Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting #10562

Merged
merged 2 commits into from
Oct 11, 2023
Merged

Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting #10562

merged 2 commits into from
Oct 11, 2023

Conversation

reta
Copy link
Collaborator

@reta reta commented Oct 11, 2023
edited
Loading

Description

While instrumenting the transports (both TCP and HTTP), we found out that security plugin heavily depends on netty transport (in fact, it does not support anything else) but it is excessive typecasting the different transport object to their Netty4Xxx equivalents for accessing handlers and attributes. It significantly complicates any instrumentation efforts and needs general mechanism to access contextual information without typecasting.

Related Issues

Related to opensearch-project/security#3515

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@reta reta added the enhancement Enhancement or improvement to existing feature or request label Oct 11, 2023
@reta
Copy link
Collaborator Author

reta commented Oct 11, 2023

@peternied @Gaganjuneja fyi

@reta reta mentioned this pull request Oct 11, 2023
Closed
3 tasks
@reta
Copy link
Collaborator Author

reta commented Oct 11, 2023

(I will add changelog entry right when Gradle check fails, since it should)

@reta reta added the backport 2.x Backport to 2.x branch label Oct 11, 2023
@cwperks
Copy link
Member

cwperks commented Oct 11, 2023
edited
Loading

Thank you @reta! There are a couple of areas that the security plugin is coupled to netty:

  1. The security plugin's implementation of SSL relies on adding a step to the netty pipeline. The SSL Handler is the first step of the pipeline: https://github.com/opensearch-project/security/blob/c5f8c83cba3b4d6dfb7f9ec268a23874f7909003/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java#L147-L152
  2. As part of Add early rejection from RestHandler for unauthorized requests security#3418, a step in the netty pipeline was added before decompression to verify the request based on headers and uses netty channel attributes

As far as I can see, there are no automated tests to verify the behavior amongst other http engines

@reta
Copy link
Collaborator Author

reta commented Oct 11, 2023

I think for the instrumentation part with this change we should be set, what do you think?

The security plugin would need to set attributes as well. Can that be added?

Which ones?

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

github-actions bot commented Oct 11, 2023
edited
Loading

Compatibility status:

Checks if related components are compatible with change 1c184e2

Incompatible components

Incompatible components: [https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git]

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      2 org.opensearch.repositories.azure.AzureBlobContainerRetriesTests.testReadRangeBlobWithRetries

@codecov
Copy link

codecov bot commented Oct 11, 2023
edited
Loading

Codecov Report

Merging #10562 (1c184e2) into main (9bcd7ea) will increase coverage by 0.00%.
Report is 2 commits behind head on main.
The diff coverage is 0.00%.

@@            Coverage Diff            @@
##               main   #10562   +/-   ##
=========================================
  Coverage     71.16%   71.16%           
- Complexity    58399    58403    +4     
=========================================
  Files          4844     4844           
  Lines        275289   275306   +17     
  Branches      40083    40086    +3     
=========================================
+ Hits         195898   195928   +30     
+ Misses        62997    62956   -41     
- Partials      16394    16422   +28
Files Coverage Δ
...src/main/java/org/opensearch/http/HttpChannel.java 50.00% <0.00%> (-50.00%) ⬇️
...lemetry/tracing/channels/TraceableHttpChannel.java 54.54% <0.00%> (-2.60%) ⬇️
...tracing/channels/TraceableTcpTransportChannel.java 83.87% <0.00%> (-2.80%) ⬇️
...org/opensearch/transport/TaskTransportChannel.java 80.00% <0.00%> (-5.72%) ⬇️
...main/java/org/opensearch/transport/TcpChannel.java 85.71% <0.00%> (-14.29%) ⬇️
.../org/opensearch/transport/TcpTransportChannel.java 76.66% <0.00%> (-2.65%) ⬇️
...ava/org/opensearch/transport/TransportChannel.java 40.00% <0.00%> (-4.45%) ⬇️
.../opensearch/transport/netty4/Netty4TcpChannel.java 81.13% <0.00%> (-6.63%) ⬇️
.../org/opensearch/http/netty4/Netty4HttpChannel.java 65.38% <0.00%> (-19.62%) ⬇️

... and 469 files with indirect coverage changes

@reta reta changed the title Add the means to extract the contextual properties from HttpChannel, TcpCChannel and TrasportChannel without excessive typecasting Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting Oct 11, 2023
@reta
Add the means to extract the contextual properties from HttpChannel, …
ab4140c 
…TcpChannel and TrasportChannel without excessive typecasting

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
@reta
Copy link
Collaborator Author

reta commented Oct 11, 2023

The security plugin would need to set attributes as well. Can that be added?

