Patch Shell class in hdfs to not execute #119189
Shell utility in hdfs tries to execute a local script statically to determine whether setsid is available. With the security manager this doesn't work, but hdfs catches the SecurityException and assumes false. With entitlements this doesn't work since hdfs does not know about our NotEntitledException. This commit reworks the patching of hdfs-client-api to use asm. It then adds patching of hdfs' Shell class to replace the method that tries to execute.
Pinging @elastic/es-core-infra (Team:Core/Infra)
Pinging @elastic/es-delivery (Team:Delivery)
|
||
def outputDir = layout.buildDirectory.dir("patched-classes") | ||
|
||
def patchTask = tasks.register("patchClasses", JavaExec) |
This can be simplified to def patchTask = tasks.register("patchClasses", JavaExec) { // config }
def patchTask = tasks.register("patchClasses", JavaExec) | ||
patchTask.configure { | ||
dependsOn configurations.thejar, sourceSets.patcher.getCompileJavaTaskName() | ||
outputs.dir(outputDir) |
We define outputs but no inputs here. A dependsOn doesn't imply an input, but an input does imply a dependency. Sounds like configurations.thejar and sourceSets.patcher.output should be inputs to this task.
outputs.dir(outputDir) | ||
classpath = sourceSets.patcher.runtimeClasspath | ||
mainClass = 'org.elasticsearch.hdfs.patch.HdfsClassPatcher' | ||
doFirst { |
We should be able to call args() with a Provider to avoid having to do this in a task action.
As discussed, I've kept this as doFirst for now.
dependsOn(configurations.thejar) | ||
duplicatesStrategy = DuplicatesStrategy.EXCLUDE | ||
|
||
from(outputDir) // patch directory first so any files patched are excluded as duplicates |
I'm not completely certain this ordering is deterministic. We should instead explicitly exclude the stuff we are going to patch from the unpacked jar given we know which files these are.
duplicatesStrategy = DuplicatesStrategy.EXCLUDE | ||
|
||
from(outputDir) // patch directory first so any files patched are excluded as duplicates | ||
from(project.zipTree(configurations.thejar.singleFile)) |
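Review bot: With duplicatesStrategy = DuplicatesStrategy.EXCLUDE and these two from(...) calls, a patched class that is missing from outputDir is not an error: the unpatched copy from the zipTree of configurations.thejar is packaged instead and the build still succeeds. Since the patch exists to stop a class from executing a process, consider excluding the patched class files from the zipTree explicitly and failing the task when an expected file is absent from outputDir, so that a dependency upgrade which moves or renames the class cannot silently ship the original.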
This needs to be in a closure otherwise this is going to trigger resolution of this configuration eagerly.
Thanks @mark-vieira, I believe I've addressed everything.
One more minor cleanup and otherwise LGTM.
dependsOn(patchTask) | ||
dependsOn(configurations.thejar) | ||
|
||
from(outputDir) |
I think this can actually just become from(patchTask) which will automatically use the task's outputs and you can remove the dependsOn above.
💚 Backport successful
Shell utility in hdfs tries to execute a local script statically to determine whether setsid is available. With the security manager this doesn't work, but hdfs catches the SecurityException and assumes false. With entitlements hdfs doesn't know about our NotEntitledException, so the exception propagates.
This commit reworks the patching of hdfs-client-api to use asm. It adds patching of hdfs' Shell class to replace the method that tries to execute a process.
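An added example, not code from this pull request: an ASM (org.objectweb.asm) transformer of the kind the description refers to, which replaces one boolean method's body with `return false` so the probe that spawns a process never runs, and which fails when the method is not found. The class name `ReturnFalsePatcher` and the target method name `isSetsidSupported` are assumptions (the page names only hdfs' Shell class), and the ASM library is assumed to be on the classpath.

```java
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration (hypothetical class name): replaces one method body with "return false".
public final class ReturnFalsePatcher {
    // Assumption: the page does not name the method; this is the name and descriptor assumed here.
    static final String METHOD = "isSetsidSupported";
    static final String DESC = "()Z"; // no arguments, returns boolean

    static byte[] patch(byte[] classBytes) {
        ClassReader reader = new ClassReader(classBytes);
        // COMPUTE_MAXS: ASM works out stack and local sizes for the new body.
        ClassWriter writer = new ClassWriter(ClassWriter.COMPUTE_MAXS);
        boolean[] replaced = { false };
        reader.accept(new ClassVisitor(Opcodes.ASM9, writer) {
            @Override
            public MethodVisitor visitMethod(int access, String name, String desc, String sig, String[] exc) {
                MethodVisitor mv = super.visitMethod(access, name, desc, sig, exc);
                if (!METHOD.equals(name) || !DESC.equals(desc)) {
                    return mv; // every other method is copied unchanged
                }
                replaced[0] = true;
                mv.visitCode();
                mv.visitInsn(Opcodes.ICONST_0); // push false
                mv.visitInsn(Opcodes.IRETURN);
                mv.visitMaxs(0, 0);             // values ignored under COMPUTE_MAXS
                mv.visitEnd();
                return null; // null tells ClassReader to skip the original body
            }
        }, 0);
        if (!replaced[0]) {
            // Fail the build rather than ship a class that still spawns a process.
            throw new IllegalStateException("method " + METHOD + DESC + " not found; nothing was patched");
        }
        return writer.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // args[0]: extracted .class file to read, args[1]: where to write the patched class
        Files.write(Path.of(args[1]), patch(Files.readAllBytes(Path.of(args[0]))));
    }
}
```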