Preserve request headers in a mixed version cluster #79412
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When rewriting authentication for requests crossing nodes of different versions, we now preserve all request headers except the authentication one which needs to be rewritten. Previously all other request headers were dropped and it caused issue like an operator user not being recognised on the remote node. Other now preserved headers include audit and system index access. This new behaviour is more correct because we would never drop these headers if the nodes are on the same version. Resolves: elastic#79354
ywangd
added
>bug
:Security/Authorization
|
Pinging @elastic/es-security (Team:Security) |
ywangd
commented
Oct 19, 2021
Comment on lines
160
to
176
| public void executeAfterRewritingAuthentication(Consumer<StoredContext> consumer, Version version) { | ||
| // Preserve request headers other than authentication | ||
| final Map<String, String> existingRequestHeaders = threadContext.getRequestHeadersOnly(); | ||
| final StoredContext original = threadContext.newStoredContext(true); | ||
| final Authentication authentication = getAuthentication(); | ||
| try (ThreadContext.StoredContext ignore = threadContext.stashContext()) { | ||
| setAuthentication(new Authentication(authentication.getUser(), authentication.getAuthenticatedBy(), | ||
| authentication.getLookedUpBy(), version, authentication.getAuthenticationType(), | ||
| rewriteMetadataForApiKeyRoleDescriptors(version, authentication))); | ||
| existingRequestHeaders.forEach((k, v) -> { | ||
| if (false == AuthenticationField.AUTHENTICATION_KEY.equals(k)) { | ||
| threadContext.putHeader(k, v); | ||
| } | ||
| }); | ||
| consumer.accept(original); | ||
| } | ||
| } |
There was a problem hiding this comment.
This method does not preserve response headers because the original threadContext is wrapped in a restorable that does not propogate the response headers:
But I believe the response headers are actually preserved without this rewriting, i.e. when nodes are on the same version:
I don't think it needs to be addressed in this PR since it's been there for a long while and no issue has been raised AFAIK. But maybe in a follow-up?
tvernum
approved these changes
Oct 19, 2021
...ling-upgrade/src/test/resources/rest-api-spec/test/mixed_cluster/130_operator_privileges.yml
Outdated
Show resolved
Hide resolved
...ling-upgrade/src/test/resources/rest-api-spec/test/mixed_cluster/130_operator_privileges.yml
Show resolved
Hide resolved
Co-authored-by: Tim Vernum <[email protected]>
💔 Backport failed
You can use sqren/backport to manually backport by running |
ywangd
added a commit
to ywangd/elasticsearch
that referenced
this pull request
Oct 19, 2021
When rewriting authentication for requests crossing nodes of different versions, we now preserve all request headers except the authentication one which needs to be rewritten. Previously all other request headers were dropped and it caused issue like an operator user not being recognised on the remote node. Other now preserved headers include audit and system index access. This new behaviour is more correct because we would never drop these headers if the nodes are on the same version. Resolves: elastic#79354
ywangd
added a commit
to ywangd/elasticsearch
that referenced
this pull request
Oct 19, 2021
When rewriting authentication for requests crossing nodes of different versions, we now preserve all request headers except the authentication one which needs to be rewritten. Previously all other request headers were dropped and it caused issue like an operator user not being recognised on the remote node. Other now preserved headers include audit and system index access. This new behaviour is more correct because we would never drop these headers if the nodes are on the same version. Resolves: elastic#79354
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 19, 2021
* Preserve request headers in a mixed version cluster (#79412) When rewriting authentication for requests crossing nodes of different versions, we now preserve all request headers except the authentication one which needs to be rewritten. Previously all other request headers were dropped and it caused issue like an operator user not being recognised on the remote node. Other now preserved headers include audit and system index access. This new behaviour is more correct because we would never drop these headers if the nodes are on the same version. Resolves: #79354 * for for 7.x quirks
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 19, 2021
When rewriting authentication for requests crossing nodes of different versions, we now preserve all request headers except the authentication one which needs to be rewritten. Previously all other request headers were dropped and it caused issue like an operator user not being recognised on the remote node. Other now preserved headers include audit and system index access. This new behaviour is more correct because we would never drop these headers if the nodes are on the same version. Resolves: #79354 Co-authored-by: Elastic Machine <[email protected]>
weizijun
added a commit
to weizijun/elasticsearch
that referenced
this pull request
Oct 19, 2021
* upstream/master: Validate tsdb's routing_path (elastic#79384) Adjust the BWC version for the return200ForClusterHealthTimeout field (elastic#79436) API for adding and removing indices from a data stream (elastic#79279) Exposing the ability to log deprecated settings at non-critical level (elastic#79107) Convert operator privilege license object to LicensedFeature (elastic#79407) Mute SnapshotBasedIndexRecoveryIT testSeqNoBasedRecoveryIsUsedAfterPrimaryFailOver (elastic#79456) Create cache files with CREATE_NEW & SPARSE options (elastic#79371) Revert "[ML] Use a new annotations index for future annotations (elastic#79151)" [ML] Use a new annotations index for future annotations (elastic#79151) [ML] Removing legacy code from ML/transform auditor (elastic#79434) Fix rate agg with custom `_doc_count` (elastic#79346) Optimize SLM Policy Queries (elastic#79341) Fix execution of exists query within nested queries on field with doc_values disabled (elastic#78841) Stricter UpdateSettingsRequest parsing on the REST layer (elastic#79227) Do not release snapshot file download permit during recovery retries (elastic#79409) Preserve request headers in a mixed version cluster (elastic#79412) Adjust versions after elastic#79044 backport to 7.x (elastic#79424) Mute BulkByScrollUsesAllScrollDocumentsAfterConflictsIntegTests (elastic#79429) Fail on SSPL licensed x-pack sources (elastic#79348) # Conflicts: # server/src/test/java/org/elasticsearch/index/TimeSeriesModeTests.java
