in src/main/java/org/opensearch/security/transport/SecurityInterceptor.java [124:209]
public <T extends TransportResponse> void sendRequestDecorate(AsyncSender sender, Connection connection, String action,
TransportRequest request, TransportRequestOptions options, TransportResponseHandler<T> handler) {
final Map<String, String> origHeaders0 = getThreadContext().getHeaders();
final User user0 = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
final String injectedUserString = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER);
final String injectedRolesString = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES);
final String injectedRolesValidationString = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_VALIDATION);
final String origin0 = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN);
final Object remoteAddress0 = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
final String origCCSTransientDls = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_CCS);
final String origCCSTransientFls = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_CCS);
final String origCCSTransientMf = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_CCS);
final boolean isDebugEnabled = log.isDebugEnabled();
try (ThreadContext.StoredContext stashedContext = getThreadContext().stashContext()) {
final TransportResponseHandler<T> restoringHandler = new RestoringTransportResponseHandler<T>(handler, stashedContext);
getThreadContext().putHeader("_opendistro_security_remotecn", cs.getClusterName().value());
final Map<String, String> headerMap = new HashMap<>(Maps.filterKeys(origHeaders0, k->k!=null && (
k.equals(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER)
|| k.equals(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADER)
|| k.equals(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER)
|| k.equals(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER)
|| k.equals(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER)
|| k.equals(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER)
|| k.equals(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER)
|| (k.equals("_opendistro_security_source_field_context") && ! (request instanceof SearchRequest) && !(request instanceof GetRequest))
|| k.startsWith("_opendistro_security_trace")
|| k.startsWith(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER)
)));
if (OpenSearchSecurityPlugin.GuiceHolder.getRemoteClusterService().isCrossClusterSearchEnabled()
&& clusterInfoHolder.isInitialized()
&& (action.equals(ClusterSearchShardsAction.NAME)
|| action.equals(SearchAction.NAME)
)
&& !clusterInfoHolder.hasNode(connection.getNode())) {
if (isDebugEnabled) {
log.debug("remove dls/fls/mf because we sent a ccs request to a remote cluster");
}
headerMap.remove(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER);
headerMap.remove(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER);
headerMap.remove(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER);
}
if (OpenSearchSecurityPlugin.GuiceHolder.getRemoteClusterService().isCrossClusterSearchEnabled()
&& clusterInfoHolder.isInitialized()
&& !action.startsWith("internal:")
&& !action.equals(ClusterSearchShardsAction.NAME)
&& !clusterInfoHolder.hasNode(connection.getNode())) {
if (isDebugEnabled) {
log.debug("add dls/fls/mf from transient");
}
if (origCCSTransientDls != null && !origCCSTransientDls.isEmpty()) {
headerMap.put(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER, origCCSTransientDls);
}
if (origCCSTransientMf != null && !origCCSTransientMf.isEmpty()) {
headerMap.put(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER, origCCSTransientMf);
}
if (origCCSTransientFls != null && !origCCSTransientFls.isEmpty()) {
headerMap.put(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER, origCCSTransientFls);
}
}
if(StringUtils.isNotEmpty(injectedRolesValidationString)
&& OpenSearchSecurityPlugin.GuiceHolder.getRemoteClusterService().isCrossClusterSearchEnabled()
&& !clusterInfoHolder.hasNode(connection.getNode())
&& getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_VALIDATION_HEADER) == null) {
// Sending roles validation for only cross cluster requests
getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_VALIDATION_HEADER, injectedRolesValidationString);
}
getThreadContext().putHeader(headerMap);
ensureCorrectHeaders(remoteAddress0, user0, origin0, injectedUserString, injectedRolesString);
if (isActionTraceEnabled()) {
getThreadContext().putHeader("_opendistro_security_trace"+System.currentTimeMillis()+"#"+UUID.randomUUID().toString(), Thread.currentThread().getName()+" IC -> "+action+" "+getThreadContext().getHeaders().entrySet().stream().filter(p->!p.getKey().startsWith("_opendistro_security_trace")).collect(Collectors.toMap(p -> p.getKey(), p -> p.getValue())));
}
sender.sendRequest(connection, action, request, options, restoringHandler);
}
}