-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve serialization speeds #2802
Improve serialization speeds #2802
Conversation
107798b
to
add8f29
Compare
src/main/java/org/opensearch/security/support/Base64Helper.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @parasjain1! I took a first pass and left comments with a few questions that I have. Can you outline the steps you took to do backwards compatibility testing?
What does this look like during a rolling upgrade?
src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/support/StreamableRegistry.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/support/Base64Helper.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/support/StreamableRegistry.java
Outdated
Show resolved
Hide resolved
I tested this by creating a cluster with OS2.5, kept some traffic flowing via OSB, and then triggered an upgrade to OS2.7 (the code was modified to have a check on OS2.5 instead of OS2.7 for testing). The upgrade succeeded and the cluster continued to operate normally. This signifies that the old and the new nodes were able to communicate properly. I've planned for a few additional rounds of testing especially with indices having DLS, FLS and Masked Field configurations. |
src/main/java/org/opensearch/security/support/StreamableRegistry.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for taking this on, seems like there are some big wins to make in this space to improve performance.
I would like to push this as far as we can into a change that can be merged into the 2.x line, still have some comments on the source issue #2780
src/main/java/org/opensearch/security/support/Base64Helper.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/support/Base64Helper.java
Outdated
Show resolved
Hide resolved
@parasjain1 Not sure if this would be helpful, but there was an issue with rolling upgrades from OS 1 to OS 2.x when there was a change in OS 2 to remove package replacement during serialization for the User object. From ODFE to OS 1 there was a change in the fully qualified package name of the user object from In this PR, it then kept track of the cluster state to know the minimum version of a node in the cluster to choose which serialization method to use. |
Correct. I see this is where the I just see this as another way of achieving the same result - i.e. to be able to decide what serialization protocol to use. Thoughts? |
Thought about it, we should be able to backport this as part of a new minor version in 2.x.x series. Can we take this PR to closure and have a separate issue for backporting this change? |
Lets keep iterating till we have a version of this change we feel confident can be backported. If this change is only targeting a 3.0 there is no time pressure, right? |
I was able to gather more understanding on the backporting and release process. Apologies for the confusion earlier. In below points, I'm clarifying and concluding the issue of backporting this PR -
|
add8f29
to
63197a1
Compare
Hi @parasjain1, I am reaching out to see what the status of this PR is? It seems like you looked into backporting the changes but may have decided to wait to make a contribution? Are you still planning on driving this forward or should we close this for now? |
3fbd880
to
5352128
Compare
Signed-off-by: Paras Jain <[email protected]>
45081b5
to
1904949
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is some organization around the BWC test I've called out, I'll try to address them with pushes before the end of my day. After those are fixed I'll approve.
Great work with the BWC tests to ensure this code works.
bwc-test/src/test/java/org/opensearch/security/bwc/SecurityBackwardsCompatibilityIT.java
Show resolved
Hide resolved
bwc-test/src/test/java/org/opensearch/security/bwc/SecurityBackwardsCompatibilityIT.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@parasjain1 Thank you for all of the patience and hard work on this PR. This change looks great to me and I don't have any further comments.
If we could refer to core's version of jackson in the bwc tests that would be ideal, but I won't let that hold up this PR.
I've restarted the CI on that failure and resolved the outstanding conversations after commenting. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work @parasjain1. Especially around cleaning up BWC tests.
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-2802-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 22f44d3bccf93a4af2562d26694094ec7151669f
# Push it to GitHub
git push --set-upstream origin backport/backport-2802-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x Then, create a pull request where the |
Use custom serialization in security plugin. - Resolves opensearch-project#2780 Signed-off-by: Paras Jain <[email protected]> Signed-off-by: Peter Nied <[email protected]> Co-authored-by: Paras Jain <[email protected]> Co-authored-by: Peter Nied <[email protected]> Signed-off-by: Paras Jain <[email protected]>
Signed-off-by: Paras Jain <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Craig Perkins <[email protected]> Co-authored-by: Paras Jain <[email protected]> Co-authored-by: Peter Nied <[email protected]>
This change will prevent new clusters from using the 'custom serialization' format that was causing performance impact with customers in OpenSearch 2.11. Background: the serialization changes from opensearch-project#2802 introduced issues where for certain serialization headers that were previously very small for over the wire transmission become much larger. The root cause of this was that the JDK serialization process was able to detect duplicate entries and then use an encoding format to make it compressible. Adding this logic into the serialization system from OpenSearch is non-trivial and is not being invested in. Signed-off-by: Peter Nied <[email protected]>
Description
Use custom serialization in security plugin.
Please refer #2780 for details.
Issues Resolved
Testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.