Extend request lifecycle in RestReloadSecureSettingsAction #103953


DaveCTurner
Contributor

The security module doesn't refcount requests properly, see #103952, so
async auth flows may discard the keystore password before the request is
processed. This commit adjusts the action to retain the request until
the response is available, which unfortunately negates the improvement
in #103757.
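The lifetime problem described above, as an added example that is not part of this pull request or of Elasticsearch's code: a ref-counted request zeroes its password when the last reference is dropped, so an asynchronous step only sees the password if the handler retains the request until it has finished. `ReloadRequest`, `handle` and the sample password are hypothetical names and values constructed for illustration.

```java
import java.util.Arrays;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class RefCountedPasswordDemo {
    // Hypothetical stand-in for a request that carries a keystore password.
    static final class ReloadRequest {
        private final char[] password;
        private final AtomicInteger refs = new AtomicInteger(1); // creator holds one ref
        ReloadRequest(String pw) { password = pw.toCharArray(); }
        void incRef() {
            refs.updateAndGet(n -> {
                if (n <= 0) throw new IllegalStateException("already released");
                return n + 1;
            });
        }
        // Dropping the last reference wipes the secret from memory.
        void decRef() { if (refs.decrementAndGet() == 0) Arrays.fill(password, '\0'); }
        boolean passwordIntact() { return password.length > 0 && password[0] != '\0'; }
    }

    // Simulates an async auth step that completes after the caller has let go of the request.
    static boolean handle(ReloadRequest req, boolean retain) throws Exception {
        ExecutorService authPool = Executors.newSingleThreadExecutor();
        CountDownLatch callerReleased = new CountDownLatch(1);
        try {
            if (retain) req.incRef();            // hold the request until the response is ready
            Future<Boolean> result = authPool.submit(() -> {
                callerReleased.await();          // runs only after the caller dropped its ref
                try { return req.passwordIntact(); }
                finally { if (retain) req.decRef(); }
            });
            req.decRef();                        // caller releases when dispatch returns
            callerReleased.countDown();
            return result.get(5, TimeUnit.SECONDS);
        } finally { authPool.shutdown(); }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no retain: " + handle(new ReloadRequest("constructed-pw"), false));
        System.out.println("retained:  " + handle(new ReloadRequest("constructed-pw"), true));
    }
}
```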

@DaveCTurner DaveCTurner added >non-issue :Security/Security Security issues without another label v8.13.0 labels Jan 5, 2024
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Jan 5, 2024
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@DaveCTurner
Contributor Author

>non-issue because this hasn't been released, otherwise this'd be a bug

@DaveCTurner
Contributor Author

I don't have a great idea for how to test this. It'd be good to be sure to cover this in ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT but the auth flow used there appears to be fully synchronous and I don't really know enough about the security module to know how to trick it into doing something async in such a test. Suggestions very welcome.

Contributor

@jakelandis jakelandis left a comment


LGTM

However, have a question raised over at #103952 (comment)

@DaveCTurner
Contributor Author

Superseded by #104000

@DaveCTurner DaveCTurner closed this Jan 9, 2024
@DaveCTurner DaveCTurner deleted the 2024/01/05/RestReloadSecureSettingsAction-workaround-103952 branch January 9, 2024 08:20
@DaveCTurner DaveCTurner restored the 2024/01/05/RestReloadSecureSettingsAction-workaround-103952 branch June 17, 2024 06:17
Labels
blocker >non-issue :Security/Security Security issues without another label Team:Security Meta label for security team v8.13.0