As part of work related to: opensearch-project/OpenSearch#10260

A new step in the netty pipeline is being introduced before decompression called header_verifier. From the Draft implementation in #3418, it will skip decompression for unauthenticated requests since the body will only wind up being ignored.
The security plugin has logic to skip authentication for 3 types of requests:
OPTIONS
WhoAmI
Health
How should these be handled with conditional decompression? It's invalid for each of these requests to have a body, so is it possible to reject them if they do? Since conditional decompression is an optimization to forgo decompressing a request if it's unauthenticated, can we take advantage of that optimization and skip decompression if these requests have a body?
I am trying to understand who calls both of these endpoints and how, and will update this post with more info after diving further into the implementation of these endpoints.
[Triage] Hi @cwperks, thank you for filing this issue. This seems like a tracking issue for work you are currently conducting. Please leave your findings here and then close or alternatively provide explicit action items & closure criteria for someone else to pick up. Otherwise great job investigating!
Neither endpoint accepts a body with the request, so in the header_verifier model, if gzipped content is present it should be ignored and assumed to be a malformed call.
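The following is an added illustration of the two ideas discussed above (a header_verifier step that runs before decompression, and rejecting a body on the auth-skipped OPTIONS/WhoAmI/Health calls rather than decompressing it). It is example code written for this page, not the security plugin's own implementation or the #3418 draft. Assumptions: the WhoAmI and Health paths shown, the channel attribute name, the hypothetical `Predicate<HttpRequest>` standing in for the plugin's authentication check, and the choice of a 400 response for a body on a bodyless endpoint.

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpContentDecompressor;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.util.AttributeKey;
import io.netty.util.ReferenceCountUtil;

import java.util.function.Predicate;

/** Example header_verifier + conditional decompressor pair (illustrative, not the plugin's code). */
public final class HeaderVerifierExample {

    /** Per-channel flag read by the decompressor below. Attribute name is an assumption. */
    static final AttributeKey<Boolean> SKIP_DECOMPRESSION =
        AttributeKey.valueOf("example.skipDecompression");

    /** Paths assumed here for the two auth-skipped endpoints named in the issue. */
    private static final String WHOAMI_PATH = "/_plugins/_security/whoami";
    private static final String HEALTH_PATH = "/_plugins/_security/health";

    /** True for the three request types the plugin does not authenticate. */
    static boolean isAuthSkipped(HttpRequest req) {
        if (HttpMethod.OPTIONS.equals(req.method())) {
            return true;
        }
        String path = req.uri().split("\\?", 2)[0];
        return WHOAMI_PATH.equals(path) || HEALTH_PATH.equals(path);
    }

    /** Headers-only body detection: nothing past the request head is read or inflated. */
    static boolean hasBody(HttpRequest req) {
        return HttpUtil.getContentLength(req, 0L) > 0
            || HttpUtil.isTransferEncodingChunked(req)
            || req.headers().contains(HttpHeaderNames.CONTENT_ENCODING);
    }

    /** Sits in the pipeline ahead of the decompressor and decides per request head. */
    static final class HeaderVerifier extends ChannelInboundHandlerAdapter {
        private final Predicate<HttpRequest> authenticator; // hypothetical stand-in for the auth check

        HeaderVerifier(Predicate<HttpRequest> authenticator) {
            this.authenticator = authenticator;
        }

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
            if (msg instanceof HttpRequest) {
                HttpRequest req = (HttpRequest) msg;
                if (isAuthSkipped(req)) {
                    if (hasBody(req)) {
                        // A body on OPTIONS/WhoAmI/Health is malformed: reject it unread and
                        // unexpanded, so a compressed payload never costs the node any inflation.
                        ReferenceCountUtil.release(msg);
                        ctx.writeAndFlush(new DefaultFullHttpResponse(
                                req.protocolVersion(), HttpResponseStatus.BAD_REQUEST))
                           .addListener(ChannelFutureListener.CLOSE);
                        return;
                    }
                    ctx.channel().attr(SKIP_DECOMPRESSION).set(Boolean.TRUE);
                } else {
                    // Unauthenticated request: the body will be ignored, so skip decompression.
                    ctx.channel().attr(SKIP_DECOMPRESSION).set(!authenticator.test(req));
                }
            }
            super.channelRead(ctx, msg);
        }
    }

    /** Decompressor that honours the flag set by HeaderVerifier. */
    static final class ConditionalDecompressor extends HttpContentDecompressor {
        @Override
        protected EmbeddedChannel newContentDecoder(String contentEncoding) throws Exception {
            if (Boolean.TRUE.equals(ctx.channel().attr(SKIP_DECOMPRESSION).get())) {
                return null; // null makes HttpContentDecoder pass the content through untouched
            }
            return super.newContentDecoder(contentEncoding);
        }
    }
}
```

Pipeline order matters: `HeaderVerifier` must be added after the HTTP codec and before `ConditionalDecompressor`, so the request head reaches the verifier first and the attribute is already set when the decompressor sees the same head and calls `newContentDecoder`. The flag is per channel and rewritten on every request head, which is safe because Netty delivers a connection's messages in order on one event loop; the rejection branch closes the connection, so any body chunks already in flight are never inflated.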