Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segment Replication support: How to handle segment replication with the Security Index #2898

Closed
stephen-crawford opened this issue Jun 23, 2023 · 2 comments
Closed

Segment Replication support: How to handle segment replication with the Security Index #2898

stephen-crawford opened this issue Jun 23, 2023 · 2 comments
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@stephen-crawford
Copy link
Contributor

stephen-crawford commented Jun 23, 2023
edited by peternied
Loading

This issue is intended to be a discussion forum for figuring out how we want to handle segment replication. As part of the changes introduced with segment replication features (opensearch-project/OpenSearch#8182, opensearch-project/OpenSearch#8158) replication of the security index has been brought up.

A description of the situation can be found here: opensearch-project/OpenSearch#8182 (comment) and is provided by one of the Segment Replication contributors. Copying from their description, the major point of concern is:

However there are perf implications here that need to be called out. SegRep will on average increase the amount of time that replica shards are inconsistent from their primaries due to the time required to copy out segments (time dependent on cluster config/hardware etc). System indices are generally small and should copy out quickly, so I wouldn't expect this to be of major concern. Are there are cases where stronger read/write consistency is desired on the system index? If this is the case plugins would need to opensearch-project/OpenSearch#7375 for searches.

This means that there are potentially issues with replicated Security Indices are not consistent with the original and could lead to hypothetical areas of concern.

We should use this issue to determine the extent to which this would impact the security posture and be able to provide guidance to the Seg. Rep. developers on what we will need to uphold the highest security standards possible.
@stephen-crawford stephen-crawford added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jun 23, 2023
@stephen-crawford stephen-crawford mentioned this issue Jun 23, 2023
Closed
@stephen-crawford stephen-crawford removed the enhancement New feature or request label Jun 23, 2023
@cwperks
Copy link
Member

cwperks commented Jun 23, 2023

@scrawfor99 I think the security codebase needs to update the ConfigurationLoader to set a preference to use the primary shard when reloading the security index in the cache on every node.

In this section of code the security plugin can also set preference to _primary to instruct the mget request to run the query against the primary shard which will have the freshest data.

@cwperks cwperks mentioned this issue Jun 26, 2023
Closed
3 tasks
@DarshitChanpura DarshitChanpura added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jun 26, 2023
@davidlago davidlago added the v2.9.0 v2.9.0 label Jun 29, 2023
@davidlago davidlago removed the v2.9.0 v2.9.0 label Jul 31, 2023
@davidlago
Copy link

not taking any action at this point

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@davidlago @cwperks @DarshitChanpura @stephen-crawford