Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to built-in security transports from core #4119

Merged
merged 4 commits into from
Mar 26, 2024
Merged

Switch to built-in security transports from core #4119

merged 4 commits into from
Mar 26, 2024

Conversation

reta
Copy link
Collaborator

@reta reta commented Mar 15, 2024

Description

The security plugin does not need to provide the secure transports anymore but SecureSettingsFactory so the core transport modules will be able to configure those.

Issues Resolved

Closes #4118

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@reta reta force-pushed the issue-4118 branch 2 times, most recently from 0d71bb9 to d29db0e Compare March 18, 2024 14:26
@peternied peternied self-assigned this Mar 18, 2024
@reta reta force-pushed the issue-4118 branch 2 times, most recently from 02f1041 to 342dc69 Compare March 21, 2024 14:10
@reta reta marked this pull request as ready for review March 25, 2024 17:38
@codecov Codecov
Copy link

codecov bot commented Mar 25, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 94.91525% with 3 lines in your changes are missing coverage. Please review.

Project coverage is 65.90%. Comparing base (a731e62) to head (f2e2209).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #4119      +/-   ##
==========================================
- Coverage   66.04%   65.90%   -0.14%     
==========================================
  Files         300      298       -2     
  Lines       21554    21425     -129     
  Branches     3488     3475      -13     
==========================================
- Hits        14235    14121     -114     
+ Misses       5571     5563       -8     
+ Partials     1748     1741       -7
Files Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java 84.79% <100.00%> (+0.04%) ⬆️
...opensearch/security/filter/SecurityRestFilter.java 70.37% <ø> (ø)
...earch/security/http/NonSslHttpServerTransport.java 100.00% <ø> (ø)
...earch/security/http/SecureHttpServerTransport.java 100.00% <100.00%> (ø)
.../security/ssl/OpenSearchSecureSettingsFactory.java 100.00% <100.00%> (ø)
.../ssl/http/netty/Netty4ConditionalDecompressor.java 100.00% <ø> (ø)
...sl/http/netty/Netty4HttpRequestHeaderVerifier.java 85.71% <ø> (ø)
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java 86.25% <90.32%> (+1.13%) ⬆️

... and 6 files with indirect coverage changes

@reta
Copy link
Collaborator Author

reta commented Mar 25, 2024

The work is not done :) but this is a first step towards removing secure transport part from the plugin, there are a few gaps that will be covered by opensearch-project/OpenSearch#12903 shortly

cwperks
cwperks reviewed Mar 25, 2024
View reviewed changes
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @reta! The changes look good to me, I just left 2 small cosmetic comments.

I would be interested in seeing bwc tests for switching to secure transport in core while configured from the security plugin and eventually switching all configuration to core.

Have you tested this in a mixed cluster where some nodes are using the transport from core and some from the security plugin?

src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java Outdated Show resolved Hide resolved
src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java Outdated Show resolved Hide resolved
@reta
Address code review comments
2f50ee9 
Signed-off-by: Andriy Redko <[email protected]>
@reta
Copy link
Collaborator Author

reta commented Mar 25, 2024
edited
Loading

Have you tested this in a mixed cluster where some nodes are using the transport from core and some from the security plugin?

Thanks @cwperks ! No, I have not tested it yet but I test migrations for sure, thank you. The current implementation is cheating a bit since the secure transports are still provided by security plugin (although the implementation moved), but the next iteration (opensearch-project/OpenSearch#12907) should make it 100% fair.

@reta
Copy link
Collaborator Author

reta commented Mar 26, 2024

@cwperks mind please retaking a look? thank you!

@cwperks
Copy link
Member

cwperks commented Mar 26, 2024

Looks good to me!

@reta reta merged commit e2a06f0 into opensearch-project:main Mar 26, 2024
81 of 82 checks passed
@reta reta added the backport 2.x backport to 2.x branch label Mar 26, 2024
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-4119-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e2a06f001154d558c4c717c2a2bc54b9f57d1654
# Push it to GitHub
git push --set-upstream origin backport/backport-4119-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-4119-to-2.x.

reta added a commit to reta/security that referenced this pull request Mar 26, 2024
@reta
Switch to built-in security transports from core (opensearch-project#…
ebb5d5d 
…4119)

The security plugin does not need to provide the secure transports
anymore but SecureSettingsFactory so the core transport modules will be
able to configure those.

Closes opensearch-project#4118

Is this a backport? If so, please add backport PR # and/or commits #

[Please provide details of testing done: unit testing, integration
testing and manual testing]

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Andriy Redko <[email protected]>
(cherry picked from commit e2a06f0)
@reta reta mentioned this pull request Mar 26, 2024
Merged
peternied pushed a commit that referenced this pull request Mar 26, 2024
@reta
[Backport] [2.x] Switch to built-in security transports from core (#4119
f4705b2 
) (#4174)

Backport of #4119 to
`2.x`
dlin2028 pushed a commit to dlin2028/security that referenced this pull request May 1, 2024
@reta @dlin2028
Switch to built-in security transports from core (opensearch-project#…
882bb4a 
…4119)

### Description
The security plugin does not need to provide the secure transports
anymore but SecureSettingsFactory so the core transport modules will be
able to configure those.

### Issues Resolved
Closes opensearch-project#4118

Is this a backport? If so, please add backport PR # and/or commits #

### Testing
[Please provide details of testing done: unit testing, integration
testing and manual testing]

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Andriy Redko <[email protected]>
@reta reta mentioned this pull request Sep 10, 2024
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peternied peternied peternied approved these changes

@cwperks cwperks cwperks approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@davidlago davidlago Awaiting requested review from davidlago

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@stephen-crawford stephen-crawford Awaiting requested review from stephen-crawford stephen-crawford is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

Assignees

@peternied peternied

Labels
backport 2.x backport to 2.x branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[FEATURE] Switch to built-in security transports from core
4 participants
@reta @cwperks @peternied @DarshitChanpura