translate_ldap_attribute: fix String race during LDAP init#51690
translate_ldap_attribute: fix String race during LDAP init#51690orestisfl wants to merge 1 commit into
Conversation
The translate_ldap_attribute processor lazily initializes its LDAP client and stores the selected LDAP address and base DN back on the processor config while holding clientMu. String read those same fields without synchronization, and String is reachable concurrently through logger fields and processor-group error messages. Store the processor description in an atomic value and make String read that instead of reading the mutable config fields directly. Refresh the description after successful LDAP discovery so logs can still show the discovered address and base DN without making String take clientMu while initialization logging is running. Add race-detector regression coverage with a fake LDAP listener that forces client initialization and concurrent String evaluation.
🤖 GitHub commentsJust comment with:
|
|
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform) |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThe Changes
Sequence Diagram(s)sequenceDiagram
participant Init as newFromConfig
participant Processor as processor
participant EnsureClient as ensureClient
participant Caller as String()
Init->>Processor: storeDescription(config)
Caller->>Processor: description.Load()
EnsureClient->>Processor: storeDescription(discovered config)
Caller->>Processor: description.Load()
Suggested labels: 🚥 Pre-merge checks | ✅ 2✅ Passed checks (2 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR fixes a data race in the translate_ldap_attribute processor caused by concurrent reads of mutable config fields from String() while the LDAP client is lazily initialized.
Changes:
- Store the processor’s
String()description in anatomic.Valueand makeString()read only that value (no mutex acquisition, no reads of mutable config fields). - Refresh the stored description after successful LDAP discovery so logs still reflect the discovered LDAP address/base DN.
- Add a race-detector regression test that forces concurrent
ensureClient()andString()evaluation.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
libbeat/processors/translate_ldap_attribute/translate_ldap_attribute.go |
Removes unsynchronized reads from String() by switching to an atomically stored description string. |
libbeat/processors/translate_ldap_attribute/translate_ldap_attribute_test.go |
Adds a focused -race regression test exercising concurrent client init and String() calls. |
changelog/fragments/1783070300-fix-translate-ldap-attribute-string-race.yaml |
Adds a changelog entry for the race fix. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Proposed commit message
Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration filesstresstest.shscript to run them under stress conditions and race detector to verify their stability../changelog/fragmentsusing the changelog tool.Disruptive User Impact
None.
How to test this PR locally
Run the stress test:
./script/stresstest.sh --race ./libbeat/processors/translate_ldap_attribute '^TestConcurrentClientInitAndString$' -p 16Logs
Without the fix, the focused race test reports the original race: