Infrastructure for resharding search filters #134252
Conversation
elasticsearchmachine
added
serverless-linked
| * Sets the factory for creating new {@link DirectoryReader} wrapper instances. | ||
| * Adds a new instance of factory creating new {@link DirectoryReader} wrapper instances. | ||
| * The factory ({@link Function}) is called once the IndexService is fully constructed. | ||
| * NOTE: this method can only be called once per index. Multiple wrappers are not supported. |
There was a problem hiding this comment.
Do you know whether there was any reason beyond "not implemented yet" why there might have been a restriction on more than a single wrapper? I ask because the implementation is so small it doesn't seem like it would necessarily have been an impediment on its own.
There was a problem hiding this comment.
It was added as a protection to disallow other plugins than security to mess with this low level api.
| private final SetOnce<DirectoryWrapper> indexDirectoryWrapper = new SetOnce<>(); | ||
| private final SetOnce<Function<IndexService, CheckedFunction<DirectoryReader, DirectoryReader, IOException>>> indexReaderWrapper = | ||
| new SetOnce<>(); | ||
| private final List<Function<IndexService, CheckedFunction<DirectoryReader, DirectoryReader, IOException>>> indexReaderWrappers = |
There was a problem hiding this comment.
@jimczi i see you've done work in this area previously. Do you see any problem with this?
There was a problem hiding this comment.
My main worry is the ordering. Are we sure that it's ok if the ordering is not guaranteed? Like would we take different decisions in the extension if the live docs are different depending on which directory is last?
If not, we should ensure that the directory implementation applies the recommendation in the javadoc (like delegating cache helper, ...). Maybe that should be enforced too if that's not the case already (in tests or asserts).
There was a problem hiding this comment.
I think it's okay. Both readers take live docs from the wrapped reader and apply a bitset on top of them e.g.
https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/DocumentSubsetReader.java#L207.
My new implementation essentially boils down to:
static class FilterBits implements Bits {
private final Bits original;
private final Bits filteredOut;
FilterBits(Bits original, BitSet filteredOut) {
this.original = original;
this.filteredOut = filteredOut;
}
@Override
public boolean get(int index) {
return original.get(index) && (filteredOut.get(index) == false);
}
@Override
public int length() {
return original.length();
}
}
If security wrapper comes first then all "unsecure" docs are not live and stay that way since original.get(index) is false. If a new wrapper comes first then security works normally except some of the docs that need to be excluded are already excluded by the new wrapper.
There are checks for the contract of the wrappers already in here
There was a problem hiding this comment.
The only dangerous code path i can see is if wrapper uses something like FilterLeafReader.unwrap() which we don't do and IMO it is kinda obvious that this is a dangerous path.
There was a problem hiding this comment.
Yep we only to ensure that the ElasticsearchDirectoryReader can be extracted to get the shard infos.
From the description of the feature, it looks fine. Let's make sure that we don't add more to it, this is still a very expert thing to do and hopefully not an extension point for any plugin.
There was a problem hiding this comment.
We have prior art in making sure that certain extension points are only used by Elastic supplied plugins (modules) and not by arbitrary 3rd party plugins
For example
elasticsearch/server/src/main/java/org/elasticsearch/action/ActionModule.java
Lines 548 to 566 in 4042137
@rjernst probably has a view on the preferred way to enforce that
elasticsearchmachine
added
the
needs:triage
lkts
added
the
:Distributed Indexing/Distributed
|
Pinging @elastic/es-distributed-indexing (Team:Distributed Indexing) |
elasticsearchmachine
added
Team:Distributed Indexing
| * Adds a new instance of factory creating new {@link DirectoryReader} wrapper instances. | ||
| * The factory ({@link Function}) is called once the IndexService is fully constructed. | ||
| * NOTE: this method can only be called once per index. Multiple wrappers are not supported. | ||
| * The order of execution of wrappers is not guaranteed. |
There was a problem hiding this comment.
I think we do execute them in order and should define it instead. It might be important to performance which wrapper goes first.
There was a problem hiding this comment.
do you mean something like if the first wrapper filters out many documents, the second wrapper has less work to do? How do we decide what the correct order should be?
There was a problem hiding this comment.
We can keep the order of application of wrappers based on the order in which they were added (we already do). The problem with the order here is that this is called by plugins and the order in which plugins are set up is not defined.
There was a problem hiding this comment.
So real clients of this API can't really rely on the order in reality.
| MergeMetrics.NOOP | ||
| ); | ||
| security.onIndexModule(indexModule); | ||
| // indexReaderWrapper is a SetOnce so if Security#onIndexModule had already set an ReaderWrapper we would get an exception here |
There was a problem hiding this comment.
This comment seems outdated by this change. I did not "debug" why the comment was made, might be worth looking into. Sounds like this "setReaderWrapper" really verifies that no reader wrapper was set yet?
6 participants
This PR relaxes the restriction on there only ever being one
DirectoryReaderwrapper per index and adds a possibility to apply multiple layers of wrappers. Currently only two are expected but the code does not enforce this.This is needed for the ongoing autosharding project work.