ywangd
added a commit
to ywangd/elasticsearch
that referenced
this pull request
Oct 28, 2021
In elastic#79412 we fixed a bug that request headers got dropped when the request is sent across to a node of different version. The fix is to restore all existing request headers during the threadContext rewriting. However, there are headers that are always automatically preserved by the ThreadContext infrastructure, e.g. x-opaque-id. This causes failures when the code tries to re-add the x-opaque-id header since it already exists. An example of this issue is for CCS where the remote cluster is often on a different version compared to the local cluster. Resolves: elastic#79412
ywangd
added a commit
that referenced
this pull request
Oct 28, 2021
In #79412 we fixed a bug that request headers got dropped when the request is sent across to a node of different version. The fix is to restore all existing request headers during the threadContext rewriting. However, there are headers that are always automatically preserved by the ThreadContext infrastructure, e.g. x-opaque-id. This causes failures when the code tries to re-add the x-opaque-id header since it already exists. An example of this issue is for CCS where the remote cluster is often on a different version compared to the local cluster. Resolves: #79412
ywangd
added a commit
to ywangd/elasticsearch
that referenced
this pull request
Oct 28, 2021
…79973) In elastic#79412 we fixed a bug that request headers got dropped when the request is sent across to a node of different version. The fix is to restore all existing request headers during the threadContext rewriting. However, there are headers that are always automatically preserved by the ThreadContext infrastructure, e.g. x-opaque-id. This causes failures when the code tries to re-add the x-opaque-id header since it already exists. An example of this issue is for CCS where the remote cluster is often on a different version compared to the local cluster. Resolves: elastic#79412
ywangd
added a commit
to ywangd/elasticsearch
that referenced
this pull request
Oct 28, 2021
…79973) In elastic#79412 we fixed a bug that request headers got dropped when the request is sent across to a node of different version. The fix is to restore all existing request headers during the threadContext rewriting. However, there are headers that are always automatically preserved by the ThreadContext infrastructure, e.g. x-opaque-id. This causes failures when the code tries to re-add the x-opaque-id header since it already exists. An example of this issue is for CCS where the remote cluster is often on a different version compared to the local cluster. Resolves: elastic#79412
ywangd
added a commit
to ywangd/elasticsearch
that referenced
this pull request
Oct 28, 2021
…79973) In elastic#79412 we fixed a bug that request headers got dropped when the request is sent across to a node of different version. The fix is to restore all existing request headers during the threadContext rewriting. However, there are headers that are always automatically preserved by the ThreadContext infrastructure, e.g. x-opaque-id. This causes failures when the code tries to re-add the x-opaque-id header since it already exists. An example of this issue is for CCS where the remote cluster is often on a different version compared to the local cluster. Resolves: elastic#79412
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 28, 2021
…79985) In #79412 we fixed a bug that request headers got dropped when the request is sent across to a node of different version. The fix is to restore all existing request headers during the threadContext rewriting. However, there are headers that are always automatically preserved by the ThreadContext infrastructure, e.g. x-opaque-id. This causes failures when the code tries to re-add the x-opaque-id header since it already exists. An example of this issue is for CCS where the remote cluster is often on a different version compared to the local cluster. Resolves: #79412
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 28, 2021
…79984) In #79412 we fixed a bug that request headers got dropped when the request is sent across to a node of different version. The fix is to restore all existing request headers during the threadContext rewriting. However, there are headers that are always automatically preserved by the ThreadContext infrastructure, e.g. x-opaque-id. This causes failures when the code tries to re-add the x-opaque-id header since it already exists. An example of this issue is for CCS where the remote cluster is often on a different version compared to the local cluster. Resolves: #79412
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 28, 2021
…79983) In #79412 we fixed a bug that request headers got dropped when the request is sent across to a node of different version. The fix is to restore all existing request headers during the threadContext rewriting. However, there are headers that are always automatically preserved by the ThreadContext infrastructure, e.g. x-opaque-id. This causes failures when the code tries to re-add the x-opaque-id header since it already exists. An example of this issue is for CCS where the remote cluster is often on a different version compared to the local cluster. Resolves: #79412 Co-authored-by: Elastic Machine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When rewriting authentication for requests crossing nodes of different
versions, we now preserve all request headers except the authentication
one which needs to be rewritten. Previously all other request headers
were dropped and it caused issue like an operator user not being
recognised on the remote node. Other now preserved headers include audit
and system index access. This new behaviour is more correct because we
would never drop these headers if the nodes are on the same version.
Resolves: #79354