-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] SecurityRestFilter drops the headers from ThreadContext #4799
Comments
@cwperks would it make sense to allow additional headers be supported instead of just |
Yes definitely, this is a bug. These are my initial thoughts, I will analyze this issue further and provide more updates later today. A couple of options:
|
For additional context, I think this is a bug introduced in 2.11 but it was not noticed since the only The change that the Security plugin introduced in 2.11 was to move auth further up the netty pipeline before decompression: opensearch-project/OpenSearch#10261 The reason that security has to restore a previous context is that core has a call to stashContext in the last handler of the netty pipeline here. Before 2.11, security would authenticate a request after the call to stashContext and in the process of authenticating the request it would populate a bunch of TC headers including transient headers like the object corresponding to the authenticated user and other information such as the IP address where the request originated. After authentication was moved up the netty pipeline, security would populate the TC before the call to stashContext from above. To get around this issue the security plugin uses netty channel attributes to carry the context down the pipeline and restore it in the SecurityRestFilter. |
Thanks @cwperks! for suggesting the approaches. I agree the change in extension point is intrusive and causes wider |
If Option 3 is implemented, then there should be a corresponding integTest that asserts the correct behavior. Writing an integ test will take a little more effort, but I think I can dig up some examples. IMO for an integ test we should create an |
There is one more bug in |
What is the bug?
SecurityLayer should not drop information from ThreadContext which is a opensearch construct.
In current setup
SecurityRestFilter
drops the request headers populated inThreadContext
for a request. OpenSearch process controls the valid list of headers that can be propagated from http layer toThreadContext
by defining them inside theActionModule
. ButSecurityFilter
does not consider all the whitelisted headers and abruptly drops all headers exceptX_OPAQUE_ID
.Problematic code line: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java#L139C13-L142C19
How can one reproduce the bug?
Steps to reproduce the behavior:
curl -X GET https://localhost:9200/_search -u 'admin:passwd123456789@' --insecure -H 'queryGroupId: 9oguoImmRMy1qYe2M6W3dA'
RestHandler
(RestSearchAction)What is the expected behavior?
Security plugin should retain all whitelisted headers.
What is your host/environment?
Do you have any screenshots?
If applicable, add screenshots to help explain your problem.
Do you have any additional context?
Add any other context about the problem.
The text was updated successfully, but these errors were encountered: