authenticated kdb Insights Enterprise client URL (KXI_CONFIG_URL
)
Copy the value returned for the config_url
key returned when the client is enrolled and run curl
against it:
KXI_CONFIG_URL=https://my-insights.kx.com/informationservice/details/5ed6e5b7c80c8e35d07249d12f32d9eb
curl $KXI_CONFIG_URL | jq
{
"name": "query-client",
"topics": {
"insert": "ext-taxi",
"query": "requests"
},
"ca": "-----BEGIN CERTIFICATE-----\nMIID .. ==\n-----END CERTIFICATE-----\n",
"cert": "-----BEGIN CERTIFICATE-----\nMII ... ==\n-----END CERTIFICATE-----\n",
"key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEp ... ==\n-----END CERTIFICATE-----\n",
"insert": {
"insert": [
":hostname-0:5000",
":hostname-1:5000",
":hostname-2:5000"
],
"query": []
},
"query": [
"k8s-insights-875d1037f3.elb.us-east-2.amazonaws.com:6050"
]
}
Step 3 - Define your query endpoint
export INSIGHTS_QUERY=k8s-insights-875d1037f3.elb.us-east-2.amazonaws.com:6050
Step 4 - Define your SSL certificates
You can use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to encrypt connections using the OpenSSL libraries. You can define your certificates using the code below. You can find more information on securing this traffic on the kdb+ and TLS page.
PATH_TO_CERTS=/tmp/certs
mkdir -p /tmp/certs
curl $KXI_CONFIG_URL | jq .ca | xargs printf > $PATH_TO_CERTS/ca.pem
export KX_SSL_CA_CERT_FILE=$PATH_TO_CERTS/ca.pem
Query
Use the username token
and the INSIGHTS_TOKEN
as the tcps
password, with the hostname and port of the load balancer:
h:hopen `$":tcps://",getenv[`INSIGHTS_QUERY],":token:",getenv `INSIGHTS_TOKEN;
h (`.kxi.getMeta;()!();`;()!())
Considerations
- Access tokens can expire, and using this with PyKX/q probably means we should get the tokens with
.kurl
and maintain them... - The Load Balancers for AWS will close
h
due to inactivity at a mere 30s, by default. You need to keep making requests to use this OR update the AWS settings. See https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html - There is no readiness check for SSL currently, so its possible to query the GW before the SSL port is up. You will get
'hop. OS reports: Protocol error
.