-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for HTTP/2 (server-side) #2051
Conversation
a83b4f7
to
85a490c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Approach looks solid and straight forward.
You will see the BWC tests fail until opensearch-project/OpenSearch#3615 has been resolved but that shouldn't stop you from making progress in the other GitHub Action issues
Thanks a lot @peternied ! |
.applicationProtocolConfig( | ||
new ApplicationProtocolConfig( | ||
Protocol.ALPN, | ||
// NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious about this comment. I see that the same comment is present on the Http2Client
example from netty: https://netty.io/4.1/xref/io/netty/example/http2/helloworld/client/Http2Client.html. Is the comment still true? In an effort to understand the default configuration here, would we ever consider using a different values for SelectorFailureBehavior
and SelectedListenerFailureBehavior
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious about this comment. I see that the same comment is present on the Http2Client example from netty: https://netty.io/4.1/xref/io/netty/example/http2/helloworld/client/Http2Client.html.
That is correct, it was picked up from there since we could use JDK and OpenSSL providers.
Is the comment still true?
I suspect it is relevant since it is coming from Netty project.
In an effort to understand the default configuration here, would we ever consider using a different values for SelectorFailureBehavior and SelectedListenerFailureBehavior?
Sure, seems to be a sensitive setting, we could always expose it for configuration if need arrives, thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@reta Thank you for checking.
.sessionCacheSize(0).sessionTimeout(0).sslProvider(sslProvider); | ||
.sessionCacheSize(0).sessionTimeout(0).sslProvider(sslProvider) | ||
.applicationProtocolConfig( | ||
new ApplicationProtocolConfig( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this default configuration is repeated down below. Should we consider making this a static constant?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
May be better as a function if we consider future possibility to configure SelectorFailureBehavior
and SelectedListenerFailureBehavior
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds reasonable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done, thanks @cwperks !
0363410
to
e9da7b2
Compare
bbd2eee
to
f1536e7
Compare
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution, I am happy to merge these changes assuming the CI checks get fixed, please let us know if you need any help look into the CI failures.
Thanks @peternied , looking into failures now |
Http2SecurityUtil.CIPHERS.stream(), | ||
StreamSupport.stream(ciphers.spliterator(), false)) | ||
.collect(Collectors.toSet()), SupportedCipherSuiteFilter.INSTANCE) | ||
.clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like the mentioned netty issue was fixed a while ago but this comment wasn't removed. Should we remove it? I know it maybe out of scope of this PR but wanted to know your thoughts
SslHandler sslhandler = (SslHandler) httpChannel.getNettyChannel().pipeline().get("ssl_http"); | ||
if(sslhandler == null && httpChannel.inboundPipeline() != null) { | ||
sslhandler = (SslHandler) httpChannel.inboundPipeline().get("ssl_http"); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For my curiosity, Can you help me understand the reason behind retrieving sslHandler from an inboundPipeline() and why is this check required?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@DarshitChanpura if you look into previous code, it looked at channel's pipeline to find out the SSL handler. Now, with HTTP/2, the new pipeline is created (hence, the inbound channel pipeline is "lost") and the SSL handler is not accessible anymore. The solution (sort of): keep inbound pipeline reference so the SSL handler could be retrieved.
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
@peternied could you please help me with this Github action [1] https://github.com/opensearch-project/security/actions/runs/3115185145/jobs/5051826328 |
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Those BWC tests are stalling out this PR from merging, I've created a pull request #2108 to disable them, so this change could update our the main branch to v3.0 as you've already done the hard work. |
Thanks a lot @peternied , will try to help with BWC + 3.0 track |
Rev'ed version number and fixed compilation issues Signed-off-by: Andriy Redko <andriy.redko@aiven.io> Signed-off-by: Peter Nied <petern@amazon.com>
Good news, BWC tests have started working with the 2.4.0 build, I've got #2112 which has incorperated the fixes from this change into it. This should rev the build number so your PR can focus around HTTP/2 support only. Its been a long journey, nearly there... |
Signed-off-by: Peter Nied <petern@amazon.com>
Thanks a mill @peternied ! |
Merge from main - will fix all CI checks
Codecov Report
@@ Coverage Diff @@
## main #2051 +/- ##
============================================
- Coverage 61.04% 61.03% -0.01%
- Complexity 3230 3232 +2
============================================
Files 256 256
Lines 18077 18102 +25
Branches 3224 3229 +5
============================================
+ Hits 11035 11049 +14
- Misses 5468 5471 +3
- Partials 1574 1582 +8
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
🥳 thanks a lot for help @peternied ! |
@opensearch-project/security Could we get another review on this change? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ty @reta !
* Support for HTTP/2 (server-side) Signed-off-by: Andriy Redko <andriy.redko@aiven.io> * Addressing code review comments Signed-off-by: Andriy Redko <andriy.redko@aiven.io> * Fixed ClusterManager compilation issues Signed-off-by: Andriy Redko <andriy.redko@aiven.io> * Fixing bwc test version Signed-off-by: Andriy Redko <andriy.redko@aiven.io> * Removed outdated comment Signed-off-by: Andriy Redko <andriy.redko@aiven.io> * Fixing exception propagation from Http2OrHttpHandler to server transport Signed-off-by: Andriy Redko <andriy.redko@aiven.io> * Switch to OpenSearch v3.0 Rev'ed version number and fixed compilation issues Signed-off-by: Andriy Redko <andriy.redko@aiven.io> Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Andriy Redko <andriy.redko@aiven.io> Signed-off-by: Peter Nied <petern@amazon.com> Co-authored-by: Peter Nied <petern@amazon.com> Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Andriy Redko andriy.redko@aiven.io
Description
Implement SSL/TLS support for HTTP/2, see [1]
[1] opensearch-project/OpenSearch#3651
Issues Resolved
Testing
TODO: tests for HTTP/2
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.