Move HTTP content aggregation from Netty into RestController

[mhl-b]

Netty HTTP content aggregator appears to be not flexible for our needs. In some cases, like bulk API we need to bypass aggregation, and Netty's aggregator does not have any memory safety, like backpressure or circuit breaker. That means we always aggregate requests fully and occasionally run OOM.

This change moves aggregation from the Netty module into Server module, RestController. That means in netty code we no longer deal with fully aggregated requests and everything is a stream of chunks. RestController aggregates chunks when RestHandler indicates that stream is not supported via new flag. Opens up opportunity to apply backpressure/circuit-breaker per chunk basis for all REST handlers. Also simplifies implementation of new streaming handlers.

Once RestHandler is resolved in RestController we check if it supports stream content. If stream is supported then request proceeds to the Handler. If stream is not supported a new RestContentAggregator aggregates chunks, then replaces content of the RestRequest with aggregated content.

PR touches many files but essentially changes are:

• Removal of Netty4HttpAggregator and Bulk API predicates from Netty pipeline.
• Addition of RestContentAggregator and support for HTTP content replacement.
• Adjusting integ tests in netty and security modules to consume stream (AggregatingDispatcher) and not leak buffers.

closes #120746

[mhl-b]

Changing mutability for the HTTP request body, I need to swap stream with full content after aggregation. References to original HTTP request spread roots too deep.

[nicktindall]

Nice tidy up, I will leave to the other reviewers to approve because they have more context, but LGTM

[nicktindall]

Should we log an error here just in case it somehow happens in prod?

[nicktindall]

Is it worth making new ReleasableBytesReference[0] a constant to avoid the allocation? Or will the compiler be clever enough to do that I wonder.

[mhl-b]

I think it is smart enough to skip extra allocation. It still allocates array of the list size. Would be nice to have CompositeBytesReference.of(List<Chunks>).

[nicktindall]

Nit: do we use the circuitBreakerService in here? it doesn't look like it

[mhl-b]

My intention was to include CB in this PR. So I've done basic plumbing. But scope of CB appears fairly large. I will leave it as it is. CB will work as before, we fully aggregate content and then try breaker.

[mhl-b]

Before, oversized requests that fail auth will be rejected at netty aggregator with size exception. Right now it will go through to the RestController, controller will send a response based on auth exception and close(discard) stream.

I think it's ok to have Auth exception with higher precedence than content size. But I think there is a possibility for an evil request with extremely large content that will be discarded, but we want to close channel sooner, rather than discarding content. If we want to keep previous behaviour I need to adjust Netty4HttpContentSizeHandler.

[mhl-b]

@DaveCTurner CI has been happy last 3 runs, with minor test fixes. It's ready for review. I will address audit logging in following PR if this one passes.

[elasticsearchmachine]

Pinging @elastic/es-distributed-coordination (Team:Distributed Coordination)

[elasticsearchmachine]

Hi @mhl-b, I've created a changelog YAML for you.

[DaveCTurner]

I like it. I haven't quite finished reviewing the changes in detail but have left some comments from my first pass through.

[DaveCTurner]

Can we leak-track these things?

Suggested change

	return new ReleasableBytesReference(randomBytesReference(length), new AbstractRefCounted() {
	@Override
	protected void closeInternal() {
	}
	});
	return new ReleasableBytesReference(randomBytesReference(length), LeakTracker.wrap(AbstractRefCounted.of(() -> {})));

[mhl-b]

:)

        return new ReleasableBytesReference(randomBytesReference(length), LeakTracker.wrap(new AbstractRefCounted() {
            @Override
            protected void closeInternal() {}
        }));

[DaveCTurner]

Can we assert this?

Suggested change

	public void dispatchAggregatedRequest(RestRequest restRequest, RestChannel restChannel, ThreadContext threadContext) {}
	public void dispatchAggregatedRequest(RestRequest restRequest, RestChannel restChannel, ThreadContext threadContext) {
	assert restRequest.isStreamedContent() == false;
	}

[DaveCTurner]

I'm suspicious about this, are you sure we need it? I'd rather we only exposed the length of an aggregated body. My worry is that code which is processing a streaming body shouldn't be dependent on the content length since it's not always available, but with this lenience we might end up not covering the unavailable-length case properly in tests.

