Ensure that dual mode enabled flag from cluster settings can get propagated to core #4820

Merged (5 commits) on Oct 21, 2024

@cwperks (Member) commented Oct 18, 2024

Description

Companion core PR: opensearch-project/OpenSearch#16387

Overrides a new method in the SecureTransportSettingsProvider interface to allow the security plugin to feed this value to core. This is required since the security plugin has a listener on cluster settings and allows this setting to be changed dynamically irrespective of the value in opensearch.yml.

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Bug fix

Testing

latest-dual-mode.zip

^ Attached above is a sample docker configuration for a 3 node cluster. node1 is commented out originally. All paths in the volumes are paths on my local machine and would need to change for a reproduction.

  1. Apply this change and companion core change on top of 2.17 branches of respective repos
    • For core repo run ./gradlew localDistro to create local snapshot jars for your distro
    • For security run ./gradlew assemble to create snapshot jars that get placed in build/distributions/ directory
  2. Update all volume mounts to reference the location of the snapshot jars on your local machine.
  3. Spin up nodes 2 and 3 from the attached config using docker compose down -v && docker compose up
    • These nodes come up with:
        plugins.security_config.ssl_dual_mode_enabled: true
        plugins.security.ssl_only: true
  4. Ensure that nodes come up successfully
  5. Dynamically change DualMode from true to false
        curl -XPUT https://localhost:9201/_cluster/settings -k -H "Content-Type: application/json" -d '{"persistent": {"plugins.security_config.ssl_dual_mode_enabled": false}}'
  6. Uncomment node 1 and bring it up in a new terminal window: docker compose up opensearch-node1
  7. OpenSearch node 1 should successfully join the cluster with this change and companion PR applied

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
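
A check for the dynamic change and the node 1 join in the testing steps above, as an added example that is not part of the PR: it reads the dynamic value of the dual-mode setting back from the cluster and confirms that node 1 is listed. The function names and the node name `opensearch-node1` (taken from the compose service name) are assumptions, and the sample responses are constructed.

```shell
#!/bin/sh
# Added verification helper, not part of the PR. Function names and the node
# name are assumptions; host, port and -k are taken from the steps above.
SETTING='plugins.security_config.ssl_dual_mode_enabled'

# Print the dynamic value of $SETTING found in a compact
# GET _cluster/settings?flat_settings=true response body ($1).
# Transient overrides persistent; prints "unset" if neither carries the key,
# in which case the node falls back to its opensearch.yml value.
dual_mode_from_settings() {
    for section in transient persistent; do
        value=$(printf '%s\n' "$1" | sed -n \
            "s/.*\"$section\":{[^}]*\"$SETTING\":\"\{0,1\}\([a-z]*\)\"\{0,1\}.*/\1/p")
        if [ -n "$value" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    printf 'unset\n'
}

# Succeed if node name $2 is listed in GET _cat/nodes?h=name output ($1).
node_joined() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# Live check: the setting must read back as false and the node must be listed.
verify_cluster() {
    base=${1:-https://localhost:9201}
    node=${2:-opensearch-node1}   # assumed node.name
    body=$(curl -sk "$base/_cluster/settings?flat_settings=true") || return 2
    [ "$(dual_mode_from_settings "$body")" = false ] ||
        { echo "dual mode is not false" >&2; return 1; }
    nodes=$(curl -sk "$base/_cat/nodes?h=name") || return 2
    node_joined "$nodes" "$node" || { echo "$node has not joined" >&2; return 1; }
    echo "dual mode false and $node joined"
}

# Constructed sample responses (not captured from a real cluster).
SAMPLE_SETTINGS='{"persistent":{"plugins.security_config.ssl_dual_mode_enabled":"false"},"transient":{}}'
SAMPLE_NODES='opensearch-node2
opensearch-node3
opensearch-node1'

if [ "${1:-}" = live ]; then
    verify_cluster "${2:-}" "${3:-}"
else
    dual_mode_from_settings "$SAMPLE_SETTINGS"
    node_joined "$SAMPLE_NODES" opensearch-node1 && echo joined
fi
```

Run with `live` as the first argument to query the cluster; without it the script only parses the embedded samples.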

…agated to core

Signed-off-by: Craig Perkins <cwperx@amazon.com>

codecov bot commented Oct 18, 2024

Codecov Report

Attention: Patch coverage is 83.33333% with 1 line in your changes missing coverage. Please review.

Project coverage is 70.77%. Comparing base (703d40f) to head (73d3a25).
Report is 11 commits behind head on main.

Files with missing lines Patch % Lines
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java 0.00% 1 Missing ⚠️

@@            Coverage Diff             @@
##             main    #4820      +/-   ##
==========================================
- Coverage   70.99%   70.77%   -0.22%     
==========================================
  Files         310      310              
  Lines       20938    20942       +4     
  Branches     3326     3326              
==========================================
- Hits        14865    14822      -43     
- Misses       4325     4374      +49     
+ Partials     1748     1746       -2     
Files with missing lines Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java 84.97% <100.00%> (+0.02%) ⬆️
.../security/ssl/OpenSearchSecureSettingsFactory.java 81.25% <100.00%> (+1.93%) ⬆️
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java 86.30% <0.00%> (ø)

... and 9 files with indirect coverage changes

@willyborankin willyborankin merged commit 811f26d into opensearch-project:main Oct 21, 2024
41 of 42 checks passed
@willyborankin willyborankin added the backport 2.x backport to 2.x branch label Oct 21, 2024
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 21, 2024
…agated to core (#4820)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit 811f26d)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>