-
Notifications
You must be signed in to change notification settings - Fork 285
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix cluster default initialization #1 #4002
Fix cluster default initialization #1 #4002
Conversation
627b33a
to
eb90543
Compare
Hi @cliu123, @cwperks, @DarshitChanpura, @davidlago, @peternied , @RyanL1997, @scrawfor99 and @reta, |
5fc0627
to
26e1adf
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4002 +/- ##
==========================================
+ Coverage 66.04% 66.23% +0.18%
==========================================
Files 300 302 +2
Lines 21554 21698 +144
Branches 3488 3501 +13
==========================================
+ Hits 14235 14371 +136
- Misses 5571 5574 +3
- Partials 1748 1753 +5
|
now all tests passed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work @willyborankin!
Overall comment, it looks like much of code you've added isn't getting registering code coverage hits - something might be wrong with the test execution, can you look into that?
src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/state/SecurityMetadata.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/state/SecurityClusterNonManagerListener.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/state/SecurityClusterNonManagerListener.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/state/SecurityClusterNonManagerListener.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/securityconf/impl/CType.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
Outdated
Show resolved
Hide resolved
Hi @peternied, thanks for your feedback. I will reorganize the code a bit. The way I implemented the index initialization is a bit wrong. The initialization needs to be done by the generic executor and changing of the cluster state via it. The management executor has a 20-second timeout, so it could lead to problems if the index initialization takes more than 20 seconds. |
26e1adf
to
416dcb8
Compare
Hi @peternied, the latest version which includes:
I think we can extend tests for the functionality I added. Lets discuss additional tests. |
2ea90e4
to
ea16e01
Compare
src/main/java/org/opensearch/security/state/SecurityClusterStateListeners.java
Outdated
Show resolved
Hide resolved
3cf6118
to
b51cc85
Compare
@peternied Looks like tests failures are note related. the new cluster permission appears:
|
b80d321
to
1a7560d
Compare
@peternied now all tests passed |
1a7560d
to
dce3e8b
Compare
dce3e8b
to
60f56b2
Compare
I'd like to see better coverage in of buildDynamicConfiguration before merging
Signed-off-by: Andrey Pleskach <[email protected]>
60f56b2
to
27791b4
Compare
@peternied I think coverage now around 99 or 98 % for the SecutyIndexHandler :-) |
@peternied the final score is 87.6 which is good I think |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good to me! Thank you for this change and adding a comprehensive test suite @willyborankin!
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-4002-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b0d26ddbfd584a76cb7eb48ee36c461fd0e9e19b
# Push it to GitHub
git push --set-upstream origin backport/backport-4002-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x Then, create a pull request where the |
Signed-off-by: Andrey Pleskach <[email protected]> (cherry picked from commit b0d26dd)
Signed-off-by: Andrey Pleskach <[email protected]> (cherry picked from commit b0d26dd)
Signed-off-by: Andrey Pleskach <[email protected]> (cherry picked from commit b0d26dd)
Signed-off-by: Andrey Pleskach <[email protected]>
Description
Change the way how the security plugin initialize its configuration.
The current solution uses poll to upload the default security configuration from each node in the cluster. As result it could lead to the races during initialization of the security index.
To solve the problem with possible races the new solution uses cluster state and initializes the default configuration only on the management node and after that sends updated cluster state on all other nodes to load the configuration from the index.
Initialization using cluster state makes things much more simpler and security admin shell script can be removed in the future.
the cluster state for the security plugin is this:
Next steps as a separate PRs:
Issues Resolved
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.