When receiving a transport request, the security plugin relies on getting the version of the node that transmitted the request by calling on channel.getVersion(). When the original TransportChannel is wrapped by PerformanceAnalyzerTransportChannel, there is an issue where the version returned by channel.getVersion() is not accurate and instead gives the version of the node that received the transport request. In a homogenous cluster, that is not an issue, but it is an issue during rolling upgrades when a cluster is mixed.
dblock
commented
3 months ago
When receiving a transport request, the security plugin relies on getting the version of the node that transmitted the request by calling on
channel.getVersion(). When the original TransportChannel is wrapped by PerformanceAnalyzerTransportChannel, there is an issue where the version returned bychannel.getVersion()is not accurate and instead gives the version of the node that received the transport request. In a homogenous cluster, that is not an issue, but it is an issue during rolling upgrades when a cluster is mixed.See more details in the security repo here: https://github.com/opensearch-project/security/issues/3771
The problem is that PA instantiates a PerformanceAnalyzerTransportChannel w/o any args and then sets the original channel in a separate
setcall. Since PerformanceAnalyzerTransportRequestHandler does not overrideTransportChannel.getVersion()and delegate the call to the wrapped original channel, it will instead use the default implementation of TransportChannel.getVersion and return Version.CURRENT of the receiving node.