Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Authentication/Authorization Stacks Shallower/Simpler #75662

Merged
merged 4 commits into from
Jul 29, 2021
Merged

Make Authentication/Authorization Stacks Shallower/Simpler #75662

merged 4 commits into from
Jul 29, 2021

Conversation

original-brownbear
Copy link
Member

Same as #75252 pretty much just continuing to make this logic a little
simpler for easier profiling and (very) maybe performance through
saving some allocations/indirection.

@original-brownbear
Make Authentication/Authorization Stacks Shallower/Simpler
d7f1113 
Same as elastic#75252 pretty much just continuing to make this logic a little
simpler for easier profiling and (very) maybe performance through
saving some allocations/indirection.
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jul 24, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@ywangd ywangd self-requested a review July 29, 2021 01:54
ywangd
ywangd approved these changes Jul 29, 2021
View reviewed changes
Copy link
Member

@ywangd ywangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with just one question:

This PR simplifies call stacks but introduces some more try/catch blocks, e.g. authorizeIndexActionName now throws the error object instead of just instantiating it. Unwinding the callstack when catch fires could be expensive. Is it a concern? Or it is ok because the happy path (successful authentication and authorization) is not affected?

...gin/security/src/main/java/org/elasticsearch/xpack/security/authc/AuthenticationService.java
Comment on lines -619 to -620
// we assign the listener call to an action to avoid calling the listener within a try block and auditing the wrong thing when
// an exception bubbles up even after successful authentication
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't quite get this existing comment. But I suspect the original concern may not exist any more.

...gin/security/src/main/java/org/elasticsearch/xpack/security/authc/AuthenticationService.java
Comment on lines -733 to -735
// we assign the listener call to an action to avoid calling the listener within a try block and auditing the wrong thing
// when an exception bubbles up even after successful authentication
action.run();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah ok the same comment makes more sense here (because it has a try/catch block). As I suspected, it is no longer applicable even before this PR.

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java Outdated Show resolved Hide resolved
@original-brownbear
Copy link
Member Author

Thanks Yang!

Is it a concern? Or it is ok because the happy path (successful authentication and authorization) is not affected?

I think it's probably not relevant. For one, as you point out this is just the unhappy path. But also the catch is always really close to the throw stack wise, so the unwinding isn't that costly I think. Relative to the big-ticket items in auth like building up the list of authorized indices for a role it's very likely trivial anyway IMO.

@original-brownbear original-brownbear merged commit 27e27e0 into elastic:master Jul 29, 2021
@original-brownbear original-brownbear deleted the shallower-stacks-authentication branch July 29, 2021 10:50
original-brownbear added a commit to original-brownbear/elasticsearch that referenced this pull request Jul 29, 2021
@original-brownbear
Make Authentication/Authorization Stacks Shallower/Simpler (elastic#7…
cbd191f 
…5662)

Same as elastic#75252 pretty much just continuing to make this logic a little
simpler for easier profiling and (very) maybe performance through
saving some allocations/indirection.
@original-brownbear original-brownbear mentioned this pull request Jul 29, 2021
Merged
original-brownbear added a commit that referenced this pull request Jul 29, 2021
@original-brownbear
Make Authentication/Authorization Stacks Shallower/Simpler (#75662) (#…
6d8c033 
…75833)

Same as #75252 pretty much just continuing to make this logic a little
simpler for easier profiling and (very) maybe performance through
saving some allocations/indirection.
ywangd pushed a commit to ywangd/elasticsearch that referenced this pull request Jul 30, 2021
@original-brownbear @ywangd
Make Authentication/Authorization Stacks Shallower/Simpler (elastic#7…
10d361e 
…5662)

Same as elastic#75252 pretty much just continuing to make this logic a little
simpler for easier profiling and (very) maybe performance through
saving some allocations/indirection.
@original-brownbear original-brownbear restored the shallower-stacks-authentication branch April 18, 2023 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ywangd ywangd ywangd approved these changes

Assignees
No one assigned
Labels
>refactoring :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.15.0 v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@original-brownbear @elasticmachine @ywangd @mark-vieira