-
Notifications
You must be signed in to change notification settings - Fork 281
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Security plugin transport layer(multi-node cluster) does not work due to missing required reflective access (JDK17) #1653
Comments
Adding @vrozov who is the author of the original PR. Do you have any suggestions on resolving this issue? |
@setiah Good question! I had the same suspicion, but at least in security plugin, almost of all changes since 1.2.4 are CI/CD and build system changes. Nothing looks related to this. And when I reset security plugin all the way back to the very first commit after 1.2 versions, this issue still exists. So basically starting from bumping the OpenSearch version from 1.2.x to 1.3.0, the issue got introduced. |
Found the cause. So the issue started happening after the bundled JDK was updated from Prior to this JDK update, OpenSearch logs used to have warning messages to reflect improper reflective access, but, it still worked. See logs below
Seems like the new release version of JDK no longer support this illegal reflective access operation, hence fails while initializing
|
The JDK update looks like a breaking change for a minor version update. It is breaking reflective access in plugins. Now breaking reflective access may be the right thing to do, but for a minor version update this can cause problems to the community plugins. I think we should push the JDK update change to 2.0 and exclude it from 1.3 (backport PR opensearch-project/OpenSearch#1922) Another option is to allow reflective access by adding below jvmArgs. However, I am ruling out this option as it might be the wrong thing to do for non-testing purposes (also as JDK wants it deprecated and removed).
Having said that, the "illegal reflective access" would again show up as a problem for 2.0 release and needs to be dealt. But for 2.0, we would want to fix things on the Security plugin side (and community plugins which have similar issue can do the same). PR #1278 was meant to be a quick patchwork for retaining backward compatibility with ODFE (see issue #1259). There are longer term solutions discussed on the original issue to fix things "the right way", which we can explore. Also, for 2.0, we do not need the #1278 as the mixed cluster scenario with ODFE and 2.0 version nodes would not arise (PS: Since to upgrade from ODFE, ODFE 1.13 -> OpenSearch 1.x -> OpenSearch2.0). @reta @dblock do you guys think it is reasonable to remove JDK update changes from 1.3 release? On a side note, another concerning thing for me is why this breaking behavior was not detected early on when this change was merged (~18th Jan), and discovered now while planning for 1.3 release. The automated integration test infrastructure pipeline should be able to detect such issues. Anything I am missing? @bbarani @CEHENKLE |
@setiah @dblock the JDK-17 is only used to run tests (and consequently, used in builds), it should not break things (sadly, besides the build itself) and could be changed anytime by using |
@reta This is all part of opensearch-project/opensearch-plugins#64 in which we're trying to switch builds to 11 and upgrade runtime to 17. This issue prevents upgrading the runtime to 17. I'm moving this issue to security and let's figure out whether we should fix this or ship 1.3 with JDK 11 instead. |
@dblock gotcha, we could make |
@dblock @reta Fixing this on security plugin would not resolve the root cause introduced by JDK 17 in runtime. Other plugins that require reflective accesses would still have this issue, for example PA plugin. And reverting the related PR would break backward compatibility of security plugin like I mentioned. |
@cliu123 but we have to fix this access violation in any case, right? (in all the places) |
My vote would be to push JDK17 to 2.0 and open issues in all affected plugins like security, PA etc to fix the access violation by 2.0 |
Thanks @reta for the quick response. Since it defaults to jdk17 runtime now (bundled jdk), it runs OpenSearch and plugins on it by default. Setting |
@setiah many do not use bundled JDK, moving to 11 [1] "solves" our problem but not user's problem, JDK-17 is the version many are moving to in production ... |
@ylwu-amzn The PR has been merged. Has the issue been resolved? |
We are using 1.2.4 doing PenTest. Please keep that issue open until you confirm the issue resolved on 1.3. We have to publish and merge PR before the issue fixed as we are reaching code complete cut-off date for 1.3 soon. |
That issue that you created has been closed since the root cause(JDK 17 in runtime) has been identified, and this issue was created to track the resolution of the root cause. Please close this issue whenever you confirm that your issue is resolved. |
@cliu123 , busy with finishing coding now, so will keep that issue open for a while. If you are sure that issue is gone, you can close that issue directly. If we find any issue, will reopen or create a new one. Thanks. |
We've given up on JDK 17 for OpenSearch v.1.3.0 and downgraded OpenSearch 1.x branch to JDK 11. Re-labelling this issue as 2.0. |
@ylwu-amzn confirmed that the issue has been resovled. Closing the issue. |
Closing the issue with #1691 |
Describe the bug
Security plugin 1.3.0.0 does not work on OpenSearch 1.3.0 multi-node clusters without required reflective access.
This issue was originated from: #1619
To Reproduce
Steps to reproduce the behavior:
_cat/nodes
or_cat/indices
) to the OpenSearch cluster.Stacktrace in logs:
Digging into the reason of the error:
1.
Expected behavior
Requests gets expected response like the following:
Plugins
Please list all plugins currently enabled.
Security plugin
Host/Environment (please complete the following information):
Additional context
PR#1278 in security plugin requires these reflective access since the changes use reflection. But reverting the PR is not an option since the PR itself supports OpenSearch backward compatibility for ODFE. Without this PR(#1278), security plugin would not work in mixed cluster(ODFE nodes + OpenSearch nodes), which would fail rolling upgrade from ODFE to OpenSearch.
In order to fix the issue, JVM Options where OpenSearch cluster runs need to be appended with something like this to grant the reflective access. Security plugin had exactly same error message in Integration Tests, which was resolved by such changes.
The text was updated successfully, but these errors were encountered: