Fix assertDefaultThreadContext enumerating allowed headers #86262

pgomulka · 2022-04-28T12:45:18Z

Default thread context should has headers from a finite set or be empty.
The allowed headers are the ones that we want to "follow the request" so
that we can log them.
Previously the assertDefaultThreadContext was trying to enumerate combinations
of allowed headers.
Any combination with these headers is allowed, so we should simplify this method.

Have you signed the contributor license agreement?
Have you followed the contributor guidelines?
If submitting code, have you built your formula locally prior to submission with gradle check?
If submitting code, is your pull request against master? Unless there is a good reason otherwise, we prefer pull requests against master and will backport as needed.
If submitting code, have you checked that your submission is for an OS and architecture that we support?
If you are submitting this code for a class then read our policy for that.

Default thread context should has headers from a finite set or be empty. The allowed headers are the ones that we want to "follow the request" so that we can log them. Previously the assertDefaultThreadContext was trying to enumerate combinations of allowed headers. Any combination with these headers is allowed, so we should simplify this method.

elasticmachine · 2022-04-28T12:45:22Z

Pinging @elastic/es-core-infra (Team:Core/Infra)

elasticsearchmachine · 2022-04-28T12:45:43Z

Hi @pgomulka, I've created a changelog YAML for you.

pgomulka · 2022-04-28T12:46:14Z

the bug highlighted itself after #68649 was merged.
reproduction steps:
start ES server with gradlew run (java assertions enabled)
start kibana

observe a failure:

        at org.elasticsearch.ExceptionsHelper.lambda$maybeDieOnAnotherThread$4(ExceptionsHelper.java:257)
        at java.base/java.util.Optional.ifPresent(Optional.java:178)
        at org.elasticsearch.ExceptionsHelper.maybeDieOnAnotherThread(ExceptionsHelper.java:247)
        at org.elasticsearch.transport.netty4.Netty4TcpChannel.lambda$addPromise$1(Netty4TcpChannel.java:83)
        at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:578)
        at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:552)
        at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:491)
        at io.netty.util.concurrent.DefaultPromise.setValue0(DefaultPromise.java:616)
        at io.netty.util.concurrent.DefaultPromise.setFailure0(DefaultPromise.java:609)
        at io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:117)
        at io.netty.util.concurrent.PromiseCombiner.tryPromise(PromiseCombiner.java:170)
        at io.netty.util.concurrent.PromiseCombiner.finish(PromiseCombiner.java:159)
        at io.netty.handler.codec.MessageToMessageEncoder.writePromiseCombiner(MessageToMessageEncoder.java:139)
        at io.netty.handler.codec.MessageToMessageEncoder.write(MessageToMessageEncoder.java:117)
        at io.netty.channel.AbstractChannelHandlerContext.invokeWrite0(AbstractChannelHandlerContext.java:717)
        at io.netty.channel.AbstractChannelHandlerContext.invokeWrite(AbstractChannelHandlerContext.java:709)
        at io.netty.channel.AbstractChannelHandlerContext.write(AbstractChannelHandlerContext.java:792)
        at io.netty.channel.AbstractChannelHandlerContext.write(AbstractChannelHandlerContext.java:702)
        at io.netty.handler.codec.MessageToMessageEncoder.write(MessageToMessageEncoder.java:110)
        at io.netty.handler.codec.MessageToMessageCodec.write(MessageToMessageCodec.java:116)
        at io.netty.channel.AbstractChannelHandlerContext.invokeWrite0(AbstractChannelHandlerContext.java:717)
        at io.netty.channel.AbstractChannelHandlerContext.invokeWrite(AbstractChannelHandlerContext.java:709)
        at io.netty.channel.AbstractChannelHandlerContext.write(AbstractChannelHandlerContext.java:792)
        at io.netty.channel.AbstractChannelHandlerContext.write(AbstractChannelHandlerContext.java:702)
        at io.netty.handler.codec.MessageToMessageEncoder.write(MessageToMessageEncoder.java:110)
        at io.netty.channel.AbstractChannelHandlerContext.invokeWrite0(AbstractChannelHandlerContext.java:717)
        at io.netty.channel.AbstractChannelHandlerContext.invokeWrite(AbstractChannelHandlerContext.java:709)
        at io.netty.channel.AbstractChannelHandlerContext.write(AbstractChannelHandlerContext.java:792)
        at io.netty.channel.AbstractChannelHandlerContext.write(AbstractChannelHandlerContext.java:702)
        at org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.write(Netty4HttpPipeliningHandler.java:59)
        at io.netty.channel.AbstractChannelHandlerContext.invokeWrite0(AbstractChannelHandlerContext.java:717)
        at io.netty.channel.AbstractChannelHandlerContext.invokeWriteAndFlush(AbstractChannelHandlerContext.java:764)
        at io.netty.channel.AbstractChannelHandlerContext.write(AbstractChannelHandlerContext.java:790)
        at io.netty.channel.AbstractChannelHandlerContext.writeAndFlush(AbstractChannelHandlerContext.java:758)
        at io.netty.channel.DefaultChannelPipeline.writeAndFlush(DefaultChannelPipeline.java:1020)
        at io.netty.channel.AbstractChannel.writeAndFlush(AbstractChannel.java:311)
        at org.elasticsearch.http.netty4.Netty4HttpChannel.sendResponse(Netty4HttpChannel.java:34)
        at org.elasticsearch.http.DefaultRestChannel.sendResponse(DefaultRestChannel.java:135)
        at org.elasticsearch.rest.RestController$ResourceHandlingHttpChannel.sendResponse(RestController.java:664)
        at org.elasticsearch.rest.action.RestResponseListener.processResponse(RestResponseListener.java:26)
        at org.elasticsearch.rest.action.RestActionListener.onResponse(RestActionListener.java:38)
        at org.elasticsearch.client.internal.node.NodeClient$ActionResponseTaskListener.onResponse(NodeClient.java:175)
        at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:171)
        at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:165)
        at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$2(SecurityActionFilter.java:163)
        at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:245)
        at org.elasticsearch.action.ActionListener$DelegatingActionListener.onResponse(ActionListener.java:212)
        at org.elasticsearch.action.ActionListener.completeWith(ActionListener.java:473)
        at org.elasticsearch.action.admin.cluster.state.TransportClusterStateAction.masterOperation(TransportClusterStateAction.java:96)
        at org.elasticsearch.action.admin.cluster.state.TransportClusterStateAction.masterOperation(TransportClusterStateAction.java:41)
        at org.elasticsearch.action.support.master.TransportMasterNodeAction.executeMasterOperation(TransportMasterNodeAction.java:121)
        at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction.lambda$doStart$3(TransportMasterNodeAction.java:215)
        at org.elasticsearch.action.ActionRunnable$2.doRun(ActionRunnable.java:62)
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:26)
        at org.elasticsearch.common.util.concurrent.EsExecutors$DirectExecutorService.execute(EsExecutors.java:223)
        at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction.doStart(TransportMasterNodeAction.java:215)
        at org.elasticsearch.action.support.master.TransportMasterNodeAction.doExecute(TransportMasterNodeAction.java:152)
        at org.elasticsearch.action.support.master.TransportMasterNodeAction.doExecute(TransportMasterNodeAction.java:52)
        at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:79)
        at org.elasticsearch.action.support.ActionFilter$Simple.apply(ActionFilter.java:53)
        at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:77)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:161)
        at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:245)
        at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorizeAction$4(AuthorizationService.java:395)
        at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:938)
        at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:902)
        at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
        at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorizeAction$5(AuthorizationService.java:409)
        at org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:162)
        at org.elasticsearch.xpack.security.authz.RBACEngine.authorizeClusterAction(RBACEngine.java:165)
        at org.elasticsearch.xpack.security.authz.AuthorizationService.authorizeAction(AuthorizationService.java:399)
        at org.elasticsearch.xpack.security.authz.AuthorizationService.maybeAuthorizeRunAs(AuthorizationService.java:375)
        at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorize$1(AuthorizationService.java:260)
        at org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:162)
        at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
        at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$resolveAuthorizationInfo$0(RBACEngine.java:138)
        at org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:162)
        at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.lambda$getRoles$1(CompositeRolesStore.java:185)
        at org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:162)
        at org.elasticsearch.xpack.core.security.authz.store.RoleReferenceIntersection.lambda$buildRole$0(RoleReferenceIntersection.java:47)
        at org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:162)
        at org.elasticsearch.action.support.GroupedActionListener.onResponse(GroupedActionListener.java:55)
        at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.buildRoleFromRoleReference(CompositeRolesStore.java:284)
        at org.elasticsearch.xpack.core.security.authz.store.RoleReferenceIntersection.lambda$buildRole$1(RoleReferenceIntersection.java:50)
        at java.base/java.lang.Iterable.forEach(Iterable.java:75)
        at org.elasticsearch.xpack.core.security.authz.store.RoleReferenceIntersection.buildRole(RoleReferenceIntersection.java:50)
        at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.getRole(CompositeRolesStore.java:200)
        at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.getRoles(CompositeRolesStore.java:175)
        at org.elasticsearch.xpack.security.authz.RBACEngine.resolveAuthorizationInfo(RBACEngine.java:135)
        at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:262)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$4(SecurityActionFilter.java:157)
        at org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:162)
        at org.elasticsearch.action.ActionListener$MappedActionListener.onResponse(ActionListener.java:127)
        at org.elasticsearch.xpack.security.authc.AuthenticatorChain.authenticateAsync(AuthenticatorChain.java:93)
        at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:171)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.applyInternal(SecurityActionFilter.java:153)
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:112)
        at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:77)
        at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:54)
        at org.elasticsearch.tasks.TaskManager.registerAndExecute(TaskManager.java:165)
        at org.elasticsearch.client.internal.node.NodeClient.executeLocally(NodeClient.java:113)
        at org.elasticsearch.client.internal.node.NodeClient.doExecute(NodeClient.java:91)
        at org.elasticsearch.client.internal.support.AbstractClient.execute(AbstractClient.java:380)
        at org.elasticsearch.client.internal.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:676)
        at org.elasticsearch.client.internal.support.AbstractClient$ClusterAdmin.state(AbstractClient.java:706)
        at org.elasticsearch.rest.action.admin.cluster.RestClusterGetSettingsAction.lambda$prepareRequest$0(RestClusterGetSettingsAction.java:63)
        at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:103)
        at org.elasticsearch.xpack.security.rest.SecurityRestFilter.lambda$handleRequest$0(SecurityRestFilter.java:112)
        at org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:162)
        at org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator.lambda$authenticateAndAttachToContext$2(SecondaryAuthenticator.java:84)
        at org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:162)
        at org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator.authenticate(SecondaryAuthenticator.java:94)
        at org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator.authenticateAndAttachToContext(SecondaryAuthenticator.java:78)
        at org....
Collapse

