Skip to content

Validate requests are not impacted during security cache invalidation#3637

Merged
peternied merged 10 commits intoopensearch-project:mainfrom
cwperks:optional-data-exception-fix
Nov 3, 2023
Merged

Validate requests are not impacted during security cache invalidation#3637
peternied merged 10 commits intoopensearch-project:mainfrom
cwperks:optional-data-exception-fix

Conversation

@cwperks
Copy link
Member

@cwperks cwperks commented Nov 1, 2023
edited
Loading

Description

Opening a PR that adds a test to ensure that requests during a cache invalidation succeed and fail if any unsuccessful status code is detected. This is related to adding an automated test for #1961

I'm currently encountering a couple of issues and am able to reproduce a separate concurrency error, but not the OptionalDataException.

This test will fail if both of these PRs are reverted:

When the above 2 PRs are reverted, the test case fails with:

Caused by: org.opensearch.OpenSearchException: Instance User [name=admin, backend_roles=[admin], requestedTenant=null] of class class org.opensearch.security.user.User is not serializable
        at org.opensearch.security.support.Base64CustomHelper.serializeObject(Base64CustomHelper.java:102) ~[main/:?]
        at org.opensearch.security.support.Base64Helper.serializeObject(Base64Helper.java:34) ~[main/:?]
        at org.opensearch.security.transport.SecurityInterceptor.ensureCorrectHeaders(SecurityInterceptor.java:312) ~[main/:?]
        at org.opensearch.security.transport.SecurityInterceptor.sendRequestDecorate(SecurityInterceptor.java:240) ~[main/:?]
        at org.opensearch.security.OpenSearchSecurityPlugin$6$2.sendRequest(OpenSearchSecurityPlugin.java:811) ~[main/:?]
        at org.opensearch.transport.TransportService.sendRequest(TransportService.java:913) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        ... 21 more
Caused by: java.lang.NullPointerException: Cannot invoke "String.length()" because "str" is null
        at org.opensearch.core.common.io.stream.StreamOutput.writeString(StreamOutput.java:443) ~[opensearch-core-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.core.common.io.stream.StreamOutput.writeCollection(StreamOutput.java:1187) ~[opensearch-core-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.core.common.io.stream.StreamOutput.writeStringCollection(StreamOutput.java:1199) ~[opensearch-core-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.security.user.User.writeTo(User.java:263) ~[main/:?]
        at org.opensearch.security.support.Base64CustomHelper.serializeObject(Base64CustomHelper.java:86) ~[main/:?]
        at org.opensearch.security.support.Base64Helper.serializeObject(Base64Helper.java:34) ~[main/:?]
        at org.opensearch.security.transport.SecurityInterceptor.ensureCorrectHeaders(SecurityInterceptor.java:312) ~[main/:?]
        at org.opensearch.security.transport.SecurityInterceptor.sendRequestDecorate(SecurityInterceptor.java:240) ~[main/:?]
        at org.opensearch.security.OpenSearchSecurityPlugin$6$2.sendRequest(OpenSearchSecurityPlugin.java:811) ~[main/:?]
        at org.opensearch.transport.TransportService.sendRequest(TransportService.java:913) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        ... 21 more

This test provides assurances that there are no errors related to concurrency and cache invalidation. I had to update the integrationTest framework to add backendRoles onto the User object in the integration test suite.

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Adds a test

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwperks
Add async test to ensure bulk requests succeed while cache is invalid…
1004ef7 
…ated

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Change test name
7ebe917 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks changed the title Add async test to ensure bulk requests succeed while cache is invalidated Add async test with mix of requests including cache invalidation Nov 1, 2023
@cwperks
Remove Serializable from implementation list
9e1bfad 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks marked this pull request as ready for review November 2, 2023 19:57
@cwperks
Copy link
Member Author

cwperks commented Nov 2, 2023

To replicate the OptionalDataException you need to revert the 2 changes in the PR description and also change every instance of final boolean useJDKSerialization = connection.getVersion().before(ConfigConstants.FIRST_CUSTOM_SERIALIZATION_SUPPORTED_OS_VERSION); to final boolean useJDKSerialization = true;

@cwperks
Fix checkstyle
87a767f 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
peternied
peternied reviewed Nov 2, 2023
View reviewed changes
@cwperks
Address some code review comments
a65c4ff 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Reduce number of variables
8b06832 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Instantiate restclient with AdminUser
0ed3727 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Use client.delete and client.get
6a785c7 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Merge branch 'main' into optional-data-exception-fix
caa026c
peternied
peternied previously approved these changes Nov 2, 2023
View reviewed changes
@cwperks
Switch to postJson and remove shuffle
0ce56e7 
Signed-off-by: Craig Perkins <craig5008@gmail.com>
peternied
peternied approved these changes Nov 3, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks!

@peternied peternied changed the title Add async test with mix of requests including cache invalidation Validate requests are not impacted during security cache invalidation Nov 3, 2023
@peternied peternied merged commit 850b7dc into opensearch-project:main Nov 3, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 3, 2023
@github-actions
Validate requests are not impacted during security cache invalidation (
3602e9f 
…#3637)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <craig5008@gmail.com>
(cherry picked from commit 850b7dc)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Nov 3, 2023
Closed
cwperks added a commit to cwperks/security that referenced this pull request Nov 3, 2023
@cwperks
Validate requests are not impacted during security cache invalidation (
df84fcd 
…opensearch-project#3637)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <craig5008@gmail.com>
@cwperks cwperks mentioned this pull request Nov 3, 2023
Merged
peternied pushed a commit that referenced this pull request Nov 3, 2023
@cwperks
[Backport 2.x] Validate requests are not impacted during security cac…
e3c8902 
…he invalidation (#3648)

Backport
850b7dc
from #3637.

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <craig5008@gmail.com>
@peternied peternied mentioned this pull request Nov 16, 2023
Merged
3 tasks
willyborankin pushed a commit that referenced this pull request Nov 17, 2023
@stephen-crawford @peternied
[Backport 1.3] Prevent OptionalDataException from User data structures (
a51ad53 
#3725)

### Description
This change backports #1970 in order to fix the OptionalDataException
issue encountered on the 1.3.x line.
The original change did not have any tests but #3637 added tests, so I
backported those as well and the changes required to support them. This
resulted in changes to the TestSecurityConfig.User class, the addition
of a IndexStateIsEqualToMatcher and User.java.

### Issues Resolved
- Resolves #3531
- Backports #1970 
- Backports #3637

### Check List
- [X] New functionality includes testing
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Peter Nied <petern@amazon.com>
peternied pushed a commit to peternied/security that referenced this pull request Nov 30, 2023
@cwperks @peternied
Validate requests are not impacted during security cache invalidation (
570cf90 
…opensearch-project#3637)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <craig5008@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DarshitChanpura DarshitChanpura DarshitChanpura approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@davidlago davidlago Awaiting requested review from davidlago

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@stephen-crawford stephen-crawford Awaiting requested review from stephen-crawford

@reta reta Awaiting requested review from reta reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

+1 more reviewer

@peternied peternied peternied approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cwperks @peternied @DarshitChanpura