Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The org.opensearch.bootstrap.Security should support codebase for JAR files with classifiers #12586

Merged
merged 1 commit into from
Mar 12, 2024

Conversation

reta
Copy link
Collaborator

@reta reta commented Mar 11, 2024

Description

The issue came out while integration OpenSearch test scaffolding with security plugin. The org.opensearch.bootstrap.Security analyzes the classpath and injects the codebase.* system property for each JAR entry found (so it could be referenced in security policy files), for example:

...

grant codeBase "${codebase.zstd-jni}" {
  permission java.lang.RuntimePermission "loadLibrary.*";
};

grant codeBase "${codebase.jna}" {
  // for registering native methods
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};

...

The codebase.* suffix is constructed from the JAR file name by stripping the version (and .jar extension). However, it causes the issues when there same artifacts with classifiers referenced, for example:

  • netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar and netty-tcnative-boringssl-static-2.0.61.Final.jar
  • kafka-server-common-3.6.1-test.jar and kafka-server-common-3.6.1.jar

Although different, these artifacts are folded into same codebase suffix, causing the bootstrap process to fail.

The pull request adds support for artifacts (JARs) with classifiers so they could be distinguished (and also referenced in security policy): codebase.*@. For example:

grant codeBase "${codebase.netty-tcnative-boringssl-static@linux-x86_64}" {
  ...
};

grant codeBase "${codebase.kafka-server-common@test}" {
  ...
};

Related Issues

Closes #12581

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Copy link
Contributor

github-actions bot commented Mar 11, 2024

Compatibility status:

Checks if related components are compatible with change bc7b424

Incompatible components

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/flow-framework.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/performance-analyzer.git]

Copy link
Contributor

✅ Gradle check result for 3c0613b: SUCCESS

Copy link

codecov bot commented Mar 11, 2024

Codecov Report

Attention: Patch coverage is 80.00000% with 6 lines in your changes are missing coverage. Please review.

Project coverage is 71.41%. Comparing base (b15cb0c) to head (bc7b424).
Report is 6 commits behind head on main.

Files Patch % Lines
...c/main/java/org/opensearch/bootstrap/Security.java 80.00% 4 Missing and 2 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #12586      +/-   ##
============================================
- Coverage     71.42%   71.41%   -0.01%     
+ Complexity    59978    59969       -9     
============================================
  Files          4985     4985              
  Lines        282275   282295      +20     
  Branches      40946    40949       +3     
============================================
- Hits         201603   201598       -5     
+ Misses        63999    63990       -9     
- Partials      16673    16707      +34     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Contributor

❌ Gradle check result for 9befa6e: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions github-actions bot added v2.13.0 Issues and PRs related to version 2.13.0 v3.0.0 Issues and PRs related to version 3.0.0 labels Mar 11, 2024
Copy link
Contributor

❌ Gradle check result for c15169d: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Copy link
Contributor

❕ Gradle check result for bc7b424: UNSTABLE

  • TEST FAILURES:
      1 org.opensearch.cluster.allocation.ClusterRerouteIT.testDelayWithALargeAmountOfShards

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

@reta
Copy link
Collaborator Author

reta commented Mar 11, 2024

@andrross @dblock @peternied folks mind taking a look please? thank you!

@reta reta merged commit 07e79e3 into opensearch-project:main Mar 12, 2024
30 of 34 checks passed
@reta reta added the backport 2.x Backport to 2.x branch label Mar 12, 2024
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-12586-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 07e79e3bec7732cc347bf36d934631e6f87a8216
# Push it to GitHub
git push --set-upstream origin backport/backport-12586-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-12586-to-2.x.

reta added a commit to reta/OpenSearch that referenced this pull request Mar 12, 2024
… files with classifiers (opensearch-project#12586)

Signed-off-by: Andriy Redko <[email protected]>
(cherry picked from commit 07e79e3)
reta added a commit that referenced this pull request Mar 12, 2024
… files with classifiers (#12586) (#12613)

Signed-off-by: Andriy Redko <[email protected]>
(cherry picked from commit 07e79e3)
rayshrey pushed a commit to rayshrey/OpenSearch that referenced this pull request Mar 18, 2024
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
… files with classifiers (opensearch-project#12586)

Signed-off-by: Andriy Redko <[email protected]>
Signed-off-by: Shivansh Arora <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x Backport to 2.x branch backport-failed enhancement Enhancement or improvement to existing feature or request Other v2.13.0 Issues and PRs related to version 2.13.0 v3.0.0 Issues and PRs related to version 3.0.0
Projects
Status: No status
Development

Successfully merging this pull request may close these issues.

[Feature Request] org.opensearch.bootstrap.Security should support codebase for JAR files with classifiers
2 participants