Introducing passive_intertransport_auth to facilitate communication b… #1156
Merged: vengadanathan-s merged 10 commits into opensearch-project:main from dhiAmzn:transport_passive_mode on Jun 9, 2021
Conversation
vrozov reviewed on May 8, 2021: src/main/java/com/amazon/opendistroforelasticsearch/security/OpenDistroSecurityPlugin.java (outdated, resolved)
vrozov reviewed on May 8, 2021:
- src/main/java/com/amazon/opendistroforelasticsearch/security/configuration/CompatConfig.java (outdated, resolved)
- src/main/java/com/amazon/opendistroforelasticsearch/security/configuration/CompatConfig.java (outdated, resolved)
- src/main/java/com/amazon/opendistroforelasticsearch/security/user/User.java (outdated, resolved)
- ...test/java/com/amazon/opendistroforelasticsearch/security/AdvancedSecurityMigrationTests.java (resolved)
dhiAmzn force-pushed the transport_passive_mode branch from 1d6a3b7 to e5a90d7 on May 13, 2021 10:27
vengadanathan-s previously approved these changes on May 13, 2021
vrozov reviewed on May 17, 2021: src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/impl/v7/ConfigV7.java (outdated, resolved)
dhiAmzn force-pushed the transport_passive_mode branch 2 times, most recently from c7853af to 974087a on May 28, 2021 21:19
Codecov Report

@@ Coverage Diff @@
##              main    #1156      +/-   ##
============================================
+ Coverage     64.61%   64.65%   +0.04%
- Complexity     3178     3193      +15
============================================
  Files           245      247       +2
  Lines         17140    17191      +51
  Branches       3034     3042       +8
============================================
+ Hits          11075    11115      +40
- Misses         4519     4526       +7
- Partials       1546     1550       +4

Continue to review full report at Codecov.
vengadanathan-s previously approved these changes on Jun 3, 2021
src/main/java/org/opensearch/security/setting/TransportPassiveAuthSetting.java (outdated, resolved)
vrozov reviewed on Jun 4, 2021:
- src/main/java/org/opensearch/security/setting/OpensearchDynamicSetting.java (outdated, resolved)
- src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java (outdated, resolved)
- src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java (outdated, resolved)
dhiAmzn force-pushed the transport_passive_mode branch from 9d714f8 to eb8b5b2 on June 4, 2021 04:38
vengadanathan-s previously approved these changes on Jun 4, 2021
…etween nodes with adv sec enabled and nodes without adv sec enabled. Changes to ssl_dual_mode_enabled to support the same. Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
…r setting instead of opendistro config Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
dhiAmzn force-pushed the transport_passive_mode branch from eb8b5b2 to ada9ef5 on June 4, 2021 17:35
Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
vrozov reviewed on Jun 7, 2021: src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java (resolved)
niravpi pushed a commit to niravpi/security that referenced this pull request on Jun 18, 2021:
…etween nodes with adv sec enabled and nodes without adv sec enabled.(opensearch-project#1156) (Cherry picked from commit 9adcd20)
niravpi pushed a commit to niravpi/security that referenced this pull request on Jun 21, 2021:
…etween nodes with adv sec enabled and nodes without adv sec enabled.(opensearch-project#1156) (Cherry picked from commit 9adcd20)
cliu123 pushed a commit that referenced this pull request on Jul 15, 2021:
* Correcting setupSslOnlyMode to use AbstractSecurityUnitTest.hasCustomTransportSettings() (#1057) (cherry picked from commit 70a4f70)
* Introducing passive_intertransport_auth to facilitate communication between nodes with adv sec enabled and nodes without adv sec enabled.(#1156) (Cherry picked from commit 9adcd20)
Co-authored-by: Debjani Banerjee <56744681+debjanibnrj@users.noreply.github.com>
Co-authored-by: dhiAmzn <81139246+dhiAmzn@users.noreply.github.com>
cliu123 pushed a commit that referenced this pull request on Jul 16, 2021:
* Correcting setupSslOnlyMode to use AbstractSecurityUnitTest.hasCustomTransportSettings() (#1057) (cherry picked from commit 70a4f70)
* Introducing passive_intertransport_auth to facilitate communication between nodes with adv sec enabled and nodes without adv sec enabled.(#1156) (Cherry picked from commit 9adcd20)
Co-authored-by: Debjani Banerjee <56744681+debjanibnrj@users.noreply.github.com>
Co-authored-by: dhiAmzn <81139246+dhiAmzn@users.noreply.github.com>
lbreinig pushed a commit to lbreinig/security that referenced this pull request on Dec 23, 2021:
opensearch-project#1156)
* Introducing passive_intertransport_auth to facilitate communication between nodes with adv sec enabled and nodes without adv sec enabled. Changes to ssl_dual_mode_enabled to support the same. Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Addressed comments Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Minor fix Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Modifying transportInterClusterPassiveAuth to be controlled by cluster setting instead of opendistro config Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Fixing unit tests Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Resolving conflicts with mainline Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Removing Filtered property from new setting, improving code readability Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Fixing UTs where node space causing shards to be unassigned Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Reverting cluster setting in UT Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Addressing minor comment on UT Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
wuychn pushed a commit to ochprince/security that referenced this pull request on Mar 16, 2023:
opensearch-project#1156)
* Introducing passive_intertransport_auth to facilitate communication between nodes with adv sec enabled and nodes without adv sec enabled. Changes to ssl_dual_mode_enabled to support the same. Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Addressed comments Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Minor fix Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Modifying transportInterClusterPassiveAuth to be controlled by cluster setting instead of opendistro config Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Fixing unit tests Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Resolving conflicts with mainline Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Removing Filtered property from new setting, improving code readability Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Fixing UTs where node space causing shards to be unassigned Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Reverting cluster setting in UT Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
* Addressing minor comment on UT Signed-off-by: Dhiresh Jain <dhireshj@amazon.com>
…etween nodes with adv sec enabled and nodes without adv sec enabled.
Changes to ssl_dual_mode_enabled to support the same.
Signed-off-by: Dhiresh Jain dhireshj@amazon.com
opendistro-for-elasticsearch/security pull request intake form
Please provide as much detail as possible to get feedback/acceptance on your PR quickly
NOTE: This commit has been moved from opendistro repo to opensearch. The manual test was done using docker in opendistro. Docker testing is currently unavailable in opensearch so did not perform a manual test here yet.
Category: New feature
Github Issue # or road-map entry, if available:
Description of changes: Introducing opendistro security dynamic config feature flag "passive_intertransport_auth".
Additionally, making changes to ssl_dual_node behaviour.
The changes allow transport communication between nodes with advanced security enabled and nodes without advanced security enabled (ssl only or plugin disabled).
The feature flag should be used transiently to facilitate migration of cluster to using advanced security.
Why these changes are required?
Currently, migrating to advanced security requires a full cluster restart as any other kind of migration process causes transport communication to break between old and newer nodes. These changes will allow a cluster to be migrated to use advanced security without any downtime, by allowing old and new nodes to successfully communicate at the transport layer.
NOTE: There is an existing feature disable_intertransport_auth that, if enabled, will cause transport level authorization to be skipped. However, the side effect of this is that any non-super admin user will be able to update opendistro_security during migration. passive_intertransport_auth does not skip authorization; instead it injects a default user, which you can map to the permissions you want to give during this transient phase of migration.
What is the old behavior before changes and new behavior after changes? (Please add any example/logs/screen-shot if available)
Old Behaviour: Transport communication from old node to a new node fails at the new nodes with the error:
No user found for...
New Behaviour: Transport communication from old node to a new node succeeds. When a user is not found and this feature flag is set to true, we inject a default user. Note that this user should have all index and cluster permissions.
Testing done: (Please provide details of testing done: Unit testing, integration testing and manual testing)
Extensive UTs to cover all cases.
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
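The difference the description draws between disable_intertransport_auth (authorization skipped) and passive_intertransport_auth (a default user injected, authorization still enforced) is easiest to see side by side. The following is an added example written for this page, not code from the OpenSearch security plugin or from the PR: it models a transport request handler receiving a request that carries no user, under the three modes. All names in it (Mode, Permission, Outcome, USER_HEADER, the "transport_default" user and its permission mapping) are hypothetical stand-ins, not the plugin's own classes, settings or header names.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the OpenSearch security plugin. It models the three
// ways an inbound transport request that carries no user can be handled:
// strict (reject), disable_intertransport_auth (skip authorization entirely) and
// passive_intertransport_auth (inject a default user, then authorize as usual).
// Every name here (Mode, Permission, USER_HEADER, the default user) is hypothetical.
public class PassiveTransportAuthDemo {

    enum Mode { STRICT, DISABLE_INTERTRANSPORT_AUTH, PASSIVE_INTERTRANSPORT_AUTH }

    // Coarse stand-ins for action groups a request may require.
    enum Permission { CLUSTER_ALL, INDICES_ALL, SECURITY_CONFIG_UPDATE }

    enum Outcome { REJECTED_NO_USER, ALLOWED_AUTHZ_SKIPPED, ALLOWED, DENIED }

    static final class User {
        final String name;
        final EnumSet<Permission> granted;
        User(String name, EnumSet<Permission> granted) { this.name = name; this.granted = granted; }
    }

    // Hypothetical header under which a sending node identifies the caller.
    static final String USER_HEADER = "_security_user";

    static final class InterClusterAuth {
        private final Mode mode;
        private final User defaultUser;             // injected only in passive mode
        private final Map<String, User> knownUsers;  // users this node can resolve

        InterClusterAuth(Mode mode, User defaultUser, Map<String, User> knownUsers) {
            this.mode = mode;
            this.defaultUser = defaultUser;
            this.knownUsers = knownUsers;
        }

        Outcome handle(Map<String, String> headers, Permission required) {
            if (mode == Mode.DISABLE_INTERTRANSPORT_AUTH) {
                // Authorization is skipped outright: any caller, any action.
                return Outcome.ALLOWED_AUTHZ_SKIPPED;
            }
            User user = headers.containsKey(USER_HEADER) ? knownUsers.get(headers.get(USER_HEADER)) : null;
            if (user == null) {
                if (mode == Mode.STRICT) {
                    return Outcome.REJECTED_NO_USER;   // the "No user found for..." failure
                }
                user = defaultUser;                    // passive mode: inject, do not skip
            }
            // Authorization still runs against whatever the (possibly injected) user is mapped to.
            return user.granted.contains(required) ? Outcome.ALLOWED : Outcome.DENIED;
        }
    }

    public static void main(String[] args) {
        // Default user mapped to all index and cluster permissions, but deliberately
        // not to updating the security configuration itself (an assumption of this demo).
        User defaultUser = new User("transport_default",
                EnumSet.of(Permission.CLUSTER_ALL, Permission.INDICES_ALL));
        Map<String, User> known = new HashMap<>();
        known.put("admin", new User("admin", EnumSet.allOf(Permission.class)));

        // Constructed input: a request from an old node (no security plugin) carries no user header.
        Map<String, String> fromOldNode = new HashMap<>();

        for (Mode mode : Mode.values()) {
            InterClusterAuth auth = new InterClusterAuth(mode, defaultUser, known);
            System.out.printf("%-30s index write: %-22s security config update: %s%n",
                    mode,
                    auth.handle(fromOldNode, Permission.INDICES_ALL),
                    auth.handle(fromOldNode, Permission.SECURITY_CONFIG_UPDATE));
        }
    }
}
```

Running it prints one line per mode: STRICT rejects both requests (REJECTED_NO_USER), DISABLE_INTERTRANSPORT_AUTH lets both through with authorization skipped, including the security-config update, and PASSIVE_INTERTRANSPORT_AUTH allows the index write but denies the config update, because the injected default user is authorized like any other user and was not mapped to that permission. That is the property the description relies on when it says the flag should only be used transiently and that the default user's mapping decides what old nodes may do during migration.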