-
Notifications
You must be signed in to change notification settings - Fork 284
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert Optimized Privilege Evaluation (#4380) on main #5002
Conversation
…ntegrationTest package (opensearch-project#4943)" This reverts commit 7ae045c. Signed-off-by: Craig Perkins <cwperx@amazon.com>
This reverts commit 3c635c9. Signed-off-by: Craig Perkins <cwperx@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @nibix for promptly raising the new PR and thanks Craig for raising this revert!
I can only join now the conversation, as I was mostly offline for new years celebrations over the previous three days. I am a bit surprised by this. To be honest, the new plan cited by @cwperks is not entirely clear to me. This has several reasons (see also #4898 (comment)):
|
@nibix, I think we should meet again (sooner) to close on this. I will leave my 2 cents on the mental model for taking this path. I'll let Craig reply on how it helps his group to move faster. IMO, If a PR is merged in Initially we had an impression that when we merge #4998 into
Even if there was not a strong reason of "potentially impact to development processes", I would prefer merging it to 2.19 followed by a clean merge to Thanks for pointing out the alpha and beta release strategy starting 3.0. I agree with you that we can shield new changes using the strategy. DLS/ FLS changes would be a good starting point? For privileged evaluation part, I think 3.0 would be too late and we still should target it for 2.19. |
When it comes time for the 3.0 release, my understanding is that a new branch will be cut from main called There are 2 in-flight projects that hit the authorization path that will need to be doubly implemented to support both the legacy authz code path and the new authz code path with ActionPrivileges:
|
Thanks for the replies! Yes, let's have a meeting soon. I am flexible both on Monday and Tuesday. Feel free to suggest a time :)
The code change will dramatically reduce code quality.
The trouble is that we are not talking about "just a feature", but about the core, which has tight coupling to many other parts. Please do not get me wrong: I do understand your goals and if we do not find any other way, we can do all this; but as I am also here a maintainer, I need to point out that this solution has issues from a maintenance point of view.
Not necessarily. There's a proposal to change this: opensearch-project/.github#251 |
Closing this in favor of the plan outlined in #5013 |
Description
This PR reverts 2 PRs on main:
Discussion on this can be found on the Backport 2.x PR here: #4898
Given the sweeping nature of this change, there is a new plan for rollout to gate the new ActionPrivileges functionality behind a feature flag and temporarily support legacy privilege evaluation (iteration through roles + indices) vs. optimized (constant-time) privilege evaluation. @nibix has opened up a PR to introduce ActionPrivileges only and gate it behind a feature flag: #4998. Note: This PR is currently targeted to 2.x, but plan is to rebase and get it into main to minimize differences between main and 2.x branches for maintenance.
The PR being reverted includes more performance improvements around DLS/FLS/Field Masking that remove the need for carrying FLS/DLS/Field Masking rules in ThreadContext headers. These changes are not included in #4998 and will need to be done independently in a future PR.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.