[Backport 2.11] Add early rejection from RestHandler for unauthorized requests (#3418) #3495

peternied · 2023-10-06T23:02:55Z

Description

Backport of 6b0b682 from #3418

Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection.

Resolves [Feature] Improve compressed request handling OpenSearch#10260

Check List

New functionality includes testing
New functionality has been documented
Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

… requests (opensearch-project#3418) Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Peter Nied <petern@amazon.com>

Signed-off-by: Peter Nied <petern@amazon.com>

cwperks · 2023-10-06T23:07:25Z

@peternied Can you fix the failing code hygiene check?

> Task :checkstyleIntegrationTest FAILED
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:142: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:162: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:210: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:226: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:239: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:246: Do not use System.out.println [RegexpSinglelineJava]
Error: eckstyle] [ERROR] /home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java:253: Do not use System.out.println [RegexpSinglelineJava]

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':checkstyleIntegrationTest'.
> A failure occurred while executing org.gradle.api.plugins.quality.internal.CheckstyleAction
   > Checkstyle rule violations were found. See the report at: file:///home/runner/work/security/security/build/reports/checkstyle/integrationTest.html
     Checkstyle files with violations: 1
     Checkstyle violations by severity: [error:7]

cwperks · 2023-10-06T23:08:16Z

bwc build fails with:

> Task :licenseHeaders FAILED

Files with unapproved licenses:

  /home/runner/work/security/security/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java

Signed-off-by: Peter Nied <petern@amazon.com>

codecov · 2023-10-06T23:34:32Z

Codecov Report

Merging #3495 (9cc4f73) into 2.11 (ef1d27c) will increase coverage by 0.12%.
Report is 1 commits behind head on 2.11.
The diff coverage is 79.76%.

@@             Coverage Diff              @@
##               2.11    #3495      +/-   ##
============================================
+ Coverage     64.69%   64.81%   +0.12%     
- Complexity     3566     3610      +44     
============================================
  Files           267      273       +6     
  Lines         19893    20025     +132     
  Branches       3329     3346      +17     
============================================
+ Hits          12870    12980     +110     
- Misses         5383     5399      +16     
- Partials       1640     1646       +6

Files	Coverage Δ
...zon/dlic/auth/http/saml/HTTPSamlAuthenticator.java	`68.44% <ø> (ø)`
.../opensearch/security/OpenSearchSecurityPlugin.java	`84.58% <ø> (ø)`
...arch/security/filter/OpenSearchRequestChannel.java	`41.66% <ø> (-8.34%)`	⬇️
...search/security/filter/SecurityRequestFactory.java	`75.00% <100.00%> (+8.33%)`	⬆️
...rch/security/http/SecurityHttpServerTransport.java	`100.00% <100.00%> (ø)`
...curity/http/SecurityNonSslHttpServerTransport.java	`100.00% <100.00%> (ø)`
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java	`85.11% <ø> (ø)`
.../ssl/http/netty/Netty4ConditionalDecompressor.java	`100.00% <100.00%> (ø)`
...ttp/netty/SecuritySSLNettyHttpServerTransport.java	`95.83% <100.00%> (+0.83%)`	⬆️
...dlic/auth/http/saml/AuthTokenProcessorHandler.java	`46.40% <0.00%> (ø)`
... and 9 more

... and 3 files with indirect coverage changes

Signed-off-by: Peter Nied <petern@amazon.com>

… requests (#3418) (#3495) ### Description Backport of 6b0b682 from #3418 Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Craig Perkins <cwperx@amazon.com> (cherry picked from commit f7c47af)

…requests (#3418) (#3496) Backport f7c47af from #3495 --------- Signed-off-by: Peter Nied <petern@amazon.com> Co-authored-by: Peter Nied <petern@amazon.com>

…requests (opensearch-project#3418) (opensearch-project#3496) Backport f7c47af from opensearch-project#3495 --------- Signed-off-by: Peter Nied <petern@amazon.com> Co-authored-by: Peter Nied <petern@amazon.com>

…requests (opensearch-project#3418) (opensearch-project#3495) Backport of 6b0b682 from opensearch-project#3418 Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Peter Nied <petern@amazon.com>

peternied requested review from cliu123, cwperks, DarshitChanpura, davidlago, RyanL1997, stephen-crawford, reta and willyborankin as code owners October 6, 2023 23:02

Delete unneeded file

a47dfcb

Signed-off-by: Peter Nied <petern@amazon.com>

Switch to system.err.println to avoid checkstyle rules

ddbe342

Signed-off-by: Peter Nied <petern@amazon.com>

cwperks previously approved these changes Oct 6, 2023

View reviewed changes

DarshitChanpura previously approved these changes Oct 6, 2023

View reviewed changes

Change format of error message to match previous behavoir

9cc4f73

Signed-off-by: Peter Nied <petern@amazon.com>

peternied dismissed stale reviews from DarshitChanpura and cwperks via 9cc4f73 October 6, 2023 23:56

cwperks approved these changes Oct 6, 2023

View reviewed changes

DarshitChanpura approved these changes Oct 7, 2023

View reviewed changes

peternied merged commit f7c47af into opensearch-project:2.11 Oct 7, 2023
55 of 58 checks passed

peternied deleted the backport/backport-3418-to-2.11 branch October 7, 2023 01:36

peternied added the backport 2.x backport to 2.x branch label Oct 7, 2023

opensearch-trigger-bot bot mentioned this pull request Oct 7, 2023

[Backport 2.x] Add early rejection from RestHandler for unauthorized requests (#3418) #3496

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Backport 2.11] Add early rejection from RestHandler for unauthorized requests (#3418) #3495

[Backport 2.11] Add early rejection from RestHandler for unauthorized requests (#3418) #3495

peternied commented Oct 6, 2023

cwperks commented Oct 6, 2023

cwperks commented Oct 6, 2023

codecov bot commented Oct 6, 2023 •

edited

Loading

[Backport 2.11] Add early rejection from RestHandler for unauthorized requests (#3418) #3495

[Backport 2.11] Add early rejection from RestHandler for unauthorized requests (#3418) #3495

Conversation

peternied commented Oct 6, 2023

Description

Check List

cwperks commented Oct 6, 2023

cwperks commented Oct 6, 2023

codecov bot commented Oct 6, 2023 • edited Loading

Codecov Report

codecov bot commented Oct 6, 2023 •

edited

Loading