[Backport 1.3] Add early rejection from RestHandler for unauthorized requests (#3418) #3675
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
…ion (opensearch-project#3430) Backport of f20cc68 from opensearch-project#3430 Introduced a new abstraction, SecurityRequest & SecurityRequestChannel, to streamline and secure the authentication process in the OpenSearch Security plugin. By isolating the essential request components needed for authentication, we minimize potential risks associated with previous designs and provide a more maintainable architecture. Signed-off-by: Peter Nied <petern@amazon.com> (cherry picked from commit f20cc68)
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
…action Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
…requests (opensearch-project#3418) (opensearch-project#3495) Backport of 6b0b682 from opensearch-project#3418 Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Peter Nied <petern@amazon.com>
|
I've tested this change locally - CI won't start passing until the related change in core has been merged [1]. |
Signed-off-by: Peter Nied <petern@amazon.com>
12 tasks
Signed-off-by: Peter Nied <peternied@hotmail.com>
Signed-off-by: Peter Nied <peternied@hotmail.com>
Signed-off-by: Peter Nied <petern@amazon.com>
…ejection Signed-off-by: Peter Nied <petern@amazon.com>
… asRestResponse (opensearch-project#3717) (opensearch-project#3721) Backport opensearch-project#3717 to 2.11 Signed-off-by: Craig Perkins <cwperx@amazon.com>
…ation (opensearch-project#3599) Backport 499db78 from opensearch-project#3583. --------- Signed-off-by: Craig Perkins <craig5008@gmail.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Signed-off-by: Darshit Chanpura <dchanp@amazon.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Peter Nied <petern@amazon.com> Co-authored-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
peternied
changed the title
peternied
requested review from
cwperks,
DarshitChanpura,
davidlago,
RyanL1997,
stephen-crawford,
reta and
willyborankin
as code owners
cwperks
approved these changes
Nov 27, 2023
willyborankin
approved these changes
Nov 27, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Includes:
Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection.
graph TD oA["Receive Request Headers<br>(Orginal)"] --> oB[Decompress Request] oB --> oC[RestHandler] oC --> osrf[Intercept Request] subgraph sp[Security Plugin] osrf --> oD[Check Authorization] oD --> oE{Authorized?} oE -->|Yes| oF[Process and Respond] oE -->|No| oG[Reject Request] end oF --> oH[Forward to Request Handler] H["Receive Request Headers<br>(Updated)"] --> I[HeaderVerifier] subgraph nsp[Security Plugin] I --> J{Authorized?} J -->|Yes| K[Decompress Request] J -->|No| N[Save Early Response] end K --> L[RestHandler] N --> L L --> M[Intercept Request] subgraph n2sp[Security Plugin] M --> n2D["Check Authorization<br>(Cached)"] n2D --> nE{Authorized?} nE -->|Yes| nF[Process and Respond] nE -->|No| nG[Reject Request] end nF --> nH[Forward to Request Handler] class oA,oB old; class H,I,K,N,n2D new; classDef old fill:#f9d0c4,stroke:#f28b82; classDef new fill:#cfe8fc,stroke:#68a9ef;Issues Resolved
Check List
New functionality has been documentedBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.