
Security authn via netty channel validator #95112

@albertzaharovits albertzaharovits commented Apr 10, 2023

Hooks "REST" authN, as a "validator", into the new netty channel interceptor for http headers.

@albertzaharovits albertzaharovits force-pushed the security-early-authn-with-header-validator branch from 979b40a to 322f4e9 on April 12, 2023 16:57
@albertzaharovits albertzaharovits added the :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) label Apr 12, 2023
@albertzaharovits albertzaharovits merged commit bedaf3c into elastic:main May 4, 2023
15 checks passed
@albertzaharovits albertzaharovits deleted the security-early-authn-with-header-validator branch May 4, 2023 14:56
albertzaharovits added a commit that referenced this pull request May 8, 2023
This PR tests that malformed HTTP requests that
fail at the decoding stage don't go through validation
and are further dispatched as bad requests.

Related: #95112
albertzaharovits added a commit that referenced this pull request May 12, 2023
This addresses HTTP OPTIONS requests following
the authentication refactoring in #95112.

Relates #95112
albertzaharovits added a commit that referenced this pull request May 18, 2023
Following the changes in #95112, which relocated the calls
into the AuthenticationService that authenticate HTTP
requests, the authentication duration was no longer
comprised in between the Tracer#startTrace and
Tracer#stopTrace. Consequently, the span records
didn't cover the authentication duration any longer.

This PR remedies that by changing the Tracer
implementation, i.e. APMTracer, to look for the trace start
time instant in the transient thread context and use that
when starting traces (overriding the now default).
The trace start time is set in the thread context when
the request-wise thread context is first populated
(with HTTP request headers).
albertzaharovits added a commit that referenced this pull request May 29, 2023
Instead of not authN and letting them through,
this PR rejects OPTIONS requests with a body (400).

Relates #95112
jdconrad pushed a commit to jdconrad/elasticsearch that referenced this pull request May 30, 2023
Instead of not authN and letting them through,
this PR rejects OPTIONS requests with a body (400).

Relates elastic#95112
albertzaharovits added a commit to albertzaharovits/elasticsearch that referenced this pull request Jun 14, 2023
Hooks "REST" authN, as a "validator", into the
new netty channel interceptor for http headers.
albertzaharovits added a commit to albertzaharovits/elasticsearch that referenced this pull request Jun 15, 2023
This addresses HTTP OPTIONS requests following
the authentication refactoring in elastic#95112.

Relates elastic#95112
albertzaharovits added a commit to albertzaharovits/elasticsearch that referenced this pull request Jun 15, 2023
Instead of not authN and letting them through,
this PR rejects OPTIONS requests with a body (400).

Relates elastic#95112
albertzaharovits added a commit to albertzaharovits/elasticsearch that referenced this pull request Jun 19, 2023
This PR tests that malformed HTTP requests that
fail at the decoding stage don't go through validation
and are further dispatched as bad requests.

Related: elastic#95112
albertzaharovits added a commit that referenced this pull request Aug 23, 2023
This is a backport of multiple work items related to authentication enhancements for HTTP,
which were originally merged in the 8.8 - 8.9 releases.
Hence, the HTTP (only the netty4-based implementation (default), not the NIO one) authentication
implementation gets a throughput boost (especially for requests failing authn).

Relates to: ES-6188 #92220 #95112
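As an added illustration (not Elasticsearch code), the following Python model captures the header-first dispatch order that this PR and its follow-up commits describe: requests that fail decoding become 400s without touching authentication, OPTIONS requests pass unauthenticated unless they carry a body, and everything else is authenticated from its headers before any body bytes are buffered. The `HttpHead`, `dispatch` and `process` names, the token table and the sample traffic are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed credential table; stands in for the realm chain behind the authentication service
VALID_TOKENS = {"Bearer tok-alice": "alice"}

@dataclass
class HttpHead:
    """What the decoder hands the header interceptor before any body bytes arrive."""
    method: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)
    content_length: int = 0
    decode_error: Optional[str] = None  # set when the decoder failed on this request

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Header validator: resolve a principal from Authorization, or None on failure."""
    return VALID_TOKENS.get(headers.get("Authorization", ""))

def dispatch(head: HttpHead) -> Tuple[int, str]:
    """Decide a request's fate from its head alone; status 0 means 'accepted, read the body'."""
    # 1. A request the decoder could not parse skips validation and is answered with 400
    if head.decode_error is not None:
        return 400, f"bad request: {head.decode_error}"
    # 2. OPTIONS (typically CORS preflight) is let through unauthenticated, but a body is rejected
    if head.method == "OPTIONS":
        return (400, "OPTIONS request with a body") if head.content_length > 0 else (0, "options")
    # 3. Authenticate from headers only, so a failing request never costs body buffering
    principal = authenticate(head.headers)
    return (0, f"authenticated as {principal}") if principal else (401, "unauthorized")

def process(requests: List[Tuple[HttpHead, bytes]]) -> Tuple[List[int], int]:
    """Run a batch; return per-request status and the total body bytes the server buffered."""
    statuses, buffered = [], 0
    for head, body in requests:
        status, _ = dispatch(head)
        if status == 0:
            buffered += len(body)  # only accepted requests have their body read and buffered
            status = 200
        statuses.append(status)
    return statuses, buffered

# Constructed sample traffic: one good request among several that should be cut off early
SAMPLE = [
    (HttpHead("POST", "/_search", {"Authorization": "Bearer tok-alice"}, 7), b'{"q":1}'),
    (HttpHead("POST", "/_bulk", {"Authorization": "Bearer wrong"}, 1000), b"x" * 1000),
    (HttpHead("POST", "/_bulk", {}, 300, decode_error="invalid header line"), b"y" * 300),
    (HttpHead("OPTIONS", "/_search", {"Origin": "https://app.example"}), b""),
    (HttpHead("OPTIONS", "/_search", {}, 5), b"hello"),
]
```

Running `process(SAMPLE)` yields `([200, 401, 400, 200, 400], 7)`: of 1312 body bytes offered, only the 7 belonging to the authenticated request are ever buffered, which is the throughput effect the backport note refers to for requests failing authn.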
Labels
>enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team v8.9.0