Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch Shell class in hdfs to not execute #119189

Merged
merged 11 commits into from
Dec 23, 2024

Conversation

rjernst
Copy link
Member

@rjernst rjernst commented Dec 21, 2024

Shell utility in hdfs tries to execute a local script statically to determine whether setsid is available. With the security manager this doesn't work, but hdfs catches the SecurityException and assumes false. With entitlements hdfs doesn't know about our NotEntitledException, so the exception propagates.

This commit reworks the patching of hdfs-client-api to use asm. It adds patching of hdfs' Shell class to replace the method that tries to execute a process.

Shell utility in hdfs tries to execute a local script statically to
determine whether setsid is available. With the security manager this
doesn't work, but hdfs catches the SecurityException and assumes false.
With entitlements this doesn't work since hdfs does not know about our
NotEntitledException.

This commit reworks the patching of hdfs-client-api to use asm. It then
adds patching of hdfs' Shell class to replace the method that tries to
execute.
@rjernst rjernst added :Delivery/Build Build or test infrastructure :Core/Infra/Core Core issues without another label >refactoring test-entitlements Trigger CI checks using security manager replacement labels Dec 21, 2024
@elasticsearchmachine elasticsearchmachine added v9.0.0 Team:Core/Infra Meta label for core/infra team Team:Delivery Meta label for Delivery team labels Dec 21, 2024
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@rjernst rjernst requested a review from mark-vieira December 23, 2024 15:45

def outputDir = layout.buildDirectory.dir("patched-classes")

def patchTask = tasks.register("patchClasses", JavaExec)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be simplified to def patchTask = tasks.register("pachClasses, JavaExec) { // config }

def patchTask = tasks.register("patchClasses", JavaExec)
patchTask.configure {
dependsOn configurations.thejar, sourceSets.patcher.getCompileJavaTaskName()
outputs.dir(outputDir)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We define outputs but no inputs here. A dependsOn doesn't imply an input, but an input does imply a dependency.

Sounds like configurations.thejar and sourcesets.patcher.output should be inputs to this task.

outputs.dir(outputDir)
classpath = sourceSets.patcher.runtimeClasspath
mainClass = 'org.elasticsearch.hdfs.patch.HdfsClassPatcher'
doFirst {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should be able to call args() with a Provider to avoid having to do this in a task action.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed, I've kept this as doFirst for now.

dependsOn(configurations.thejar)
duplicatesStrategy = DuplicatesStrategy.EXCLUDE

from(outputDir) // patch directory first so any files patched are excluded as duplicates
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not completely certain this ordering is deterministic. We should instead explicitly exclude the stuff we are going to patch from the unpacked jar given we know which files these are.

duplicatesStrategy = DuplicatesStrategy.EXCLUDE

from(outputDir) // patch directory first so any files patched are excluded as duplicates
from(project.zipTree(configurations.thejar.singleFile))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be in a closure otherwise this is going to trigger resolution of this configuration eagerly.

@rjernst rjernst requested a review from a team as a code owner December 23, 2024 19:10
@rjernst
Copy link
Member Author

rjernst commented Dec 23, 2024

Thanks @mark-vieira, I believe I've addressed everything.

Copy link
Contributor

@mark-vieira mark-vieira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more minor cleanup and otherwise LGTM.

dependsOn(patchTask)
dependsOn(configurations.thejar)

from(outputDir)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this can actually just become from(patchTask) which will automatically use the task's outputs and you can remove the dependsOn above.

@rjernst rjernst added auto-backport Automatically create backport pull requests when merged v8.18.0 labels Dec 23, 2024
@rjernst rjernst enabled auto-merge (squash) December 23, 2024 19:51
@rjernst rjernst merged commit 3dc85be into elastic:main Dec 23, 2024
21 checks passed
@elasticsearchmachine
Copy link
Collaborator

💚 Backport successful

Status Branch Result
8.x

rjernst added a commit to rjernst/elasticsearch that referenced this pull request Dec 23, 2024
Shell utility in hdfs tries to execute a local script statically to
determine whether setsid is available. With the security manager this
doesn't work, but hdfs catches the SecurityException and assumes false.
With entitlements this doesn't work since hdfs does not know about our
NotEntitledException.

This commit reworks the patching of hdfs-client-api to use asm. It then
adds patching of hdfs' Shell class to replace the method that tries to
execute.
elasticsearchmachine pushed a commit that referenced this pull request Dec 23, 2024
Shell utility in hdfs tries to execute a local script statically to
determine whether setsid is available. With the security manager this
doesn't work, but hdfs catches the SecurityException and assumes false.
With entitlements this doesn't work since hdfs does not know about our
NotEntitledException.

This commit reworks the patching of hdfs-client-api to use asm. It then
adds patching of hdfs' Shell class to replace the method that tries to
execute.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Automatically create backport pull requests when merged :Core/Infra/Core Core issues without another label :Delivery/Build Build or test infrastructure >refactoring Team:Core/Infra Meta label for core/infra team Team:Delivery Meta label for Delivery team test-entitlements Trigger CI checks using security manager replacement v8.18.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants