Deprecate and remove plugins.security.privileges_evaluation.use_legacy_impl feature flag #5013

Open
cwperks opened this issue Jan 8, 2025 · 1 comment
Labels
enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

cwperks commented Jan 8, 2025

Opening up this issue to track the full release for Optimized Privilege Evaluation that contains 2 major improvements:

  1. Constant-Time Privilege Evaluation for actions that does not involve iterating over roles and permissions
  2. FLS/DLS/FieldMasking Improvements: Removal of the usage of ThreadContext headers for the implementation of DLS/FLS/FieldMasking which causes performance issues due to ser/de of sometimes large data structures for certain cluster configurations

This PR also makes many data structures immutable for additional performance and safety gains.

Because of the large nature of this change, a decision has been made to introduce a feature flag (plugins.security.privileges_evaluation.use_legacy_impl) when backporting to 2.x to give more control to operators to choose to use this new style of authorization or whether to continue using the style of authorization performed in all previous releases based on iterating through roles. (See Backport 2.x PR). This backport only includes the improvements introduced by 1), but not by 2) because of the complexity in maintaining this feature flag for the improvements introduced by 2).

This issue should remain open until plugins.security.privileges_evaluation.use_legacy_impl is fully removed and all benefits provided by #4380 are fully included in an official release.

As of the opening of this issue, the current plan is to include #4998 in the upcoming 2.19 release. Since there are 2 code paths for authorization, maintainers of this repo may need to doubly implement authorization logic for new features under both code paths in order for the feature to work regardless of the value of the plugins.security.privileges_evaluation.use_legacy_impl setting.

Ideally, this feature flag is kept for a couple of minor versions. Given that there is a proposal for the 2.19 release to be the last 2.x release, it may be necessary to forward port #4998 to the 3.x branch after 3.x has been cut to include it in the initial 3.x release(s) before it can be fully removed.

@cwperks cwperks added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 8, 2025
cwperks commented Jan 8, 2025

@kumargu @nibix Capturing the discussion in this tracking issue. This issue will track the removal of the feature flag.

@cwperks cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 13, 2025