Shikhar Jain

Results 46 comments of Shikhar Jain

@willyborankin Great work! A couple of questions: what would the behavior be when: 1. A cluster with security disabled is performing a rolling restart to enable security with transport layer...

> @shikharj05 Does @willyborankin's comment address your questions? Since we have 2 approvals we will be merging soon if there are no more questions.

Thanks for the response @willyborankin. @DarshitChanpura...

@DarshitChanpura/ @cwperks - should we open another item to track support for custom ``source_ip_header``?

> @jimishs To be more clear - Invalid requests are pretty common. For example, a request in wrong syntax (could even be caused by a typo or anything) is an invalid...

Yes, this is still not fixed. The [method](https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java#L388) catches ``IOException``; however, the downstream function [can throw](https://github.com/opensearch-project/OpenSearch/blob/a1ef2ebdcf2580499b98c52709965209ad9a0f0c/server/src/main/java/org/opensearch/rest/RestRequest.java#L536-L553) other exceptions as well. The request will not be logged in such cases. @cwperks can...

closing the issue as https://github.com/opensearch-project/security/pull/4232 is merged

I am okay with approach 2. Both modes can be supported together - using default public keys + jwks URL. This should help during migrations as well (without downtime). You...

> that sounds a bit weird to have both in the same auth domain. shouldn't you then instead set up two auth domains, one for JWKS and one for the...

> it does. we have clusters running with multiple JWTs set up (there's no other way to support multiple signers as the JWT config only supports a single public key)....