…t_tc

…arch into fix_assert_default_tc

benwtrent

much cleaner check. LGTM

rjernst

LGTM

…6262) Default thread context should has headers from a finite set or be empty. The allowed headers are the ones that we want to "follow the request" so that we can log them. Previously the assertDefaultThreadContext was trying to enumerate combinations of allowed headers. Any combination with these headers is allowed, so we should simplify this method.

elasticsearchmachine · 2022-04-28T14:21:32Z

💔 Backport failed

Status	Branch	Result
✅	8.2
❌	7.17	Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 86262

…6262) Default thread context should has headers from a finite set or be empty. The allowed headers are the ones that we want to "follow the request" so that we can log them. Previously the assertDefaultThreadContext was trying to enumerate combinations of allowed headers. Any combination with these headers is allowed, so we should simplify this method.

…86270) Backports the following commits to 8.2: Fix assertDefaultThreadContext enumerating allowed headers (Fix assertDefaultThreadContext enumerating allowed headers #86262)

…86262) (#86271) Default thread context should has headers from a finite set or be empty. The allowed headers are the ones that we want to "follow the request" so that we can log them. Previously the assertDefaultThreadContext was trying to enumerate combinations of allowed headers. Any combination with these headers is allowed, so we should simplify this method.

pgomulka added >bug :Core/Infra/Core Core issues without another label auto-backport Automatically create backport pull requests when merged v8.3.0 v8.2.1 v7.17.4 labels Apr 28, 2022

pgomulka self-assigned this Apr 28, 2022

elasticmachine added the Team:Core/Infra Meta label for core/infra team label Apr 28, 2022

Update docs/changelog/86262.yaml

b32a562

pgomulka requested review from williamrandolph and benwtrent April 28, 2022 12:46

pgomulka added 2 commits April 28, 2022 14:51

Merge remote-tracking branch 'upstream/master' into fix_assert_defaul…

298734a

…t_tc

Merge branch 'fix_assert_default_tc' of github.com:pgomulka/elasticse…

7d54f73

…arch into fix_assert_default_tc

benwtrent approved these changes Apr 28, 2022

View reviewed changes

rjernst approved these changes Apr 28, 2022

View reviewed changes

pgomulka merged commit b6d6531 into elastic:master Apr 28, 2022

pgomulka mentioned this pull request Apr 28, 2022

[8.2] Fix assertDefaultThreadContext enumerating allowed headers (#86262) #86270

Merged

ChrisHegarty unassigned pgomulka Oct 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix assertDefaultThreadContext enumerating allowed headers #86262

Fix assertDefaultThreadContext enumerating allowed headers #86262

Uh oh!

pgomulka commented Apr 28, 2022

Uh oh!

elasticmachine commented Apr 28, 2022

Uh oh!

elasticsearchmachine commented Apr 28, 2022

Uh oh!

pgomulka commented Apr 28, 2022

Uh oh!

benwtrent left a comment

Uh oh!

rjernst left a comment

Uh oh!

elasticsearchmachine commented Apr 28, 2022

Uh oh!

Uh oh!

Fix assertDefaultThreadContext enumerating allowed headers #86262

Fix assertDefaultThreadContext enumerating allowed headers #86262

Uh oh!

Conversation

pgomulka commented Apr 28, 2022

Uh oh!

elasticmachine commented Apr 28, 2022

Uh oh!

elasticsearchmachine commented Apr 28, 2022

Uh oh!

pgomulka commented Apr 28, 2022

Uh oh!

benwtrent left a comment

Choose a reason for hiding this comment

Uh oh!

rjernst left a comment

Choose a reason for hiding this comment

Uh oh!

elasticsearchmachine commented Apr 28, 2022

💔 Backport failed

Uh oh!

Uh oh!