[mhl-b]

Agree. This is only used for the circuit breaker estimation. I can remove whole content-length changes, I don't think it's essential for this PR.

[mhl-b]

Removed content-length changes c7bb930

[mhl-b]

Added hasContent to the HTTP request, we need to know if content is present before aggregation happens, so I'm keeping logic for headers check. 34e8881

[DaveCTurner]

I don't understand this comment. If dispatchRequest is expected not to throw anything, should we assert false : e here?

[mhl-b]

Not well written by me. It's a bit tricky. dispatchRequest catches errors and tries to send error response. But sending error response might fail too, at least we have a test that does that by injecting failure into sendResponse path, not sure that production code can throw there. Failing to send response can only go to the error log.
Cannot re-throw Exception without wrapping into RuntimeException but that mess up error handling. "Cannot" means the whole chain need to have throw Exception signature which is pretty large.

[mhl-b]

Looking at this again, wrapping into RuntimeException might be a right thing to do. Let it bubble up to the pipelining http error handler. This will properly close channel.

[mhl-b]

Rethrow exception 43bf06a

[DaveCTurner]

naming nit:

Suggested change

	private AggregationChunkHandler(RestRequest restRequest, Consumer<RestRequest> result) {
	private AggregationChunkHandler(RestRequest restRequest, Consumer<RestRequest> resultConsumer) {

[DaveCTurner]

If closed mid-aggregation, do we need some way to notify the handler? Conversely, if we got to the end of the aggregation, could we release the chunks earlier? AIUI we close the request when starting to send the response, which seems much later than necessary.

[mhl-b]

If closed mid-aggregation, do we need some way to notify the handler?

I don't think so. Handlers that handle whole content shouldn't bother about incomplete requests. Thats the whole point of aggregation, keep it simple downstream, right?

Conversely, if we got to the end of the aggregation, could we release the chunks earlier?

We release chunks at prepareRequest, if you remember we changed that few months ago 7aa07f1. This close handler is for premature termination.

[DaveCTurner]

assert false here too? This'd be a bug right? Although there's only 4 implementing classes (plus a few subclasses) so I'd prefer not to have a default implementation.

[DaveCTurner]

Is this true? What requests might not have a Content-Length or Transfer-Encoding header exactly? I thought that'd not be allowed in HTTP/1.1, and in HTTP/1.0 a request without a Content-Length header would have a body that is terminated by the connection close.

[mhl-b]

What requests might not have a Content-Length or Transfer-Encoding header exactly?

For example GET request without body is allowed to not have either.

https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6-5

A user agent SHOULD NOT send a Content-Length header field when the request message does not contain content and the method semantics do not anticipate such data.

This if-condition might not be very precise, but it's practical. When Transfer-Encoding is present it is very likely chunked. And in this case Content-Length should be omitted. But if none of them present it should be zero length content.

[mhl-b]

Replaced with hasContent 34e8881

[DaveCTurner]

Can we assert that we only ever replace a streaming body with a fully-aggregated body?

[mhl-b]

body.asFull(); includes assertion

[DaveCTurner]

Sure, but can we also check that this.content is not already a fully-aggregated body?

[elasticsearchmachine]

Hi @mhl-b, I've updated the changelog YAML for you.

[DaveCTurner]

One further comment on supporting contentLength() on a streaming request, and a few nits, otherwise this looks good to go.

[DaveCTurner]

readability nit: this has to happen before the ctx::read above; of course it does today because we're already on the event loop so the dispatched ctx::read happens after this method returns but still it's confusing to write them in this order.

[DaveCTurner]

nit: probably a mistake to expose the released flag to the public

Suggested change

	public Netty4HttpRequest(
	private Netty4HttpRequest(

[DaveCTurner]

nit: may as well carry on chaining the addLast calls

Suggested change

	});
	ch.pipeline().addLast(new Netty4HttpContentSizeHandler(decoder, handlingSettings.maxContentLength()));
	})
	.addLast(new Netty4HttpContentSizeHandler(decoder, handlingSettings.maxContentLength()));

[DaveCTurner]

I still think this is trappy, I'd much prefer it remained an error to call contentLength on a streaming request.

[DaveCTurner]

We need to assert that the consumer is invoked, otherwise this will pass if aggregate doesn't. Also can we assertSame?

[DaveCTurner]

LGTM