[Backport 2.11] Add early rejection from RestHandler for unauthorized requests (#3418) #3495

Merged


peternied
Member

Description

Backport of 6b0b682 from #3418

Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocates more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifier and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

… requests (opensearch-project#3418)

Previously unauthorized requests were fully processed and rejected once
they reached the RestHandler. This allocates more memory and resources
for these requests that might not be useful if they are already detected
as unauthorized. Using the headerVerifier and decompressor customization
from [1], perform an early authorization check when only the headers are
available, save an 'early response' for transmission and do not perform
the decompression on the request to speed up closing out the connection.

- Resolves opensearch-project/OpenSearch#10260

Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Co-authored-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
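
The flow the description above outlines (header-only check, saved early response, decompression skipped), as an added example that is not code from this pull request or the security plugin. The class and method names and the fixed demo credential are assumptions, and plain java.util.zip stands in for Netty's decompressor.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Map;
import java.util.Optional;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

// Added illustration; all names here are hypothetical, not the plugin's API.
public class EarlyRejectionDemo {
    record Response(int status, String body) {}
    static int inflatedBytes = 0; // work done by the decompression stage

    // Stage 1: runs when only the headers are available; an early response means "reject".
    static Optional<Response> verifyHeaders(Map<String, String> headers) {
        // Assumption: one fixed demo credential stands in for the real auth backends.
        if ("Basic ZGVtbzpkZW1v".equals(headers.get("Authorization"))) return Optional.empty();
        return Optional.of(new Response(401, "Unauthorized"));
    }

    // Stage 2: conditional decompressor; inflates only when no early response was saved.
    static byte[] maybeDecompress(byte[] body, Optional<Response> early) throws IOException {
        if (early.isPresent()) return new byte[0]; // body is dropped without being inflated
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(body))) {
            byte[] out = in.readAllBytes();
            inflatedBytes += out.length;
            return out;
        }
    }

    // Stage 3: the handler transmits the saved early response instead of doing any work.
    static Response handle(Map<String, String> headers, byte[] gzBody) throws IOException {
        Optional<Response> early = verifyHeaders(headers);
        byte[] content = maybeDecompress(gzBody, early);
        return early.orElseGet(() -> new Response(200, "accepted " + content.length + " bytes"));
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: 8 MiB of zeros, only a few KiB once gzipped.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(buf)) { gz.write(new byte[8 << 20]); }
        byte[] body = buf.toByteArray();
        System.out.println(handle(Map.of(), body) + " inflated=" + inflatedBytes);
        System.out.println(handle(Map.of("Authorization", "Basic ZGVtbzpkZW1v"), body) + " inflated=" + inflatedBytes);
    }
}
```

The `inflated` counter stays at zero for the request without credentials, which is the memory and CPU the change avoids spending on requests that will be rejected anyway.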
@cwperks
Member

cwperks commented Oct 6, 2023

@peternied Can you fix the failing code hygiene check?

> Task :checkstyleIntegrationTest FAILED
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:142: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:162: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:210: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:226: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:239: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:246: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:253: Do not use System.out.println [RegexpSinglelineJava]

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':checkstyleIntegrationTest'.
> A failure occurred while executing org.gradle.api.plugins.quality.internal.CheckstyleAction
   > Checkstyle rule violations were found. See the report at: file:///home/runner/work/security/security/build/reports/checkstyle/integrationTest.html
     Checkstyle files with violations: 1
     Checkstyle violations by severity: [error:7]

@cwperks
Member

cwperks commented Oct 6, 2023

bwc build fails with:

> Task :licenseHeaders FAILED

Files with unapproved licenses:

  /home/runner/work/security/security/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java

cwperks
cwperks previously approved these changes Oct 6, 2023
DarshitChanpura
DarshitChanpura previously approved these changes Oct 6, 2023
@codecov

codecov bot commented Oct 6, 2023

Codecov Report

Merging #3495 (9cc4f73) into 2.11 (ef1d27c) will increase coverage by 0.12%.
Report is 1 commits behind head on 2.11.
The diff coverage is 79.76%.

@@             Coverage Diff              @@
##               2.11    #3495      +/-   ##
============================================
+ Coverage     64.69%   64.81%   +0.12%     
- Complexity     3566     3610      +44     
============================================
  Files           267      273       +6     
  Lines         19893    20025     +132     
  Branches       3329     3346      +17     
============================================
+ Hits          12870    12980     +110     
- Misses         5383     5399      +16     
- Partials       1640     1646       +6     
Files Coverage Δ
...zon/dlic/auth/http/saml/HTTPSamlAuthenticator.java 68.44% <ø> (ø)
.../opensearch/security/OpenSearchSecurityPlugin.java 84.58% <ø> (ø)
...arch/security/filter/OpenSearchRequestChannel.java 41.66% <ø> (-8.34%) ⬇️
...search/security/filter/SecurityRequestFactory.java 75.00% <100.00%> (+8.33%) ⬆️
...rch/security/http/SecurityHttpServerTransport.java 100.00% <100.00%> (ø)
...curity/http/SecurityNonSslHttpServerTransport.java 100.00% <100.00%> (ø)
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java 85.11% <ø> (ø)
.../ssl/http/netty/Netty4ConditionalDecompressor.java 100.00% <100.00%> (ø)
...ttp/netty/SecuritySSLNettyHttpServerTransport.java 95.83% <100.00%> (+0.83%) ⬆️
...dlic/auth/http/saml/AuthTokenProcessorHandler.java 46.40% <0.00%> (ø)
... and 9 more

... and 3 files with indirect coverage changes

@peternied peternied dismissed stale reviews from DarshitChanpura and cwperks via 9cc4f73 October 6, 2023 23:56
@peternied peternied merged commit f7c47af into opensearch-project:2.11 Oct 7, 2023
55 of 58 checks passed
@peternied peternied deleted the backport/backport-3418-to-2.11 branch October 7, 2023 01:36
@peternied peternied added the backport 2.x backport to 2.x branch label Oct 7, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 7, 2023
… requests (#3418) (#3495)

### Description

Backport of 6b0b682 from #3418

Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Co-authored-by: Craig Perkins <[email protected]>
(cherry picked from commit f7c47af)
stephen-crawford pushed a commit that referenced this pull request Oct 9, 2023
…requests (#3418) (#3496)

Backport f7c47af from #3495

---------

Signed-off-by: Peter Nied <[email protected]>
Co-authored-by: Peter Nied <[email protected]>
peternied added a commit to peternied/security that referenced this pull request Oct 9, 2023
peternied added a commit to peternied/security that referenced this pull request Nov 9, 2023
…requests (opensearch-project#3418) (opensearch-project#3495)

Backport of 6b0b682 from opensearch-project#3418

Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Co-authored-by: Craig Perkins <[email protected]>
Signed-off-by: Peter Nied <[email protected]>