BACKPORT Deprecate timeout.tcp_read AD/LDAP realm setting (#47305) #51550
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The timeout.tcp_read AD/LDAP realm setting, despite the low-level allusion, controls the time interval the realms wait for a response for a query (search or bind). If the connection to the server is synchronous (un-pooled) the response timeout is analogous to the tcp read timeout. But the tcp read timeout is irrelevant in the common case of a pooled connection (when a Bind DN is specified). The timeout.tcp_read qualifier is hereby deprecated in favor of timeout.response. In addition, the default value for both timeout.tcp_read and timeout.response is that of timeout.ldap_search, instead of the 5s (but the default for timeout.ldap_search is still 5s). The timeout.ldap_search defines the server-controlled timeout of a search request. There is no practical use case to have a smaller tcp_read timeout compared to ldap_search (in this case the request would time-out on the client but continue to be processed on the server). The proposed change aims to simplify configuration so that the more common configuration change, adjusting timeout.ldap_search up, has the expected result (no timeout during searches) without any additional modifications. Closes elastic#46028
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #47305
The timeout.tcp_read AD/LDAP realm setting, despite the low-level
allusion, controls the time interval the realms wait for a response for
a query (search or bind). If the connection to the server is synchronous
(un-pooled) the response timeout is analogous to the tcp read timeout.
But the tcp read timeout is irrelevant in the common case of a pooled
connection (when a Bind DN is specified).
The timeout.tcp_read qualifier is hereby deprecated in favor of
timeout.response.
In addition, the default value for both timeout.tcp_read and
timeout.response is that of timeout.ldap_search, instead of the 5s (but
the default for timeout.ldap_search is still 5s). The
timeout.ldap_search defines the server-controlled timeout of a search
request. There is no practical use case to have a smaller tcp_read
timeout compared to ldap_search (in this case the request would time-out
on the client but continue to be processed on the server). The proposed
change aims to simplify configuration so that the more common
configuration change, adjusting timeout.ldap_search up, has the expected
result (no timeout during searches) without any additional
modifications.
Closes #46028