Skip to content

Commit

Permalink
Switch to built-in security transports from core (opensearch-project#…
Browse files Browse the repository at this point in the history
…4119)

The security plugin does not need to provide the secure transports
anymore but SecureSettingsFactory so the core transport modules will be
able to configure those.

Closes opensearch-project#4118

Is this a backport? If so, please add backport PR # and/or commits #

[Please provide details of testing done: unit testing, integration
testing and manual testing]

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Andriy Redko <[email protected]>
(cherry picked from commit e2a06f0)
  • Loading branch information
reta committed Mar 26, 2024
1 parent 80cee28 commit ebb5d5d
Show file tree
Hide file tree
Showing 15 changed files with 509 additions and 706 deletions.
47 changes: 29 additions & 18 deletions src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiFunction;
Expand Down Expand Up @@ -112,6 +113,8 @@
import org.opensearch.plugins.ExtensionAwarePlugin;
import org.opensearch.plugins.IdentityPlugin;
import org.opensearch.plugins.MapperPlugin;
import org.opensearch.plugins.SecureSettingsFactory;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.repositories.RepositoriesService;
import org.opensearch.rest.RestController;
import org.opensearch.rest.RestHandler;
Expand Down Expand Up @@ -148,8 +151,8 @@
import org.opensearch.security.dlic.rest.validation.PasswordValidator;
import org.opensearch.security.filter.SecurityFilter;
import org.opensearch.security.filter.SecurityRestFilter;
import org.opensearch.security.http.SecurityHttpServerTransport;
import org.opensearch.security.http.SecurityNonSslHttpServerTransport;
import org.opensearch.security.http.NonSslHttpServerTransport;
import org.opensearch.security.http.SecureHttpServerTransport;
import org.opensearch.security.http.XFFResolver;
import org.opensearch.security.identity.SecurityTokenManager;
import org.opensearch.security.privileges.PrivilegesEvaluator;
Expand All @@ -165,11 +168,11 @@
import org.opensearch.security.securityconf.DynamicConfigFactory;
import org.opensearch.security.setting.OpensearchDynamicSetting;
import org.opensearch.security.setting.TransportPassiveAuthSetting;
import org.opensearch.security.ssl.OpenSearchSecureSettingsFactory;
import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
import org.opensearch.security.ssl.SslExceptionHandler;
import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
import org.opensearch.security.ssl.util.SSLConfigConstants;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.GuardedSearchOperationWrapper;
Expand Down Expand Up @@ -197,6 +200,7 @@
import org.opensearch.transport.TransportRequestOptions;
import org.opensearch.transport.TransportResponseHandler;
import org.opensearch.transport.TransportService;
import org.opensearch.transport.netty4.ssl.SecureNetty4Transport;
import org.opensearch.watcher.ResourceWatcherService;

import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
Expand Down Expand Up @@ -855,44 +859,44 @@ public <T extends TransportResponse> void sendRequest(
}

@Override
public Map<String, Supplier<Transport>> getTransports(
public Map<String, Supplier<Transport>> getSecureTransports(
Settings settings,
ThreadPool threadPool,
PageCacheRecycler pageCacheRecycler,
CircuitBreakerService circuitBreakerService,
NamedWriteableRegistry namedWriteableRegistry,
NetworkService networkService,
SecureTransportSettingsProvider secureTransportSettingsProvider,
Tracer tracer
) {
Map<String, Supplier<Transport>> transports = new HashMap<String, Supplier<Transport>>();

if (SSLConfig.isSslOnlyMode()) {
return super.getTransports(
return super.getSecureTransports(
settings,
threadPool,
pageCacheRecycler,
circuitBreakerService,
namedWriteableRegistry,
networkService,
secureTransportSettingsProvider,
tracer
);
}

if (transportSSLEnabled) {
transports.put(
"org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport",
() -> new SecuritySSLNettyTransport(
settings,
() -> new SecureNetty4Transport(
migrateSettings(settings),
Version.CURRENT,
threadPool,
networkService,
pageCacheRecycler,
namedWriteableRegistry,
circuitBreakerService,
sks,
evaluateSslExceptionHandler(),
sharedGroupFactory,
SSLConfig,
secureTransportSettingsProvider,
tracer
)
);
Expand All @@ -901,7 +905,7 @@ public Map<String, Supplier<Transport>> getTransports(
}

@Override
public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
Settings settings,
ThreadPool threadPool,
BigArrays bigArrays,
Expand All @@ -911,11 +915,12 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
NetworkService networkService,
Dispatcher dispatcher,
ClusterSettings clusterSettings,
SecureTransportSettingsProvider secureTransportSettingsProvider,
Tracer tracer
) {

if (SSLConfig.isSslOnlyMode()) {
return super.getHttpTransports(
return super.getSecureHttpTransports(
settings,
threadPool,
bigArrays,
Expand All @@ -925,6 +930,7 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
networkService,
dispatcher,
clusterSettings,
secureTransportSettingsProvider,
tracer
);
}
Expand All @@ -940,17 +946,16 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
evaluateSslExceptionHandler()
);
// TODO close odshst
final SecurityHttpServerTransport odshst = new SecurityHttpServerTransport(
settings,
final SecureHttpServerTransport odshst = new SecureHttpServerTransport(
migrateSettings(settings),
networkService,
bigArrays,
threadPool,
sks,
evaluateSslExceptionHandler(),
xContentRegistry,
validatingDispatcher,
clusterSettings,
sharedGroupFactory,
secureTransportSettingsProvider,
tracer,
securityRestHandler
);
Expand All @@ -959,15 +964,16 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
} else if (!client) {
return Collections.singletonMap(
"org.opensearch.security.http.SecurityHttpServerTransport",
() -> new SecurityNonSslHttpServerTransport(
settings,
() -> new NonSslHttpServerTransport(
migrateSettings(settings),
networkService,
bigArrays,
threadPool,
xContentRegistry,
dispatcher,
clusterSettings,
sharedGroupFactory,
secureTransportSettingsProvider,
tracer,
securityRestHandler
)
Expand Down Expand Up @@ -2003,6 +2009,11 @@ public SecurityTokenManager getTokenManager() {
return tokenManager;
}