Discussed with @cwperks offline, we'll looking into that separately

peternied
peternied reviewed Oct 11, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making access to this more generic - I much prefer this approach rather than downstream 'peaking' of the types. Couple of minor comments around the new interface.

modules/transport-netty4/src/main/java/org/opensearch/http/netty4/Netty4HttpChannel.java Outdated Show resolved Hide resolved
server/src/main/java/org/opensearch/http/HttpChannel.java Outdated Show resolved Hide resolved
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@reta
Address code review comments
1c184e2 
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
@reta
Copy link
Collaborator Author

reta commented Oct 11, 2023
edited
Loading

@cwperks @peternied @Gaganjuneja thanks for the review folks, the attributes issue is more complicated, looking if we even need that, but in any case the solution would be different and it would make sense to have a dedicated pull request for it.

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@Gaganjuneja
Copy link
Contributor

LGTM.

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@reta reta merged commit c55e1b4 into opensearch-project:main Oct 11, 2023
15 of 16 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 11, 2023
@github-actions
Add the means to extract the contextual properties from HttpChannel, …
d06c58a 
…TcpChannel and TrasportChannel without excessive typecasting (#10562)

* Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Address code review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

---------

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
(cherry picked from commit c55e1b4)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Oct 11, 2023
Merged
reta pushed a commit that referenced this pull request Oct 11, 2023
@github-actions @reta
Add the means to extract the contextual properties from HttpChannel, …
570dac9 
…TcpChannel and TrasportChannel without excessive typecasting (#10562)

* Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Address code review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

---------

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
(cherry picked from commit c55e1b4)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
reta pushed a commit that referenced this pull request Oct 11, 2023
@opensearch-trigger-bot @github-actions
Add the means to extract the contextual properties from HttpChannel, …
97efcfe 
…TcpChannel and TrasportChannel without excessive typecasting (#10562) (#10570)

* Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting



* Address code review comments



---------


(cherry picked from commit c55e1b4)

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
deshsidd pushed a commit to deshsidd/OpenSearch that referenced this pull request Oct 19, 2023
@reta @deshsidd
Add the means to extract the contextual properties from HttpChannel, …
f6f765b 
…TcpChannel and TrasportChannel without excessive typecasting (opensearch-project#10562)

* Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Address code review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

---------

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: Siddhant Deshmukh <deshsid@amazon.com>
austintlee pushed a commit to austintlee/OpenSearch that referenced this pull request Oct 23, 2023
@reta @austintlee
Add the means to extract the contextual properties from HttpChannel, …
6f34b5d 
…TcpChannel and TrasportChannel without excessive typecasting (opensearch-project#10562)

* Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Address code review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

---------

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
@reta reta mentioned this pull request Jan 4, 2024
Merged
8 tasks
@BrewTestBot BrewTestBot mentioned this pull request Feb 21, 2024
Merged
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
@reta @shiv0408
Add the means to extract the contextual properties from HttpChannel, …
49061f1 
…TcpChannel and TrasportChannel without excessive typecasting (opensearch-project#10562)

* Add the means to extract the contextual properties from HttpChannel, TcpChannel and TrasportChannel without excessive typecasting

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Address code review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

---------

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stephen-crawford stephen-crawford stephen-crawford approved these changes

@cwperks cwperks cwperks approved these changes

@peternied peternied peternied approved these changes

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE is a code owner

@dblock dblock Awaiting requested review from dblock dblock is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna is a code owner

@setiah setiah Awaiting requested review from setiah

@kartg kartg Awaiting requested review from kartg

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 is a code owner

@nknize nknize Awaiting requested review from nknize nknize is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 is a code owner

@ryanbogan ryanbogan Awaiting requested review from ryanbogan

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja is a code owner

@dreamer-89 dreamer-89 Awaiting requested review from dreamer-89

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@dbwiddis dbwiddis Awaiting requested review from dbwiddis dbwiddis is a code owner

@sachinpkale sachinpkale Awaiting requested review from sachinpkale sachinpkale is a code owner

@sohami sohami Awaiting requested review from sohami sohami is a code owner

@msfroh msfroh Awaiting requested review from msfroh msfroh is a code owner

Assignees
No one assigned
Labels
backport 2.x Backport to 2.x branch enhancement Enhancement or improvement to existing feature or request skip-changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@reta @cwperks @Gaganjuneja @peternied @stephen-crawford