Refactor CachingUsernamePassword realm #32646

Merged

@albertzaharovits albertzaharovits commented Aug 6, 2018

This is a refactoring of the gnarly caching logic in CachingUsernamePasswordRealm. I've been mulling over #30794 (review).
The refactoring concerns the authenticateWithCache method; lookupWithCache has only been revamped so that it follows the same pattern.

There is now a distinction between the listener of the in-flight authn request and the listeners of requests returned from cache. This greatly simplifies branching, removing redundancy and dead branches.

@albertzaharovits albertzaharovits added >non-issue review v7.0.0 :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v6.5.0 labels Aug 6, 2018
@albertzaharovits albertzaharovits self-assigned this Aug 6, 2018
@elasticmachine
Collaborator

Pinging @elastic/es-security

@albertzaharovits
Contributor Author

Build timed out (after 400 minutes). Marking the build as failed.

@elasticmachine test this please

final AtomicBoolean cachedAuthentication = new AtomicBoolean(true);
final ListenableFuture<UserWithHash> listenableCacheEntry = cache.computeIfAbsent(token.principal(), k -> {
final ListenableFuture<UserWithHash> created = new ListenableFuture<>();
// forward a new authenticate request to the external system
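
Review bot: the closure passed to cache.computeIfAbsent should not be the place where the authentication request is issued, which is what the comment on the last line announces. Nothing in these lines guarantees that the source completes its listener on another thread, so that listener could run while the entry for token.principal() is still being computed. Consider returning only the new ListenableFuture from the closure and starting the request after computeIfAbsent has returned, using cachedAuthentication to tell the in-flight request from the cached ones.
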
Member

this is a nit but the authentication system may be internal too. So I'd update the comment to say something like attempt authentication against authentication source

// notify the listener of the inflight authentication request
listener.onFailure(e);
}));
cachedAuthentication.set(false);
Member

we should move this to before the call to doAuthenticate. Even though doAuthenticate is asynchronous there is no requirement that another thread is forked.

Contributor Author

@albertzaharovits albertzaharovits Aug 23, 2018

I don't think it makes any difference if setting this flag is before or after the doAuthenticate.
It is not used in the doAuthenticate listeners.
I have moved it nonetheless because it is closer to where the flag is declared and it is probably easier to reason about it.

authenticatedUser.set(user);
final UserWithHash userWithHash = new UserWithHash(user, token.credentials(), cacheHasher);
future.onResponse(new Tuple<>(result, userWithHash));
final AtomicBoolean cachedAuthentication = new AtomicBoolean(true);
Member

can we rename this to authenticationInCache? cachedAuthentication could mean a few different things to me such as creating the future and putting it in the cache

logger.debug("realm [{}] authenticated user [{}], with roles [{}]",
name(), token.principal(), user.roles());
// notify the listener of the inflight authentication request
listener.onResponse(authResult);
Member

If I understand correctly, the listener is not added to the future because we don't want to create a loop in the failure cases? If so, can you please document this aspect.

Contributor Author

If I understand correctly, the listener is not added to the future because we don't want to create a loop in the failure cases?

Yes, the if (authenticationInCache) only adds a listener if this is not the inflight request. The listener retries the request if passwords don't match or the authn failed (when the inflight request returns). The inflight request's result, however, is definitive, it will not be retried, it has reached to the "source of truth" and if it has failed, there is no point in retrying. This strategy, of not retrying requests if they have reached to the source of truth, has the consequence of avoiding the loop in the failure case; given a set of requests that have to be retried, at least one will be handled in the next loop (and not retried anymore) - the one that had reached to the source of authentication.

This has not changed in this refactoring.
I have added comments about when retries happen (and don't happen). I hope it is clearer now.

try {
final ListenableFuture<UserWithHash> listenableCacheEntry = cache.computeIfAbsent(username, key -> {
final ListenableFuture<UserWithHash> created = new ListenableFuture<>();
// forward a new lookup request to the external system
Member

same comment about external system changing to authentication source.

@albertzaharovits
Contributor Author

albertzaharovits commented Aug 23, 2018

@jaymode I have addressed your review.
In addition, I have changed the call sites of cache.invalidate(token.principal(), listenableCacheEntry). They were problematic if, as suggested in a previous comment, the handler for doAuthenticate is not forked.
Now, the thread doing the retrial, does the cache invalidation (otherwise retrial will hit the cache and so on).

Please take it to another inspection when you get some cycles :)

Member

@jaymode jaymode left a comment

LGTM

Contributor

@tvernum tvernum left a comment

LGTM, if you can fix the 1 misleading comment.

try {
final ListenableFuture<UserWithHash> listenableCacheEntry = cache.computeIfAbsent(username, key -> {
final ListenableFuture<UserWithHash> created = new ListenableFuture<>();
// attempt authentication against authentication source
Contributor

This comment is incorrect - there's no "authentication" taking place here.

@albertzaharovits
Contributor Author

albertzaharovits commented Aug 24, 2018

Soooo, I can already hear the providential "I told you so".

It turns out FileRealm.doAuthenticate does not fork the listener which is unfortunate because doAuthenticate is called inside the cache.computeIfAbsent's closure. Under some circumstances, this causes a dreaded deadlock in the token API with the password grant type, because there you authenticate twice with the same username which is from the file realm.
I have moved doAuthenticate out of the computeIfAbsent, as the logic was before the refactoring.

I would still merge it, without straining your eyes again, since the change is minor - moving the function call outside of the computeIfAbsent closure, where the logic was before refactoring.

Here is the stacktrace:

        at java.util.concurrent.locks.LockSupport.park(java.base@10.0.1/LockSupport.java:194)
        at java.util.concurrent.CompletableFuture$Signaller.block(java.base@10.0.1/CompletableFuture.java:1796)
        at java.util.concurrent.ForkJoinPool.managedBlock(java.base@10.0.1/ForkJoinPool.java:3156)
        at java.util.concurrent.CompletableFuture.waitingGet(java.base@10.0.1/CompletableFuture.java:1823)
        at java.util.concurrent.CompletableFuture.get(java.base@10.0.1/CompletableFuture.java:1998)
        at org.elasticsearch.common.cache.Cache$CacheSegment.get(Cache.java:216)
        at org.elasticsearch.common.cache.Cache.get(Cache.java:365)
        at org.elasticsearch.common.cache.Cache.computeIfAbsent(Cache.java:391)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticateWithCache(CachingUsernamePasswordRealm.java:102)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:80)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$13(AuthenticationService.java:262)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2874/984721769.accept(Unknown Source)
        at org.elasticsearch.xpack.core.common.IteratingActionListener.run(IteratingActionListener.java:81)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:300)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateToken(AuthenticationService.java:447)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$100(AuthenticationService.java:131)
        at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:114)
        at org.elasticsearch.xpack.security.action.token.TransportCreateTokenAction.doExecute(TransportCreateTokenAction.java:54)
        at org.elasticsearch.xpack.security.action.token.TransportCreateTokenAction.doExecute(TransportCreateTokenAction.java:33)
        at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:143)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$apply$0(SecurityActionFilter.java:92)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter$$Lambda$2735/1108574229.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$authorizeRequest$4(SecurityActionFilter.java:181)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter$$Lambda$2740/547138660.accept(Unknown Source)
        at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:173)
        at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:167)
        at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:155)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:183)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:161)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter$$Lambda$2738/1448121039.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:172)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2694/655507933.accept(Unknown Source)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$4(AuthenticationService.java:205)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2695/390779409.run(Unknown Source)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:216)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:170)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:131)
        at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:101)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.applyInternal(SecurityActionFilter.java:160)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:113)
        at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:141)
        at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:119)
        at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:62)
        at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:83)
        at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:72)
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:388)
        at org.elasticsearch.xpack.security.rest.action.oauth2.RestGetTokenAction.lambda$innerPrepareRequest$2(RestGetTokenAction.java:76)
        at org.elasticsearch.xpack.security.rest.action.oauth2.RestGetTokenAction$$Lambda$2887/1566402091.accept(Unknown Source)
        at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:97)
        at org.elasticsearch.xpack.security.rest.SecurityRestFilter.lambda$handleRequest$0(SecurityRestFilter.java:58)
        at org.elasticsearch.xpack.security.rest.SecurityRestFilter$$Lambda$2871/1167417636.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$writeAuthToContext$23(AuthenticationService.java:434)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2852/282488026.run(Unknown Source)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.writeAuthToContext(AuthenticationService.java:443)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.finishAuthentication(AuthenticationService.java:424)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeUser(AuthenticationService.java:365)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$14(AuthenticationService.java:296)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2875/336384625.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:102)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$11(AuthenticationService.java:267)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2877/75287501.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.lambda$authenticateWithCache$0(CachingUsernamePasswordRealm.java:118)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm$$Lambda$2883/790843962.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.security.authc.file.FileRealm.doAuthenticate(FileRealm.java:44)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.lambda$authenticateWithCache$2(CachingUsernamePasswordRealm.java:106)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm$$Lambda$2879/1855572050.load(Unknown Source)
        at org.elasticsearch.common.cache.Cache.computeIfAbsent(Cache.java:433)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticateWithCache(CachingUsernamePasswordRealm.java:102)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:80)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$13(AuthenticationService.java:262)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2874/984721769.accept(Unknown Source)
        at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:99)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$11(AuthenticationService.java:281)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2877/75287501.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.lambda$authenticateWithCache$0(CachingUsernamePasswordRealm.java:118)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm$$Lambda$2883/790843962.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.security.authc.esnative.ReservedRealm.doAuthenticate(ReservedRealm.java:89)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.lambda$authenticateWithCache$2(CachingUsernamePasswordRealm.java:106)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm$$Lambda$2879/1855572050.load(Unknown Source)
        at org.elasticsearch.common.cache.Cache.computeIfAbsent(Cache.java:433)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticateWithCache(CachingUsernamePasswordRealm.java:102)
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:80)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$13(AuthenticationService.java:262)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2874/984721769.accept(Unknown Source)
        at org.elasticsearch.xpack.core.common.IteratingActionListener.run(IteratingActionListener.java:81)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:300)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2849/799190908.accept(Unknown Source)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$9(AuthenticationService.java:234)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2873/1413705348.run(Unknown Source)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:244)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:178)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2847/1681395474.accept(Unknown Source)
        at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
        at org.elasticsearch.xpack.security.authc.TokenService.getAndValidateToken(TokenService.java:275)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:174)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2694/655507933.accept(Unknown Source)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$4(AuthenticationService.java:205)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator$$Lambda$2695/390779409.run(Unknown Source)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:216)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:170)
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:131)
        at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:84)
        at org.elasticsearch.xpack.security.rest.SecurityRestFilter.handleRequest(SecurityRestFilter.java:55)
        at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:239)
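
The re-entrant wait visible in the stack trace above, reduced to a stand-alone Java sketch. This is an added example, not code from the pull request or from Elasticsearch: `BlockingCache`, this `doAuthenticate` and both `authenticate...` methods are hypothetical stand-ins, and the 200 ms timeout exists only so the demo terminates instead of parking forever.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import java.util.function.Function;

// Added illustration: every class and method name here is hypothetical, not Elasticsearch code.
public class InflightCacheDemo {

    // Cache whose computeIfAbsent makes later callers wait for the load already in flight for a key.
    static final class BlockingCache {
        private final ConcurrentHashMap<String, CompletableFuture<String>> loads = new ConcurrentHashMap<>();

        String computeIfAbsent(String key, Function<String, String> loader) throws Exception {
            CompletableFuture<String> mine = new CompletableFuture<>();
            CompletableFuture<String> inFlight = loads.putIfAbsent(key, mine);
            if (inFlight == null) {
                String value = loader.apply(key); // the loader runs on the calling thread
                mine.complete(value);
                return value;
            }
            // Bounded only for the demo; an unbounded get() would never return in the re-entrant case.
            return inFlight.get(200, TimeUnit.MILLISECONDS);
        }
    }

    // Stand-in for a realm that answers on the calling thread instead of forking.
    static void doAuthenticate(String user, Consumer<String> listener) {
        listener.accept("user:" + user);
    }

    // Before: the source is called inside the loader, so its listener runs while the entry is still loading.
    static void authenticateInsideLoader(BlockingCache cache, String user, Consumer<String> listener) {
        AtomicBoolean fromCache = new AtomicBoolean(true);
        try {
            String value = cache.computeIfAbsent(user, key -> {
                fromCache.set(false);
                String[] result = new String[1];
                doAuthenticate(key, r -> { result[0] = r; listener.accept(r); });
                return result[0];
            });
            if (fromCache.get()) {
                listener.accept(value);
            }
        } catch (TimeoutException e) {
            listener.accept("BLOCKED waiting on the load this thread has not finished");
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    // After: the loader only creates the placeholder; the source is called once computeIfAbsent has returned.
    static void authenticateOutsideLoader(ConcurrentHashMap<String, CompletableFuture<String>> cache,
                                          String user, Consumer<String> listener) {
        AtomicBoolean authenticationInCache = new AtomicBoolean(true);
        CompletableFuture<String> entry = cache.computeIfAbsent(user, key -> {
            authenticationInCache.set(false);
            return new CompletableFuture<>();
        });
        if (authenticationInCache.get()) {
            entry.thenAccept(listener); // answered by the in-flight or completed entry
        } else {
            doAuthenticate(user, r -> { entry.complete(r); listener.accept(r); });
        }
    }

    public static void main(String[] args) {
        // In both runs the first listener authenticates the same user again on the same thread.
        List<String> before = new ArrayList<>();
        BlockingCache blocking = new BlockingCache();
        authenticateInsideLoader(blocking, "alice",
            first -> authenticateInsideLoader(blocking, "alice", before::add));
        System.out.println("source called inside loader:  " + before);

        List<String> after = new ArrayList<>();
        ConcurrentHashMap<String, CompletableFuture<String>> cache = new ConcurrentHashMap<>();
        authenticateOutsideLoader(cache, "alice",
            first -> authenticateOutsideLoader(cache, "alice", after::add));
        System.out.println("source called outside loader: " + after);
    }
}
```

In the first variant the nested request times out on the entry its own thread is still loading; in the second it is answered from the entry that was completed before the listener ran.
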

}
} else {
doLookupUser(username, listener);
listenableCacheEntry.addListener(ActionListener.wrap(userWithHash -> {
Member

this should be in an else block IMO

Contributor Author

no, for lookup there is, and there was, no retrying; the listener for the reaching-out-request is notified just like all the other listeners.
When a lookup returns negatively, it clears the cache, but deferred requests will not be retried, they return negatively as well.

lookupInCache.set(false);
return new ListenableFuture<>();
});
if (false == lookupInCache.get()) {
Member

can we invert this condition to make it more like the authenticate version? so the actual lookup happens in the else of this if statement

Contributor Author

lookupInCache is tailored to be similar to authenticationInCache, just that, in the if branch, there is no action (cf. the next comment https://github.com/elastic/elasticsearch/pull/32646/files#r212724950).
Should I still invert it?

Member

No need

Member

@jaymode jaymode left a comment

LGTM. Thanks for pointing out where I misunderstood.

@albertzaharovits
Contributor Author

20:26:18 > Task :x-pack:qa:sql:security:ssl:check
20:26:18 Skipping task ':x-pack:qa:sql:security:ssl:check' as it has no actions.
20:26:18 :x-pack:qa:sql:security:ssl:check (Thread[Task worker for ':' Thread 12,5,main]) completed. Took 0.0 secs.
20:26:18 :x-pack:qa:sql:security:ssl:build (Thread[Task worker for ':' Thread 12,5,main]) started.
20:26:18 
20:26:18 > Task :x-pack:qa:sql:security:ssl:build
20:26:18 Skipping task ':x-pack:qa:sql:security:ssl:build' as it has no actions.
20:26:18 :x-pack:qa:sql:security:ssl:build (Thread[Task worker for ':' Thread 12,5,main]) completed. Took 0.0 secs.
20:26:18 
20:26:18 BUILD SUCCESSFUL in 1h 59m 16s
20:26:18 5912 actionable tasks: 3800 executed, 2112 up-to-date
20:26:18 runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
20:26:18 runbld>>> DURATION: 7662201ms
20:26:18 runbld>>> STDOUT: 30995106 bytes
20:26:18 runbld>>> STDERR: 175230 bytes
20:26:18 runbld>>> WRAPPED PROCESS: SUCCESS (0)
20:26:18 runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/elastic+elasticsearch+pull-request
20:26:29 runbld>>> Storing build metadata: bwc_refspec_distribution:bwc:next-minor-snapshot=e2dfd9c0b0baff12faaea9ef5630895c1f4967c4;bwc_refspec_distribution:bwc:next-bugfix-snapshot=ea4231675de17d34e48057a03b6b814a771e879c
20:26:58 runbld>>> FAILURES: 0
20:26:59 runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1531848254847/t/20180824181834-03FBE67F
20:26:59 runbld>>> NO MAIL GENERATED
20:27:04 Sending e-mails to: infra-root+build@elastic.co
20:27:04 Setting status of a85e7df85f6e233e67740f51bd88d6ddcb084431 to SUCCESS with url https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+pull-request/15955/ and message: 'Build finished. '
20:27:04 Using context: elasticsearch-ci
20:27:04 Finished: SUCCESS

Build was successful, but GUI looks stuck in pending, I will retry out of diligence.

@elasticmachine test this please

@albertzaharovits albertzaharovits merged commit c567ec4 into elastic:master Aug 26, 2018
@albertzaharovits albertzaharovits deleted the caching_realm_refactor branch August 26, 2018 11:09
albertzaharovits added a commit that referenced this pull request Aug 26, 2018
Refactors the logic of authentication and lookup caching in
`CachingUsernamePasswordRealm`. Nothing changed about
the single-inflight-request or positive caching.
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Aug 26, 2018
* master:
  Fix a mappings update test (elastic#33146)
  Reload Secure Settings REST specs & docs (elastic#32990)
  Refactor CachingUsernamePassword realm (elastic#32646)
  Add proxy support to RemoteClusterConnection (elastic#33062)
jasontedor added a commit that referenced this pull request Aug 27, 2018
* master:
  Adjust BWC version on mapping version
  Token API supports the client_credentials grant (#33106)
  Build: forked compiler max memory matches jvmArgs (#33138)
  Introduce mapping version to index metadata (#33147)
  SQL: Enable aggregations to create a separate bucket for missing values (#32832)
  Fix grammar in contributing docs
  SECURITY: Fix Compile Error in ReservedRealmTests (#33166)
  APM server monitoring (#32515)
  Support only string `format` in date, root object & date range (#28117)
  [Rollup] Move toBuilders() methods out of rollup config objects (#32585)
  Fix forbiddenapis on java 11  (#33116)
  Apply publishing to genreate pom (#33094)
  Have circuit breaker succeed on unknown mem usage
  Do not lose default mapper on metadata updates (#33153)
  Fix a mappings update test (#33146)
  Reload Secure Settings REST specs & docs (#32990)
  Refactor CachingUsernamePassword realm (#32646)
jasontedor added a commit that referenced this pull request Aug 27, 2018
* 6.x:
  Introduce mapping version to index metadata (#33147)
  Move non duplicated actions back into xpack core (#32952)
  HLRC: Create server agnostic request and response (#32912)
  Build: forked compiler max memory matches jvmArgs (#33138)
  * Added breaking change section for GROUP BY behavior: now it considers null or empty values as a separate group/bucket. Previously, they were ignored. * This is part of backporting of #32832
  SQL: Enable aggregations to create a separate bucket for missing values (#32832)
  [TEST] version guard for reload rest-api-spec
  Fix grammar in contributing docs
  APM server monitoring (#32515)
  Support only string `format` in date, root object & date range (#28117)
  [Rollup] Move toBuilders() methods out of rollup config objects (#32585)
  Accept Gradle build scan agreement (#30645)
  Fix forbiddenapis on java 11  (#33116)
  Run forbidden api checks with runtimeJavaVersion (#32947)
  Apply publishing to genreate pom (#33094)
  Fix a mappings update test (#33146)
  Reload Secure Settings REST specs & docs (#32990)
  Refactor CachingUsernamePassword realm (#32646)