Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing

CHANGELOG.md

@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased 3.x]
 
+### Changed
+- Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing ([#5396](https://github.com/opensearch-project/security/pull/5396))
 ### Features
 
 * Introduced new experimental versioned security configuration management feature ([#5357] (https://github.com/opensearch-project/security/pull/5357))

src/integrationTest/java/org/opensearch/security/rest/WhoAmITests.java

@@ -179,7 +179,7 @@ public void testAuditLogSimilarityWithTransportLayer() {
             assertThat(client.get("_cat/indices").getStatusCode(), equalTo(HttpStatus.SC_OK));
 
             // transport layer audit messages
-            auditLogsRule.assertExactly(1, grantedPrivilege(AUDIT_LOG_VERIFIER, "GetSettingsRequest"));
+            auditLogsRule.assertAtLeast(1, grantedPrivilege(AUDIT_LOG_VERIFIER, "GetSettingsRequest"));
 
             List<AuditMessage> grantedPrivilegesMessages = auditLogsRule.getCurrentTestAuditMessages()
                 .stream()

src/integrationTest/java/org/opensearch/test/framework/audit/AuditLogsRule.java

@@ -15,6 +15,7 @@
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
+import org.apache.commons.collections4.ListUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.awaitility.Awaitility;
@@ -66,9 +67,7 @@ public void assertExactlyOne(Predicate<AuditMessage> predicate) {
     }
 
     public void assertExactlyScanAll(long expectedNumberOfAuditMessages, Predicate<AuditMessage> predicate) {
-        List<AuditMessage> auditMessages = new ArrayList<>(currentTestAuditMessages);
-        auditMessages.addAll(currentTransportTestAuditMessages);
-        assertExactly(exactNumberOfAuditsFulfillPredicate(expectedNumberOfAuditMessages, predicate), auditMessages);
+        assertExactly(exactNumberOfAuditsFulfillPredicate(expectedNumberOfAuditMessages, predicate));
 
     }
 
@@ -79,23 +78,23 @@ public void assertAuditLogsCount(int from, int to) {
     }
 
     public void assertExactly(long expectedNumberOfAuditMessages, Predicate<AuditMessage> predicate) {
-        assertExactly(exactNumberOfAuditsFulfillPredicate(expectedNumberOfAuditMessages, predicate), currentTestAuditMessages);
+        assertExactly(exactNumberOfAuditsFulfillPredicate(expectedNumberOfAuditMessages, predicate));
     }
 
-    private void assertExactly(Matcher<List<AuditMessage>> matcher, List<AuditMessage> currentTestAuditMessages) {
+    private void assertExactly(Matcher<List<AuditMessage>> matcher) {
         // pollDelay - initial delay before first evaluation
         Awaitility.await("Await for audit logs")
             .atMost(3, TimeUnit.SECONDS)
             .pollDelay(0, TimeUnit.MICROSECONDS)
-            .until(() -> new ArrayList<>(currentTestAuditMessages), matcher);
+            .until(() -> ListUtils.union(currentTestAuditMessages, currentTransportTestAuditMessages), matcher);
     }
 
     public void assertAtLeast(long minCount, Predicate<AuditMessage> predicate) {
-        assertExactly(atLeastCertainNumberOfAuditsFulfillPredicate(minCount, predicate), currentTestAuditMessages);
+        assertExactly(atLeastCertainNumberOfAuditsFulfillPredicate(minCount, predicate));
     }
 
     public void assertAtLeastTransportMessages(long minCount, Predicate<AuditMessage> predicate) {
-        assertExactly(atLeastCertainNumberOfAuditsFulfillPredicate(minCount, predicate), currentTransportTestAuditMessages);
+        assertExactly(atLeastCertainNumberOfAuditsFulfillPredicate(minCount, predicate));
     }
 
     private static String auditMessagesToString(List<AuditMessage> audits) {

src/main/java/org/opensearch/security/filter/SecurityRestFilter.java

@@ -29,6 +29,7 @@
 import java.nio.file.Path;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.regex.Pattern;
@@ -63,7 +64,6 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.HTTPHelper;
 import org.opensearch.security.user.User;
-import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.client.node.NodeClient;
 
