Skip to content

Refactor remote cluster interceptor and tests #135747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 15 commits into from
Oct 6, 2025
Merged

Refactor remote cluster interceptor and tests #135747

merged 15 commits into from
Oct 6, 2025
+1,347 −1,020

Conversation

slobodanadamovic
Copy link
Contributor

@slobodanadamovic slobodanadamovic commented Sep 30, 2025
edited
Loading

Initially, the RemoteClusterTransportInterceptor#getProfileTransportFilters required remote-cluster security extensions to provide transport filters for all transport profiles. The method was too generic and not specific to only _remote_cluster transport profile. This meant that RCS extensions were free to decide which filter they wanted to "override" with its custom transport filter implementation. This turned out to be unnecessary, because RCS extensions only ever need to provide a custom implementation for the remote cluster profile. This refactoring removes the need to provide the "default" ServerTransportFilter in order for security to work.

Followups to:

  • Converted ServerTransportFilter to interface with a default implementation.
  • Refactored RemoteClusterTransportInterceptor to allow optionally providing only a custom remote cluster transport filter. It's no longer required from RCS extensions to provide the default ServerTransportFilter implementation.
  • Split transport interceptor and filter tests:
    • ServerTransportFilterTests became abstract and got split into two tests: CrossClusterAccessServerTransportFilterTests and DefaultServerTransportFilterTests
    • Cross-cluster access tests got extracted from SecurityServerTransportInterceptorTests into its own CrossClusterAccessTransportInterceptorTestsclass

@slobodanadamovic
Refactor transport filters and remote cluster interceptor
e2d1125 
 - Converted `ServerTransportFilter` to interface with the default
 implementation.
 - Refactoried `RemoteClusterTransportInterceptor` to allow optionally
 providing only a custom remote cluster transport profile filter.
- Split transport interceptor and filter tests
@slobodanadamovic slobodanadamovic added >refactoring :Security/Security Security issues without another label Team:Security Meta label for security team labels Sep 30, 2025
@elasticsearchmachine elasticsearchmachine added the serverless-linked Added by automation, don't add manually label Sep 30, 2025
@slobodanadamovic slobodanadamovic changed the title Refactor transport filters and remote cluster interceptor Refactor remote cluster interceptor Oct 1, 2025
@slobodanadamovic slobodanadamovic marked this pull request as ready for review October 1, 2025 06:47
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@slobodanadamovic slobodanadamovic changed the title Refactor remote cluster interceptor Refactor remote cluster interceptor and tests Oct 1, 2025
jfreden
jfreden reviewed Oct 1, 2025
View reviewed changes
...java/org/elasticsearch/xpack/security/transport/CrossClusterAccessServerTransportFilter.java Outdated
import static org.elasticsearch.xpack.security.authc.CrossClusterAccessHeaders.CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY;

final class CrossClusterAccessServerTransportFilter extends ServerTransportFilter {
final class CrossClusterAccessServerTransportFilter extends DefaultServerTransportFilter implements ServerTransportFilter {
Copy link
Contributor

@jfreden jfreden Oct 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

implements ServerTransportFilter is implicit since CrossClusterAccessServerTransportFilter is a DefaultServerTransportFilter that in turn implements ServerTransportFilter.

Might be out of scope for this PR, but the inheritance here is a little confusing. CrossClusterAccessServerTransportFilter is only overriding the authenticate method which leads me to believe that the code in CrossClusterAccessServerTransportFilter actually belongs in CrossClusterAccessAuthenticationService and this class could be dropped for that reason.

Copy link
Contributor Author

@slobodanadamovic slobodanadamovic Oct 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a very good point. Thanks for bringing this up. I think the end goal could be to have a single ServerTransportFilter implementation that accept a custom authentication service (CrossClusterAccessAuthenticationService or AuthenticationService). I like this idea, but that might be more involved at this point as it would require more refactoring. As a first step towards that, I could start by reverting the interface introduction, and later following up with generalizing the authentication part. WDYT?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, I didn't realize they were different interfaces, yes that makes it more difficult. One more thing that could be done in this PR is to move the logic into the CrossClusterAccessAuthenticationService and just do the authenticate call. I'll leave it up to you, might also make sense to not increase the scope.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, them being different interfaces with a different number of parameters makes it not that straightforward, but doable. In the interest of unblocking downstream work, I'd prefer to get back to this in a followup.

jfreden
jfreden reviewed Oct 1, 2025
View reviewed changes
...java/org/elasticsearch/xpack/security/transport/CrossClusterAccessServerTransportFilter.java Outdated
import static org.elasticsearch.xpack.security.authc.CrossClusterAccessHeaders.CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY;

final class CrossClusterAccessServerTransportFilter extends ServerTransportFilter {
final class CrossClusterAccessServerTransportFilter extends DefaultServerTransportFilter implements ServerTransportFilter {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, I didn't realize they were different interfaces, yes that makes it more difficult. One more thing that could be done in this PR is to move the logic into the CrossClusterAccessAuthenticationService and just do the authenticate call. I'll leave it up to you, might also make sense to not increase the scope.

slobodanadamovic
slobodanadamovic commented Oct 1, 2025
View reviewed changes
.../java/org/elasticsearch/xpack/security/rcs/extension/TestRemoteClusterSecurityExtension.java
@Override
public Map<String, ServerTransportFilter> getProfileTransportFilters(
Map<String, SslProfile> profileConfigurations,
public Optional<ServerTransportFilter> getRemoteProfileTransportFilter(
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Returning Optional<ServerTransportFilter> is more of a preference here. We could as well return ServerTransportFilter and annotate the method as @Nullable

jfreden
jfreden approved these changes Oct 1, 2025
View reviewed changes
Copy link
Contributor

@jfreden jfreden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job on this! You probably want to wait for a review from someone familiar with CPS too, but LGTM!

ywangd
ywangd reviewed Oct 2, 2025
View reviewed changes
Copy link
Member

@ywangd ywangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Production code changes LGTM. Didn't read test code and I'd like to defer to @jfreden's review for that. Thanks!

slobodanadamovic and others added 5 commits October 6, 2025 14:09
@slobodanadamovic
Merge branch 'main' into security-transport-refactoring
755b480
@slobodanadamovic
remove old tests elastic#135942
0f519bb
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into security…
e0e01cb 
…-transport-refactoring

# Conflicts:
#	x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java
@slobodanadamovic
spotless
cda64b2
@slobodanadamovic
Merge branch 'main' into security-transport-refactoring
f1b255d
@slobodanadamovic slobodanadamovic added the auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) label Oct 6, 2025
@elasticsearchmachine elasticsearchmachine merged commit 2b91dd5 into elastic:main Oct 6, 2025
40 checks passed
@slobodanadamovic slobodanadamovic deleted the security-transport-refactoring branch October 6, 2025 19:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ywangd ywangd ywangd left review comments

@jfreden jfreden jfreden approved these changes

@n1v0lg n1v0lg Awaiting requested review from n1v0lg

Assignees
No one assigned
Labels
auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) >refactoring :Security/Security Security issues without another label serverless-linked Added by automation, don't add manually Team:Security Meta label for security team v9.3.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@slobodanadamovic @elasticsearchmachine @ywangd @jfreden