| Commit message (Collapse) | Author | Age | Files | Lines |
This makes it easy to benchmark whether document rendering is a
bottleneck when visiting. For instance, large floating point tensor
fields are notoriously expensive to render as JSON.
This is more accurate than just redirecting the visit output to
`/dev/null` as that still requires documents to be rendered before
being evicted into the void.
|
Allows for efficient parallelization across multiple visitor
instances, mirroring the existing support in Document V1.
Also clean up some legacy option value parsing code. Note:
changing the parsed type for `maxtotalhits` from `int` to `long`
is intentional; the internal limit is already a `long` and a
cluster may have a lot more than `INT32_MAX` documents.
|
Avoids writing and syncing to disk for every bucket updated.
Instead, write every 10 seconds and at process shutdown.
|
JSONL output is enabled via new `--jsonl` argument. Mutually
exclusive with `--jsonoutput` and (deprecated) `--xmloutput`.
|
Implements a protocol for delegated access to a shared secret key
of a token whose private key we do not possess. This builds directly
on top of the existing token resealing mechanisms.
The primary benefit of the resealing protocol is that none of the
data exchanged can reveal anything about the underlying secret.
Security note: neither resealing requests nor responses are explicitly
authenticated (this is a property inherited from the sealed shared
key tokens themselves). It is assumed that an attacker can observe
all requests and responses in transit, but cannot modify them.
|
timeout to builder.
|
Allows container-apache-http-client-bundle to be used on classpath for classic fatjars.
Since the bundle is now built with Felix's bundle plugin, there is no need
to depend on jdisc_core or manually export through `@PublicApi` annotations.
|
Define installed JARs in vespa-3party-jars. Add bundle-plugin goal
wrapping maven-shade-plugin's DefaultShader that excludes installed JARs
and lists them in manifest's Class-Path instead.
|
This is to get around the limitation where AES GCM can only produce
a maximum of 64 GiB of ciphertext for a particular <key, IV> pair before
its security properties break down. ChaCha20-Poly1305 does not have any
practical limitations here.
ChaCha20-Poly1305 uses a 256-bit key whereas the shared key is 128 bits.
An HKDF is used to internally expand the key material to 256 bits.
To let token based decryption be fully backwards compatible, introduce
a token version 2. V1 tokens will be decrypted with AES-GCM 128, while
V2 tokens use ChaCha20-Poly1305.
As a bonus, cryptographic operations will generally be _faster_ after
this cipher change, as we use BouncyCastle ciphers and these do not use
any native AES instructions. ChaCha20-Poly1305 is usually considerably
faster when running without specialized hardware support. An ad-hoc
experiment with a large ciphertext showed a near 70% performance increase
over AES-GCM 128.
|
Simplifies working with compressed plaintext, as it removes the need
for piping via `unzstd` or using a temporary file.
|
Time to let the old one go.
|
Makes it easier to include an explicit key version as part of the ID.
|
|
GC unused security-tools
|
`tensor-short-form` -> `shorttensors` to be in line with existing
option formatting.
|
Specified with `--tensor-short-form`. No single-char option alias,
as short form output will be the default on Vespa 9 and we're running
out of usable option characters for this tool anyway.
|
common jar file.
|
are explicitly excluded by container-dev
|
excludes...
|
com.yahoo.search.query.profile.DumpTool:wq.
|
Useful when the script is run in a context where `VESPA_HOME` is not
set. Should work both if the script is invoked directly or through a
symbolic link.
|
Avoids having to use a file indirection for inputting a private key.
Only available when the JVM is running under an interactive console
and none of the input/output files use standard streams.
|
Lets a user specify a private key directory either with a command
line argument or via an environment variable. If a directory is
provided, an attempt will be made to auto-resolve the private key
to use based on the key ID stored in the token. This only applies if
the key ID is comprised of exclusively path-safe characters.
|
This resolves two issues:
* `javax.crypto.OutputCipherStream` swallows MAC tag mismatch exceptions
when the stream is closed, which means that corruptions (intentional
or not) are not caught. This is documented behavior, but still very
surprising and a rather questionable default. BC's interchangeable
`CipherOutputStream` throws as expected. To avoid regressions, add an
explicit test that both ciphertext and MAC tag corruptions are propagated.
* The default-provided `AES/GCM/NoPadding` `Cipher` instance will not emit
decrypted plaintext per `update()` chunk, but buffer everything until
`doFinal()` is invoked when the stream is closed. This means that decrypting
very large ciphertexts can blow up memory usage since internal output
buffers are reallocated and increased per iteration...! Instead use an
explicit BC `GCMBlockCipher` which has the expected behavior (and actually
lets cipher streams, well, _stream_). Add an `AeadCipher` abstraction to
avoid leaking BC APIs outside the security module.