@@ -72,6 +72,7 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_INITIATING_USER;
+import static org.opensearch.security.support.ConfigConstants.OPENSEARCH_SECURITY_REQUEST_HEADERS;
 
 public class SecurityRestFilter {
 
@@ -138,10 +139,13 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
 
             NettyAttribute.popFrom(request, Netty4HttpRequestHeaderVerifier.CONTEXT_TO_RESTORE).ifPresent(storedContext -> {
                 // X_OPAQUE_ID will be overritten on restore - save to apply after restoring the saved context
-                final String xOpaqueId = threadContext.getHeader(Task.X_OPAQUE_ID);
+                final Map<String, String> tmpHeaders = threadContext.getHeaders();
                 storedContext.restore();
-                if (xOpaqueId != null) {
-                    threadContext.putHeader(Task.X_OPAQUE_ID, xOpaqueId);
+                for (Map.Entry<String, String> header : tmpHeaders.entrySet()) {
+                    threadContext.putHeader(header.getKey(), header.getValue());
+                }
+                if (!tmpHeaders.isEmpty()) {
+                    threadContext.putHeader(OPENSEARCH_SECURITY_REQUEST_HEADERS, String.join(",", tmpHeaders.keySet()));
                 }
             });
 

src/main/java/org/opensearch/security/support/ConfigConstants.java

@@ -43,6 +43,7 @@
 public class ConfigConstants {
 
     public static final String OPENDISTRO_SECURITY_CONFIG_PREFIX = "_opendistro_security_";
+    public static final String OPENSEARCH_SECURITY_CONFIG_PREFIX = "_opensearch_security_";
     public static final String SECURITY_SETTINGS_PREFIX = "plugins.security.";
 
     public static final String OPENSEARCH_SECURITY_DISABLED = SECURITY_SETTINGS_PREFIX + "disabled";
@@ -79,6 +80,7 @@ public class ConfigConstants {
     public static final String OPENDISTRO_SECURITY_MASKED_FIELD_CCS = OPENDISTRO_SECURITY_CONFIG_PREFIX + "masked_fields_ccs";
 
     public static final String OPENDISTRO_SECURITY_CONF_REQUEST_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX + "conf_request";
+    public static final String OPENSEARCH_SECURITY_REQUEST_HEADERS = OPENSEARCH_SECURITY_CONFIG_PREFIX + "request_headers";
 
     public static final String OPENDISTRO_SECURITY_REMOTE_ADDRESS = OPENDISTRO_SECURITY_CONFIG_PREFIX + "remote_address";
     public static final String OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX + "remote_address_header";

src/main/java/org/opensearch/security/transport/SecurityInterceptor.java

@@ -27,9 +27,12 @@
 package org.opensearch.security.transport;
 
 import java.io.IOException;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
@@ -64,6 +67,7 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.user.User;
 import org.opensearch.security.user.UserFactory;
+import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.Transport.Connection;
 import org.opensearch.transport.TransportException;
@@ -158,6 +162,14 @@ public <T extends TransportResponse> void sendRequestDecorate(
         final boolean isDebugEnabled = log.isDebugEnabled();
 
         final boolean isSameNodeRequest = localNode != null && localNode.equals(connection.getNode());
+        final Set<String> requestHeadersToCopy = new HashSet<>();
+        if (getThreadContext().getHeader(ConfigConstants.OPENSEARCH_SECURITY_REQUEST_HEADERS) != null) {
+            Collections.addAll(
+                requestHeadersToCopy,
+                getThreadContext().getHeader(ConfigConstants.OPENSEARCH_SECURITY_REQUEST_HEADERS).split(",")
+            );
+            requestHeadersToCopy.remove(Task.X_OPAQUE_ID); // Special case where this header is preserved during stashContext.
+        }
 
         try (ThreadContext.StoredContext stashedContext = getThreadContext().stashContext()) {
             final TransportResponseHandler<T> restoringHandler = new RestoringTransportResponseHandler<T>(handler, stashedContext);
@@ -178,11 +190,13 @@ public <T extends TransportResponse> void sendRequestDecorate(
                             || k.equals(ConfigConstants.OPENDISTRO_SECURITY_FILTER_LEVEL_DLS_DONE)
                             || k.equals(ConfigConstants.OPENDISTRO_SECURITY_DLS_MODE_HEADER)
                             || k.equals(ConfigConstants.OPENDISTRO_SECURITY_DLS_FILTER_LEVEL_QUERY_HEADER)
+                            || k.equals(ConfigConstants.OPENSEARCH_SECURITY_REQUEST_HEADERS)
                             || (k.equals("_opendistro_security_source_field_context")
                                 && !(request instanceof SearchRequest)
                                 && !(request instanceof GetRequest))
                             || k.startsWith("_opendistro_security_trace")
-                            || k.startsWith(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER))
+                            || k.startsWith(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER)
+                            || requestHeadersToCopy.contains(k))
                 )
             );