[Backport 2.x] Add early rejection from RestHandler for unauthorized requests (#3418)#3496

Merged: stephen-crawford merged 2 commits into 2.x from backport/backport-3495-to-2.x on Oct 9, 2023
@opensearch-trigger-bot
Contributor

Backport f7c47af from #3495

… requests (#3418) (#3495)

### Description

Backport of 6b0b682 from #3418

Previously unauthorized requests were fully processed and rejected once
they reached the RestHandler. This allocates more memory and resources
for these requests that might not be useful if they are already detected
as unauthorized. Using the headerVerifier and decompressor customization
from [1], perform an early authorization check when only the headers are
available, save an 'early response' for transmission and do not perform
the decompression on the request to speed up closing out the connection.

- Resolves opensearch-project/OpenSearch#10260

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <craig5008@gmail.com>
Co-authored-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit f7c47af)
Signed-off-by: Peter Nied <petern@amazon.com>
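
A minimal Netty sketch of the approach the description above outlines, added here as an illustration and not taken from the plugin's source. The class names, the `EARLY_RESPONSE` key and the header-presence check are assumptions.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.DefaultHttpRequest;
import io.netty.handler.codec.http.HttpContentDecompressor;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpRequestDecoder;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.util.AttributeKey;

// Illustration only: every name in this class is hypothetical.
final class EarlyRejectExample {
    // Set on the channel when the headers alone are enough to refuse the request.
    static final AttributeKey<HttpResponseStatus> EARLY_RESPONSE =
        AttributeKey.valueOf("example.early_response");
    // Sees the request line and headers as soon as they are decoded, before any body chunk.
    static final class HeaderVerifier extends SimpleChannelInboundHandler<DefaultHttpRequest> {
        HeaderVerifier() { super(false); } // do not auto-release; the message is passed on
        @Override
        protected void channelRead0(ChannelHandlerContext ctx, DefaultHttpRequest request) {
            // Stand-in check (assumption): a real verifier would run the configured authenticators.
            boolean hasCredentials = request.headers().contains(HttpHeaderNames.AUTHORIZATION);
            // Always overwrite: the channel is reused across keep-alive requests.
            ctx.channel().attr(EARLY_RESPONSE).set(hasCredentials ? null : HttpResponseStatus.UNAUTHORIZED);
            ctx.fireChannelRead(request);
        }
    }

    // Skips inflating the body once a rejection has been recorded for this channel.
    static final class ConditionalDecompressor extends HttpContentDecompressor {
        @Override
        protected EmbeddedChannel newContentDecoder(String contentEncoding) throws Exception {
            boolean rejected = ctx.channel().attr(EARLY_RESPONSE).get() != null;
            // For "identity" the parent returns null, so the content passes through untouched.
            return super.newContentDecoder(rejected ? "identity" : contentEncoding);
        }
    }

    // Order matters: the verifier must sit between the decoder and the decompressor.
    static void install(ChannelPipeline pipeline) {
        pipeline.addLast("decoder", new HttpRequestDecoder());
        pipeline.addLast("header_verifier", new HeaderVerifier());
        pipeline.addLast("decompressor", new ConditionalDecompressor());
        pipeline.addLast("aggregator", new HttpObjectAggregator(1024 * 1024));
        // The final handler (not shown) reads EARLY_RESPONSE and, if set, sends it and closes.
    }
}
```

Because the decision is stored per channel before the first body chunk arrives, a rejected request never has its compressed body inflated.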
@peternied peternied changed the title [Backport 2.x] [Backport 2.11] Add early rejection from RestHandler for unauthorized requests (#3418) [Backport 2.x] Add early rejection from RestHandler for unauthorized requests (#3418) Oct 7, 2023
@codecov
codecov bot commented Oct 7, 2023

Codecov Report

Merging #3496 (48bc298) into 2.x (f20cc68) will increase coverage by 0.13%.
The diff coverage is 79.76%.

@@             Coverage Diff              @@
##                2.x    #3496      +/-   ##
============================================
+ Coverage     64.73%   64.86%   +0.13%     
- Complexity     3570     3613      +43     
============================================
  Files           267      273       +6     
  Lines         19893    20025     +132     
  Branches       3329     3346      +17     
============================================
+ Hits          12877    12989     +112     
- Misses         5377     5389      +12     
- Partials       1639     1647       +8     
Files Coverage Δ
...zon/dlic/auth/http/saml/HTTPSamlAuthenticator.java 68.44% <ø> (ø)
.../opensearch/security/OpenSearchSecurityPlugin.java 84.58% <ø> (ø)
...arch/security/filter/OpenSearchRequestChannel.java 41.66% <ø> (-8.34%) ⬇️
...search/security/filter/SecurityRequestFactory.java 75.00% <100.00%> (+8.33%) ⬆️
...rch/security/http/SecurityHttpServerTransport.java 100.00% <100.00%> (ø)
...curity/http/SecurityNonSslHttpServerTransport.java 100.00% <100.00%> (ø)
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java 85.11% <ø> (ø)
.../ssl/http/netty/Netty4ConditionalDecompressor.java 100.00% <100.00%> (ø)
...ttp/netty/SecuritySSLNettyHttpServerTransport.java 95.83% <100.00%> (+0.83%) ⬆️
...dlic/auth/http/saml/AuthTokenProcessorHandler.java 46.40% <0.00%> (ø)
... and 9 more

... and 5 files with indirect coverage changes

@stephen-crawford stephen-crawford merged commit 0de30e2 into 2.x Oct 9, 2023
@stephen-crawford stephen-crawford deleted the backport/backport-3495-to-2.x branch October 9, 2023 17:42
peternied added a commit to peternied/security that referenced this pull request Oct 9, 2023
…requests (opensearch-project#3418) (opensearch-project#3496)

Backport f7c47af from opensearch-project#3495

---------

Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Peter Nied <petern@amazon.com>