[Backport 2.x] Add early rejection from RestHandler for unauthorized requests (#3418) #3496

Merged
merged 2 commits into from
Oct 9, 2023


opensearch-trigger-bot[bot]

Backport f7c47af from #3495

… requests (#3418) (#3495)

### Description

Backport of 6b0b682 from #3418

Previously unauthorized requests were fully processed and rejected once
they reached the RestHandler. This allocates more memory and resources
for these requests that might not be useful if they are already detected
as unauthorized. Using the headerVerifier and decompressor customization
from [1], perform an early authorization check when only the headers are
available, save an 'early response' for transmission and do not perform
the decompression on the request to speed up closing out the connection.

- Resolves opensearch-project/OpenSearch#10260

Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Co-authored-by: Craig Perkins <[email protected]>
(cherry picked from commit f7c47af)
Signed-off-by: Peter Nied <[email protected]>
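
The ordering described in the commit message above (header-only authorization check, saved early response, no decompression for rejected requests), shown as an added example that is not code from this pull request. It is a JDK-only model rather than the plugin's Netty handlers; `EarlyRejectionDemo`, `verifyHeaders`, `handle` and the bearer token are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Map;
import java.util.Optional;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

// Added illustration (hypothetical names, JDK only); not the security plugin's implementation.
public class EarlyRejectionDemo {
    static final String TOKEN = "Bearer constructed-demo-token"; // constructed sample credential
    static int inflateCalls = 0; // counts how often a request body was actually decompressed

    // Header-only check, run before any body byte is inspected (keys assumed lower-cased).
    // Returns the saved "early response" status when the request must be rejected.
    static Optional<Integer> verifyHeaders(Map<String, String> headers) {
        boolean ok = TOKEN.equals(headers.get("authorization"));
        return ok ? Optional.empty() : Optional.of(401);
    }

    static byte[] gunzip(byte[] body) throws IOException {
        inflateCalls++;
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(body))) {
            return in.readAllBytes();
        }
    }

    // Returns the HTTP status; only requests that passed the header check are inflated.
    static int handle(Map<String, String> headers, byte[] body) throws IOException {
        Optional<Integer> early = verifyHeaders(headers);
        if (early.isPresent()) {
            return early.get(); // compressed body is dropped untouched
        }
        byte[] payload = "gzip".equals(headers.get("content-encoding")) ? gunzip(body) : body;
        return payload.length > 0 ? 200 : 400;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body: 8 MiB of zeros, which gzip shrinks to a few KiB.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(buf)) {
            gz.write(new byte[8 * 1024 * 1024]);
        }
        byte[] body = buf.toByteArray();
        int denied = handle(Map.of("content-encoding", "gzip"), body);
        System.out.println("no credentials -> " + denied + ", inflateCalls=" + inflateCalls);
        int allowed = handle(Map.of("content-encoding", "gzip", "authorization", TOKEN), body);
        System.out.println("credentials    -> " + allowed + ", inflateCalls=" + inflateCalls);
    }
}
```

The counter stays at zero for the rejected request, so the memory cost of inflating the body is paid only after the header check has passed.
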
@peternied peternied changed the title [Backport 2.x] [Backport 2.11] Add early rejection from RestHandler for unauthorized requests (#3418) [Backport 2.x] Add early rejection from RestHandler for unauthorized requests (#3418) Oct 7, 2023

codecov bot commented Oct 7, 2023

Codecov Report

Merging #3496 (48bc298) into 2.x (f20cc68) will increase coverage by 0.13%.
The diff coverage is 79.76%.


@@             Coverage Diff              @@
##                2.x    #3496      +/-   ##
============================================
+ Coverage     64.73%   64.86%   +0.13%     
- Complexity     3570     3613      +43     
============================================
  Files           267      273       +6     
  Lines         19893    20025     +132     
  Branches       3329     3346      +17     
============================================
+ Hits          12877    12989     +112     
- Misses         5377     5389      +12     
- Partials       1639     1647       +8     
Files Coverage Δ
...zon/dlic/auth/http/saml/HTTPSamlAuthenticator.java 68.44% <ø> (ø)
.../opensearch/security/OpenSearchSecurityPlugin.java 84.58% <ø> (ø)
...arch/security/filter/OpenSearchRequestChannel.java 41.66% <ø> (-8.34%) ⬇️
...search/security/filter/SecurityRequestFactory.java 75.00% <100.00%> (+8.33%) ⬆️
...rch/security/http/SecurityHttpServerTransport.java 100.00% <100.00%> (ø)
...curity/http/SecurityNonSslHttpServerTransport.java 100.00% <100.00%> (ø)
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java 85.11% <ø> (ø)
.../ssl/http/netty/Netty4ConditionalDecompressor.java 100.00% <100.00%> (ø)
...ttp/netty/SecuritySSLNettyHttpServerTransport.java 95.83% <100.00%> (+0.83%) ⬆️
...dlic/auth/http/saml/AuthTokenProcessorHandler.java 46.40% <0.00%> (ø)
... and 9 more

... and 5 files with indirect coverage changes

@stephen-crawford stephen-crawford merged commit 0de30e2 into 2.x Oct 9, 2023
66 checks passed
@stephen-crawford stephen-crawford deleted the backport/backport-3495-to-2.x branch October 9, 2023 17:42
peternied added a commit to peternied/security that referenced this pull request Oct 9, 2023