@Override
public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings) {
return Optional.of(new OpenSearchSecureSettingsFactory(settings, sks, sslExceptionHandler));
}

public static class GuiceHolder implements LifecycleComponent {

private static RepositoriesService repositoriesService;
Expand Down
11 changes: 11 additions & 0 deletions src/main/java/org/opensearch/security/filter/NettyAttribute.java
Original file line number Diff line number Diff line change
@@ -1,3 +1,14 @@
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

package org.opensearch.security.filter;

import java.util.Optional;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -69,10 +69,10 @@

import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
import static org.opensearch.security.http.SecurityHttpServerTransport.CONTEXT_TO_RESTORE;
import static org.opensearch.security.http.SecurityHttpServerTransport.EARLY_RESPONSE;
import static org.opensearch.security.http.SecurityHttpServerTransport.IS_AUTHENTICATED;
import static org.opensearch.security.http.SecurityHttpServerTransport.UNCONSUMED_PARAMS;
import static org.opensearch.security.http.SecureHttpServerTransport.CONTEXT_TO_RESTORE;
import static org.opensearch.security.http.SecureHttpServerTransport.EARLY_RESPONSE;
import static org.opensearch.security.http.SecureHttpServerTransport.IS_AUTHENTICATED;
import static org.opensearch.security.http.SecureHttpServerTransport.UNCONSUMED_PARAMS;

public class SecurityRestFilter {

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.http.HttpHandlingSettings;
import org.opensearch.http.netty4.Netty4HttpServerTransport;
import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.security.filter.SecurityRestFilter;
import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
Expand All @@ -44,11 +46,11 @@
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelInboundHandlerAdapter;

public class SecurityNonSslHttpServerTransport extends Netty4HttpServerTransport {
public class NonSslHttpServerTransport extends SecureNetty4HttpServerTransport {

private final ChannelInboundHandlerAdapter headerVerifier;

public SecurityNonSslHttpServerTransport(
public NonSslHttpServerTransport(
final Settings settings,
final NetworkService networkService,
final BigArrays bigArrays,
Expand All @@ -57,6 +59,7 @@ public SecurityNonSslHttpServerTransport(
final Dispatcher dispatcher,
final ClusterSettings clusterSettings,
final SharedGroupFactory sharedGroupFactory,
final SecureTransportSettingsProvider secureTransportSettingsProvider,
final Tracer tracer,
final SecurityRestFilter restFilter
) {
Expand All @@ -69,6 +72,7 @@ public SecurityNonSslHttpServerTransport(
dispatcher,
clusterSettings,
sharedGroupFactory,
secureTransportSettingsProvider,
tracer
);
headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,19 +34,21 @@
import org.opensearch.common.util.BigArrays;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.filter.SecurityRestFilter;
import org.opensearch.security.ssl.SecurityKeyStore;
import org.opensearch.security.ssl.SslExceptionHandler;
import org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport;
import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
import org.opensearch.telemetry.tracing.Tracer;
import org.opensearch.threadpool.ThreadPool;
import org.opensearch.transport.SharedGroupFactory;

import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.util.AttributeKey;

public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTransport {
public class SecureHttpServerTransport extends SecureNetty4HttpServerTransport {

public static final AttributeKey<SecurityResponse> EARLY_RESPONSE = AttributeKey.newInstance("opensearch-http-early-response");
public static final AttributeKey<Set<String>> UNCONSUMED_PARAMS = AttributeKey.newInstance("opensearch-http-request-consumed-params");
Expand All @@ -56,17 +58,18 @@ public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTrans
public static final AttributeKey<Boolean> SHOULD_DECOMPRESS = AttributeKey.newInstance("opensearch-http-should-decompress");
public static final AttributeKey<Boolean> IS_AUTHENTICATED = AttributeKey.newInstance("opensearch-http-is-authenticated");

public SecurityHttpServerTransport(
private final ChannelInboundHandlerAdapter headerVerifier;

public SecureHttpServerTransport(
final Settings settings,
final NetworkService networkService,
final BigArrays bigArrays,
final ThreadPool threadPool,
final SecurityKeyStore odsks,
final SslExceptionHandler sslExceptionHandler,
final NamedXContentRegistry namedXContentRegistry,
final ValidatingDispatcher dispatcher,
final ClusterSettings clusterSettings,
SharedGroupFactory sharedGroupFactory,
final SecureTransportSettingsProvider secureTransportSettingsProvider,
Tracer tracer,
SecurityRestFilter restFilter
) {
Expand All @@ -75,14 +78,24 @@ public SecurityHttpServerTransport(
networkService,
bigArrays,
threadPool,
odsks,
namedXContentRegistry,
dispatcher,
sslExceptionHandler,
clusterSettings,
sharedGroupFactory,
tracer,
restFilter
secureTransportSettingsProvider,
tracer
);

headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
}

@Override
protected ChannelInboundHandlerAdapter createHeaderVerifier() {
return headerVerifier;
}

@Override
protected ChannelInboundHandlerAdapter createDecompressor() {
return new Netty4ConditionalDecompressor();
}
}
Loading

0 comments on commit ebb5d5d

Please sign in to comment.