shield: only restore the original if we forcefully replaced it
Original commit: elastic/x-pack-elasticsearch@347a4dba3f
parent
19545596cf
commit
1b4bac8203
|
@ -13,6 +13,7 @@ import org.elasticsearch.action.search.SearchResponse;
|
|||
import org.elasticsearch.action.search.SearchScrollRequest;
|
||||
import org.elasticsearch.action.support.ActionFilter;
|
||||
import org.elasticsearch.action.support.ActionFilterChain;
|
||||
import org.elasticsearch.common.Nullable;
|
||||
import org.elasticsearch.common.component.AbstractComponent;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
@ -87,7 +88,6 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte
|
|||
throw LicenseUtils.newComplianceException(ShieldPlugin.NAME);
|
||||
}
|
||||
|
||||
final ThreadContext.StoredContext original = threadContext.newStoredContext();
|
||||
try {
|
||||
if (licenseState.securityEnabled()) {
|
||||
// FIXME yet another hack. Needed to work around something like
|
||||
|
@ -121,6 +121,7 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte
|
|||
at java.lang.Thread.run(Thread.java:745)
|
||||
*/
|
||||
if (INTERNAL_PREDICATE.test(action)) {
|
||||
final ThreadContext.StoredContext original = threadContext.newStoredContext();
|
||||
try (ThreadContext.StoredContext ctx = threadContext.stashContext()) {
|
||||
String shieldAction = actionMapper.action(action, request);
|
||||
User user = authcService.authenticate(shieldAction, request, User.SYSTEM);
|
||||
|
@ -159,12 +160,11 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte
|
|||
interceptor.intercept(request, user);
|
||||
}
|
||||
}
|
||||
chain.proceed(task, action, request, new SigningListener(this, listener, original));
|
||||
chain.proceed(task, action, request, new SigningListener(this, listener, null));
|
||||
} else {
|
||||
chain.proceed(task, action, request, listener);
|
||||
}
|
||||
} catch (Throwable t) {
|
||||
original.restore();
|
||||
listener.onFailure(t);
|
||||
}
|
||||
}
|
||||
|
@ -232,7 +232,7 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte
|
|||
private final ActionListener innerListener;
|
||||
private final ThreadContext.StoredContext threadContext;
|
||||
|
||||
private SigningListener(ShieldActionFilter filter, ActionListener innerListener, ThreadContext.StoredContext threadContext) {
|
||||
private SigningListener(ShieldActionFilter filter, ActionListener innerListener, @Nullable ThreadContext.StoredContext threadContext) {
|
||||
this.filter = filter;
|
||||
this.innerListener = innerListener;
|
||||
this.threadContext = threadContext;
|
||||
|
@ -240,7 +240,9 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte
|
|||
|
||||
@Override @SuppressWarnings("unchecked")
|
||||
public void onResponse(Response response) {
|
||||
threadContext.restore();
|
||||
if (threadContext != null) {
|
||||
threadContext.restore();
|
||||
}
|
||||
try {
|
||||
response = this.filter.sign(response);
|
||||
innerListener.onResponse(response);
|
||||
|
@ -251,7 +253,9 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte
|
|||
|
||||
@Override
|
||||
public void onFailure(Throwable e) {
|
||||
threadContext.restore();
|
||||
if (threadContext != null) {
|
||||
threadContext.restore();
|
||||
}
|
||||
innerListener.onFailure(e);
|
||||
}
|
||||
}
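Review bot: The `null` passed in `chain.proceed(task, action, request, new SigningListener(this, listener, null));` is a security-relevant sentinel, yet neither the call site nor the `@Nullable` constructor parameter explains it. It appears to mean that this path never replaced the caller's context with the SYSTEM user, so there is nothing to restore; that rule is currently written down only in the commit title. I would add `// context was not replaced with the SYSTEM user on this path, nothing to restore` above the call, plus a constructor Javadoc line saying that a non-null stored context is restored before the inner listener runs. The field holds a `StoredContext` but is still named `threadContext`; a name such as `originalContext` would make the `if (threadContext != null)` guards in `onResponse` and `onFailure` easier to read. The internal branch's own `chain.proceed` call lies outside the visible hunks, so confirm it still passes `original`.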
|
||||
|
|
|
@ -78,11 +78,11 @@ public class ShieldServerTransportService extends TransportService {
|
|||
|
||||
@Override
|
||||
public <T extends TransportResponse> void sendRequest(DiscoveryNode node, String action, TransportRequest request, TransportRequestOptions options, TransportResponseHandler<T> handler) {
|
||||
final ThreadContext.StoredContext original = threadPool.getThreadContext().newStoredContext();
|
||||
// FIXME this is really just a hack. What happens is that we send a request and we always copy headers over
|
||||
// Sometimes a system action gets executed like a internal create index request or update mappings request
|
||||
// which means that the user is copied over to system actions and these really fail for internal things...
|
||||
if ((clientFilter instanceof ClientTransportFilter.Node) && INTERNAL_PREDICATE.test(action)) {
|
||||
final ThreadContext.StoredContext original = threadPool.getThreadContext().newStoredContext();
|
||||
try (ThreadContext.StoredContext ctx = threadPool.getThreadContext().stashContext()) {
|
||||
try {
|
||||
clientFilter.outbound(action, request);
|
||||
|
@ -94,7 +94,7 @@ public class ShieldServerTransportService extends TransportService {
|
|||
} else {
|
||||
try {
|
||||
clientFilter.outbound(action, request);
|
||||
super.sendRequest(node, action, request, options, new ContextRestoreResponseHandler<>(original, handler));
|
||||
super.sendRequest(node, action, request, options, handler);
|
||||
} catch (Throwable t) {
|
||||
handler.handleException(new TransportException("failed sending request", t));
|
||||
}
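Review bot: In the `else` branch the handler is now passed through unwrapped, `super.sendRequest(node, action, request, options, handler);`, so the response handler runs with whatever thread context the completing thread carries. Whether the base `TransportService.sendRequest` restores the sender's context itself is not visible here; if it does not, the caller's authentication headers may not be in place when `handler` runs. I would confirm this with a test that checks the context seen by the handler for a non-internal action, and record the reasoning in a comment such as `// context untouched on this path; no restore wrapper needed`. The internal branch's `sendRequest` call lies outside the visible hunks.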
|
||||
|
|