[Feature] Improve compressed request handling #10260
Comments
|
We been exploring two approaches to address how compressed requests are handled within our system. Here's a overview of both: Header Verifier with early request exit [1]Craig is looking into adjusting the timing and manner in which certain components, specifically the "rest controller components", are triggered within the core of OpenSearch. In essence, this approach brings existing request functionalities into broader usage. Pros:
Cons:
PRs
Minimal Header Verifier [2]Peter is focusing on the security side of things. Specifically, he's rethinking how the security plugin responds to verification (or "authentication") requests. Pros:
Cons:
PRs
As we delve deeper, we'll keep everyone updated on our progress and the potential implications of each approach. Feedback and thoughts are always welcome! |
@peternied could you please give an example of invalid request? I am thinking about wrong auth credentials fe, is that the case? I think if we need to inspect headers and reject the request even before consuming the content, there are two options:
Something to be aware of, with #9672 the request body is consumed lazily (as a stream), so the headers could be consulted before processing the request body. |
|
@reta Here is an example of what a request could look likehttps://github.com/opensearch-project/security/pull/3417/files#r1343153212 I think having validation processes that only use headers vs a latter part of the pipeline get the request body (whole vs stream) seems like a good way to separate these concerns of validation vs processing while lowers the resource usage on invalid / rejected requests |
|
Updating this issue; @cwperks and I have been trying to figure out how to best approach this problem, earlier this was kind of called top-down vs bottoms-up, we we have landed on a design pattern that is the meeting place between both of these points. By allowing a header verification step to the pipeline along with allowing the decompressor to be wrapped, plugins that are engaged in the network configuration can fine tune their behavior. The business logic of to process criteria for inclusion/exclusion solely are declared within the security plugin. If there is any behavior that needs to pass information between these system states it is encapsulated wholly in the plugin codebase. The following pull requests are part of the total delivery to address this feature: |
Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Peter Nied <petern@amazon.com>
… requests (opensearch-project#3418) Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Peter Nied <petern@amazon.com>
… requests (#3418) (#3495) ### Description Backport of 6b0b682 from #3418 Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Craig Perkins <cwperx@amazon.com>
… requests (#3418) (#3495) ### Description Backport of 6b0b682 from #3418 Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Craig Perkins <cwperx@amazon.com> (cherry picked from commit f7c47af)
…requests (opensearch-project#3418) (opensearch-project#3495) Backport of 6b0b682 from opensearch-project#3418 Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. - Resolves opensearch-project/OpenSearch#10260 Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Peter Nied <petern@amazon.com>
Is your feature request related to a problem? Please describe.
In some cases, a request is considered invalid from its headers and its unnecessary to inspect the body of the request. For compressed requests, decompressed bodies can sometimes be quite large so its a benefit to skip decompression if the body is only being discarded.
Describe the solution you'd like
There should be some mechanism that is accessible by plugins to provide guidance to continue processing a request before more resources are used.
Describe alternatives you've considered
The text was updated successfully, but these errors were encountered: