From aa48614f55d62bfb08d3223fd9e4272c9d574e49 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 18 Oct 2024 12:50:34 -0400
Subject: [PATCH 1/6] Add isDualModeEnabled to SecureTransportSettingsProvider
 interface

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../transport/netty4/ssl/SecureNetty4Transport.java    |  4 ++--
 .../plugins/SecureTransportSettingsProvider.java       | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
index 977121346dcc3..8e2aa750dcd04 100644
--- a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
+++ b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
@@ -142,7 +142,7 @@ public SSLServerChannelInitializer(String name) {
         protected void initChannel(Channel ch) throws Exception {
             super.initChannel(ch);
 
-            final boolean dualModeEnabled = NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.get(settings);
+            final boolean dualModeEnabled = secureTransportSettingsProvider.isDualModeEnabled(settings);
             if (dualModeEnabled) {
                 logger.info("SSL Dual mode enabled, using port unification handler");
                 final ChannelHandler portUnificationHandler = new DualModeSslHandler(
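Review bot: The changed line hands the dual-mode decision to plugin code, but the commit does not document when or how often `isDualModeEnabled` is called. Here it runs inside `initChannel`, so once per server channel being initialized, and the next hunk adds the same call to the `SSLClientChannelInitializer` constructor. A `true` result installs the port unification handler, and the Javadoc added in this commit describes dual mode as supporting both encrypted and non-encrypted traffic. The interface Javadoc should therefore say that implementations must be cheap and non-blocking, and that returning `true` relaxes the TLS-only guarantee on the transport port. `initChannel` continues past the end of this hunk.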
@@ -258,7 +258,7 @@ protected class SSLClientChannelInitializer extends Netty4Transport.ClientChanne
         public SSLClientChannelInitializer(DiscoveryNode node) {
             this.node = node;
 
-            final boolean dualModeEnabled = NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.get(settings);
+            final boolean dualModeEnabled = secureTransportSettingsProvider.isDualModeEnabled(settings);
             hostnameVerificationEnabled = NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION.get(settings);
             hostnameVerificationResolveHostName = NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.get(settings);
 
diff --git a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
index 5b7402a01f82d..e0ccf86eea638 100644
--- a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
+++ b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
@@ -9,6 +9,7 @@
 package org.opensearch.plugins;
 
 import org.opensearch.common.annotation.ExperimentalApi;
+import org.opensearch.common.network.NetworkModule;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.transport.Transport;
 import org.opensearch.transport.TransportAdapterProvider;
@@ -36,6 +37,15 @@ default Collection<TransportAdapterProvider<Transport>> getTransportAdapterProvi
         return Collections.emptyList();
     }
 
+    /**
+     * Returns true if dual mode is enabled. Dual mode domains support both encrypted and non-encrypted traffic
+     * @param settings settings
+     * @return a boolean indicating if dual mode is enabled
+     */
+    default boolean isDualModeEnabled(Settings settings) {
+
+    }
+
     /**
      * If supported, builds the {@link TransportExceptionHandler} instance for {@link Transport} instance
      * @param settings settings
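Review bot: `isDualModeEnabled` is added with an empty body, so this commit does not compile on its own, because a `boolean` default method needs a return statement. The body only arrives in patch 2/6, which leaves 1/6 unbuildable when bisecting. Squashing the two, or adding `return NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.get(settings);` here, keeps every commit in the series buildable. The `NetworkModule` import added in the previous hunk is also unused until that return exists.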

From d390bd9c62c3cb04ab86c6a5280ffa423812e32d Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 18 Oct 2024 12:53:57 -0400
Subject: [PATCH 2/6] Add default impl

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../org/opensearch/plugins/SecureTransportSettingsProvider.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
index e0ccf86eea638..df3258a1c7648 100644
--- a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
+++ b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
@@ -43,7 +43,7 @@ default Collection<TransportAdapterProvider<Transport>> getTransportAdapterProvi
      * @return a boolean indicating if dual mode is enabled
      */
     default boolean isDualModeEnabled(Settings settings) {
-
+        return NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.get(settings);
     }
 
     /**

From a0844e9499efc78c49e1b4869caf9edccf5cc59d Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 18 Oct 2024 15:10:12 -0400
Subject: [PATCH 3/6] Respond to comments, update usages and update docstring

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../netty4/ssl/SecureNetty4Transport.java     | 18 ++++++++++---
 .../SecureTransportSettingsProvider.java      | 26 ++++++++++++++++---
 2 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
index 8e2aa750dcd04..b9e1704a2e343 100644
--- a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
+++ b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
@@ -57,6 +57,7 @@
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.util.Optional;
 
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
@@ -142,9 +143,14 @@ public SSLServerChannelInitializer(String name) {
         protected void initChannel(Channel ch) throws Exception {
             super.initChannel(ch);
 
-            final boolean dualModeEnabled = secureTransportSettingsProvider.isDualModeEnabled(settings);
+            boolean dualModeEnabled = false;
+            Optional<SecureTransportSettingsProvider.SecureTransportParameters> parameters = secureTransportSettingsProvider.parameters(
+                settings
+            );
+            if (parameters.isPresent()) {
+                dualModeEnabled = parameters.get().dualModeEnabled();
+            }
             if (dualModeEnabled) {
-                logger.info("SSL Dual mode enabled, using port unification handler");
                 final ChannelHandler portUnificationHandler = new DualModeSslHandler(
                     settings,
                     secureTransportSettingsProvider,
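Review bot: Dropping `logger.info("SSL Dual mode enabled, using port unification handler")` from the `if (dualModeEnabled)` branch removes the only trace in this method that the node is installing the handler used for mixed encrypted and non-encrypted traffic. Logging at info on every channel was noisy, but the fact is still worth recording now that a plugin can supply the value at runtime. Keeping the line at a lower level, `logger.debug("SSL Dual mode enabled, using port unification handler");`, preserves that evidence for operators without the per-connection noise. The body of `initChannel` continues outside the hunk.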
@@ -258,7 +264,13 @@ protected class SSLClientChannelInitializer extends Netty4Transport.ClientChanne
         public SSLClientChannelInitializer(DiscoveryNode node) {
             this.node = node;
 
-            final boolean dualModeEnabled = secureTransportSettingsProvider.isDualModeEnabled(settings);
+            boolean dualModeEnabled = false;
+            Optional<SecureTransportSettingsProvider.SecureTransportParameters> parameters = secureTransportSettingsProvider.parameters(
+                settings
+            );
+            if (parameters.isPresent()) {
+                dualModeEnabled = parameters.get().dualModeEnabled();
+            }
             hostnameVerificationEnabled = NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION.get(settings);
             hostnameVerificationResolveHostName = NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.get(settings);
 
diff --git a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
index df3258a1c7648..50fc6e98a1114 100644
--- a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
+++ b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
@@ -38,12 +38,30 @@ default Collection<TransportAdapterProvider<Transport>> getTransportAdapterProvi
     }
 
     /**
-     * Returns true if dual mode is enabled. Dual mode domains support both encrypted and non-encrypted traffic
+     * Returns parameters that can be dynamically provided by a plugin providing a {@link SecureTransportSettingsProvider}
+     * implementation
      * @param settings settings
-     * @return a boolean indicating if dual mode is enabled
+     * @return an instance of {@link SecureTransportParameters}
      */
-    default boolean isDualModeEnabled(Settings settings) {
-        return NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.get(settings);
+    default Optional<SecureTransportParameters> parameters(Settings settings) {
+        return Optional.of(new DefaultSecureTransportParameters(settings));
+    }
+
+    interface SecureTransportParameters {
+        boolean dualModeEnabled();
+    }
+
+    class DefaultSecureTransportParameters implements SecureTransportParameters {
+        private final Settings settings;
+
+        DefaultSecureTransportParameters(Settings settings) {
+            this.settings = settings;
+        }
+
+        @Override
+        public boolean dualModeEnabled() {
+            return NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.get(settings);
+        }
     }
 
     /**
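Review bot: The new Javadoc on `parameters` says `@return an instance of {@link SecureTransportParameters}`, but the method returns `Optional<SecureTransportParameters>`, and nothing states what an empty result means. In this commit both callers in `SecureNetty4Transport` leave `dualModeEnabled` at `false` when the Optional is empty, so a provider that returns empty turns dual mode off even if `NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED` is set in the node settings. That is the stricter outcome, but implementers need to know it. I would write `@return the parameters, or {@link Optional#empty()} if the provider supplies none, in which case dual mode is treated as disabled`.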

From 1792a31df8190e0a87a15bc4b8d156ff4def4caf Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 18 Oct 2024 15:14:19 -0400
Subject: [PATCH 4/6] Address feedback

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../netty4/ssl/SecureNetty4Transport.java     | 21 ++++++-------------
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
index b9e1704a2e343..e51ed5663502f 100644
--- a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
+++ b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
@@ -57,7 +57,6 @@
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.util.Optional;
 
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
@@ -143,13 +142,9 @@ public SSLServerChannelInitializer(String name) {
         protected void initChannel(Channel ch) throws Exception {
             super.initChannel(ch);
 
-            boolean dualModeEnabled = false;
-            Optional<SecureTransportSettingsProvider.SecureTransportParameters> parameters = secureTransportSettingsProvider.parameters(
-                settings
-            );
-            if (parameters.isPresent()) {
-                dualModeEnabled = parameters.get().dualModeEnabled();
-            }
+            final boolean dualModeEnabled = secureTransportSettingsProvider.parameters(settings)
+                .map(SecureTransportSettingsProvider.SecureTransportParameters::dualModeEnabled)
+                .orElse(false);
             if (dualModeEnabled) {
                 final ChannelHandler portUnificationHandler = new DualModeSslHandler(
                     settings,
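Review bot: The three-line `parameters(settings).map(...).orElse(false)` expression added here is repeated verbatim in the `SSLClientChannelInitializer` constructor in the next hunk. The fallback on an empty Optional decides whether the transport stays TLS-only, so it should live in one place. A private helper on the enclosing transport class (assuming both initializers are inner classes with access to `settings` and `secureTransportSettingsProvider`) would let both sites read `final boolean dualModeEnabled = isDualModeEnabled();`. That helper is also the natural place for a comment stating that a missing `SecureTransportParameters` means dual mode is off.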
@@ -264,13 +259,9 @@ protected class SSLClientChannelInitializer extends Netty4Transport.ClientChanne
         public SSLClientChannelInitializer(DiscoveryNode node) {
             this.node = node;
 
-            boolean dualModeEnabled = false;
-            Optional<SecureTransportSettingsProvider.SecureTransportParameters> parameters = secureTransportSettingsProvider.parameters(
-                settings
-            );
-            if (parameters.isPresent()) {
-                dualModeEnabled = parameters.get().dualModeEnabled();
-            }
+            final boolean dualModeEnabled = secureTransportSettingsProvider.parameters(settings)
+                .map(SecureTransportSettingsProvider.SecureTransportParameters::dualModeEnabled)
+                .orElse(false);
             hostnameVerificationEnabled = NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION.get(settings);
             hostnameVerificationResolveHostName = NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.get(settings);
 

From 937578ce37a61a3c7e381040b4c9c24db3c7526d Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 18 Oct 2024 15:16:46 -0400
Subject: [PATCH 5/6] Add ExperimentalApi and add to CHANGELOG

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 CHANGELOG.md                                                     | 1 +
 .../org/opensearch/plugins/SecureTransportSettingsProvider.java  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8d67ed755fa31..52333b6a382c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add _list/shards API as paginated alternate to _cat/shards ([#14641](https://github.com/opensearch-project/OpenSearch/pull/14641))
 - Latency and Memory allocation improvements to Multi Term Aggregation queries ([#14993](https://github.com/opensearch-project/OpenSearch/pull/14993))
 - Flat object field use IndexOrDocValuesQuery to optimize query ([#14383](https://github.com/opensearch-project/OpenSearch/issues/14383))
+- Add method to return dynamic SecureTransportParameters from SecureTransportSettingsProvider interface ([#16387](https://github.com/opensearch-project/OpenSearch/pull/16387)
 
 ### Dependencies
 - Bump `com.azure:azure-identity` from 1.13.0 to 1.13.2 ([#15578](https://github.com/opensearch-project/OpenSearch/pull/15578))
diff --git a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
index 50fc6e98a1114..1b5cd45620d32 100644
--- a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
+++ b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
@@ -47,6 +47,7 @@ default Optional<SecureTransportParameters> parameters(Settings settings) {
         return Optional.of(new DefaultSecureTransportParameters(settings));
     }
 
+    @ExperimentalApi
     interface SecureTransportParameters {
         boolean dualModeEnabled();
     }

From 174344be751a6887a07d883be03f818eed50221f Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 18 Oct 2024 15:38:36 -0400
Subject: [PATCH 6/6] Move DefaultSecureTransportParameters to separate file
 and add javadoc

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../DefaultSecureTransportParameters.java     | 28 +++++++++++++++++++
 .../SecureTransportSettingsProvider.java      | 17 ++---------
 2 files changed, 31 insertions(+), 14 deletions(-)
 create mode 100644 server/src/main/java/org/opensearch/plugins/DefaultSecureTransportParameters.java

diff --git a/server/src/main/java/org/opensearch/plugins/DefaultSecureTransportParameters.java b/server/src/main/java/org/opensearch/plugins/DefaultSecureTransportParameters.java
new file mode 100644
index 0000000000000..e3771f224a7db
--- /dev/null
+++ b/server/src/main/java/org/opensearch/plugins/DefaultSecureTransportParameters.java
@@ -0,0 +1,28 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.plugins;
+
+import org.opensearch.common.network.NetworkModule;
+import org.opensearch.common.settings.Settings;
+
+/**
+ * Default implementation of {@link SecureTransportSettingsProvider.SecureTransportParameters}.
+ */
+class DefaultSecureTransportParameters implements SecureTransportSettingsProvider.SecureTransportParameters {
+    private final Settings settings;
+
+    DefaultSecureTransportParameters(Settings settings) {
+        this.settings = settings;
+    }
+
+    @Override
+    public boolean dualModeEnabled() {
+        return NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.get(settings);
+    }
+}
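Review bot: The class Javadoc only says "Default implementation" and does not state where the value comes from. `dualModeEnabled()` reads `NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED` from the stored `Settings` on every call, and that is worth saying so readers know the default simply mirrors the node setting. I would add a second sentence such as `Reads {@code NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED} from the node settings on each call.` Since the class is package-private and not meant for extension, it can also be declared `final class DefaultSecureTransportParameters`.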
diff --git a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
index 1b5cd45620d32..5f9e1a952b6e8 100644
--- a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
+++ b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
@@ -9,7 +9,6 @@
 package org.opensearch.plugins;
 
 import org.opensearch.common.annotation.ExperimentalApi;
-import org.opensearch.common.network.NetworkModule;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.transport.Transport;
 import org.opensearch.transport.TransportAdapterProvider;
@@ -47,24 +46,14 @@ default Optional<SecureTransportParameters> parameters(Settings settings) {
         return Optional.of(new DefaultSecureTransportParameters(settings));
     }
 
+    /**
+     * Dynamic parameters that can be provided by the {@link SecureTransportSettingsProvider}
+     */
     @ExperimentalApi
     interface SecureTransportParameters {
         boolean dualModeEnabled();
     }
 
-    class DefaultSecureTransportParameters implements SecureTransportParameters {
-        private final Settings settings;
-
-        DefaultSecureTransportParameters(Settings settings) {
-            this.settings = settings;
-        }
-
-        @Override
-        public boolean dualModeEnabled() {
-            return NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.get(settings);
-        }
-    }
-
     /**
      * If supported, builds the {@link TransportExceptionHandler} instance for {@link Transport} instance
      * @param settings settings
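Review bot: The interface now has a Javadoc, but its only method, `dualModeEnabled()`, is still undocumented. The explanation that dual mode supports both encrypted and non-encrypted traffic was removed in patch 3/6 and never restored. Plugin authors implementing `SecureTransportParameters` need that security meaning at the method itself, for example `/** @return true if dual mode is enabled, i.e. the transport supports both encrypted and non-encrypted traffic */`. The enclosing `SecureTransportSettingsProvider` interface starts and ends outside this hunk.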