diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 815f96f0c5..31e341b915 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -73,6 +73,7 @@ import org.opensearch.action.support.ActionFilter; import org.opensearch.client.Client; import org.opensearch.cluster.metadata.IndexNameExpressionResolver; +import org.opensearch.cluster.node.DiscoveryNode; import org.opensearch.cluster.node.DiscoveryNodes; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.component.Lifecycle.State; @@ -1189,6 +1190,7 @@ public static class GuiceHolder implements LifecycleComponent { private static RemoteClusterService remoteClusterService; private static IndicesService indicesService; private static PitService pitService; + private static DiscoveryNode localNode; // CS-SUPPRESS-SINGLE: RegexpSingleline Extensions manager used to allow/disallow TLS connections to extensions private static ExtensionsManager extensionsManager; @@ -1201,6 +1203,7 @@ public GuiceHolder(final RepositoriesService repositoriesService, GuiceHolder.indicesService = indicesService; GuiceHolder.pitService = pitService; GuiceHolder.extensionsManager = extensionsManager; + GuiceHolder.localNode = remoteClusterService.getLocalNode(); } // CS-ENFORCE-SINGLE @@ -1222,6 +1225,7 @@ public static IndicesService getIndicesService() { public static ExtensionsManager getExtensionsManager() { return extensionsManager; } // CS-ENFORCE-SINGLE + public static DiscoveryNode getLocalNode() { return localNode; } @Override public void close() { diff --git a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java index 44ed65ff36..d21ca45970 100644 --- a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java +++ b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java @@ -43,6 +43,7 @@ import org.opensearch.action.get.GetRequest; import org.opensearch.action.search.SearchAction; import org.opensearch.action.search.SearchRequest; +import org.opensearch.cluster.node.DiscoveryNode; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.io.stream.StreamInput; import org.opensearch.common.settings.Settings; @@ -68,6 +69,7 @@ import org.opensearch.transport.TransportRequestOptions; import org.opensearch.transport.TransportResponse; import org.opensearch.transport.TransportResponseHandler; +import org.opensearch.transport.TransportService; import static org.opensearch.security.OpenSearchSecurityPlugin.isActionTraceEnabled; @@ -85,14 +87,16 @@ public class SecurityInterceptor { private final ClusterInfoHolder clusterInfoHolder; private final SSLConfig SSLConfig; + private final DiscoveryNode localNode; + public SecurityInterceptor(final Settings settings, - final ThreadPool threadPool, final BackendRegistry backendRegistry, - final AuditLog auditLog, final PrincipalExtractor principalExtractor, - final InterClusterRequestEvaluator requestEvalProvider, - final ClusterService cs, - final SslExceptionHandler sslExceptionHandler, - final ClusterInfoHolder clusterInfoHolder, - final SSLConfig SSLConfig) { + final ThreadPool threadPool, final BackendRegistry backendRegistry, + final AuditLog auditLog, final PrincipalExtractor principalExtractor, + final InterClusterRequestEvaluator requestEvalProvider, + final ClusterService cs, + final SslExceptionHandler sslExceptionHandler, + final ClusterInfoHolder clusterInfoHolder, + final SSLConfig SSLConfig) { this.backendRegistry = backendRegistry; this.auditLog = auditLog; this.threadPool = threadPool; @@ -103,6 +107,7 @@ public SecurityInterceptor(final Settings settings, this.sslExceptionHandler = sslExceptionHandler; this.clusterInfoHolder = clusterInfoHolder; this.SSLConfig = SSLConfig; + this.localNode = OpenSearchSecurityPlugin.GuiceHolder.getLocalNode(); } public SecurityRequestHandler getHandler(String action, @@ -127,12 +132,14 @@ public void sendRequestDecorate(AsyncSender sender final String origCCSTransientMf = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_CCS); final boolean isDebugEnabled = log.isDebugEnabled(); - boolean isSameNodeRequest = false; - try { - isSameNodeRequest = cs.localNode().equals(connection.getNode()); // using DiscoveryNode equals comparison here - } catch (AssertionError e) { - // do nothing - } + boolean isSameNodeRequest = localNode != null && localNode.equals(connection.getNode()); +// try { +// isSameNodeRequest = cs.localNode().equals(connection.getNode()); // using DiscoveryNode equals comparison here +// } catch (AssertionError e) { +// // do nothing +// log.info(e); +// } + try (ThreadContext.StoredContext stashedContext = getThreadContext().stashContext()) { final TransportResponseHandler restoringHandler = new RestoringTransportResponseHandler(handler, stashedContext);