Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Further optimize check privileges response validation #90631

Merged
merged 5 commits into from
Feb 16, 2021
Merged

Further optimize check privileges response validation #90631

merged 5 commits into from
Feb 16, 2021

Conversation

legrego
Copy link
Member

@legrego legrego commented Feb 8, 2021
edited
Loading

Summary

Followup to #90074

Performs a similar optimization to #90074, but this time for actions instead of resources.

@dgieselaar would you be able to profile this to see if it shows a reasonable improvement based on your testing? Or I'd be happy to do so if you help me get your tooling setup 🙂

@legrego
Copy link
Member Author

legrego commented Feb 8, 2021

@elasticmachine merge upstream

@legrego
Copy link
Member Author

legrego commented Feb 10, 2021

@elasticmachine merge upstream

@legrego legrego added chore release_note:skip Skip the PR/issue when compiling release notes Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.11.1 v7.12.0 v8.0.0 labels Feb 10, 2021
@legrego legrego marked this pull request as ready for review February 10, 2021 17:16
@legrego legrego requested a review from a team as a code owner February 10, 2021 17:16
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego added the auto-backport Deprecated - use backport:version if exact versions are needed label Feb 10, 2021
legrego
legrego commented Feb 10, 2021
View reviewed changes
Copy link
Member Author

@legrego legrego left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Author's notes

x-pack/plugins/security/server/authorization/validate_es_response.ts
const actualActions = Object.keys(value).sort();
if (
actions.length !== actualActions.length ||
![...actions].sort().every((x, i) => x === actualActions[i])
Copy link
Member Author

@legrego legrego Feb 10, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: actions is provided by consumers, so we shouldn't be mutating their copy of the data.

According to this benchmark, using the spread operator is the fastest way to copy an array.

x-pack/plugins/security/server/authorization/validate_es_response.ts
{},
{
unknowns: 'allow',
validate: (value) => {
const actualResources = Object.keys(value).sort();
if (
resources.length !== actualResources.length ||
!resources.sort().every((x, i) => x === actualResources[i])
![...resources].sort().every((x, i) => x === actualResources[i])
Copy link
Member Author

@legrego legrego Feb 10, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: resources is provided by consumers, so we shouldn't be mutating their copy of the data.

According to this benchmark, using the spread operator is the fastest way to copy an array.

@jportner
Copy link
Contributor

@elasticmachine merge upstream

@jportner jportner self-requested a review February 16, 2021 13:51
jportner
jportner approved these changes Feb 16, 2021
View reviewed changes
Copy link
Contributor

@jportner jportner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, one nit below

x-pack/plugins/security/server/authorization/validate_es_response.ts
Comment on lines 27 to +37
function buildValidationSchema(application: string, actions: string[], resources: string[]) {
const actionValidationSchema = buildActionsValidationSchema(actions);
const actionValidationSchema = schema.boolean();
const actionsValidationSchema = schema.object(
{},
{
unknowns: 'allow',
validate: (value) => {
const actualActions = Object.keys(value).sort();
if (
actions.length !== actualActions.length ||
![...actions].sort().every((x, i) => x === actualActions[i])
Copy link
Contributor

@jportner jportner Feb 16, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: FWIW, these changes will cause this validation schema to behave differently (fail) if the consumer passes in any duplicate actions. We only have one consumer, which is already ensuring that actions are unique:

kibana/x-pack/plugins/security/server/authorization/check_privileges.ts

Line 49 in 7fc5613

const allApplicationPrivileges = uniq([actions.version, actions.login, ...kibanaPrivileges]);

May be worth noting this in a TSdoc on the validateEsPrivilegeResponse function, though.

Edit: added in 3026eb8.

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jportner jportner added v7.11.2 and removed v7.11.1 labels Feb 16, 2021
@jportner jportner merged commit d5aea93 into elastic:master Feb 16, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Feb 16, 2021
@legrego @kibanamachine
Further optimize check privileges response validation (elastic#90631)
93b0249
This was referenced Feb 16, 2021
Merged
Merged
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Feb 16, 2021
@legrego @kibanamachine
Further optimize check privileges response validation (elastic#90631)
9c6dd32
@kibanamachine
Copy link
Contributor

💚 Backport successful

7.11 / #91529
7.x / #91530

Successful backport PRs will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Feb 16, 2021
@kibanamachine @legrego
Further optimize check privileges response validation (#90631) (#91529)
fc4faf9 
Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
kibanamachine added a commit that referenced this pull request Feb 16, 2021
@kibanamachine @legrego
Further optimize check privileges response validation (#90631) (#91530)
d41df11 
Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jportner jportner jportner approved these changes

Assignees
No one assigned
Labels
auto-backport Deprecated - use backport:version if exact versions are needed backported chore release_note:skip Skip the PR/issue when compiling release notes Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.11.2 v7.12.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@legrego @elasticmachine @jportner @kibanamachine