-
Notifications
You must be signed in to change notification settings - Fork 285
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Removed explicit dependency on log4j #1563
Conversation
Signed-off-by: Dave Lago <[email protected]>
Signed-off-by: Dave Lago <[email protected]>
Nuke. it. from. space. |
My hero. |
Got |
@@ -29,8 +29,8 @@ | |||
import java.util.concurrent.locks.ReentrantLock; | |||
|
|||
import org.apache.commons.lang3.exception.ExceptionUtils; | |||
import org.slf4j.Logger; | |||
import org.slf4j.LoggerFactory; | |||
import org.apache.logging.log4j.LogManager; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are you using Log4j explicitly here? You could still use SLF4J and swap out the underlying logger, even using the slf4j-simple if desired for tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The SLF4J was added explicitly in this plugin and is not provided from OpenSearch. Only Log4J is. The purpose of this PR is to clear any explicit logger dependencies in our POM and use whatever is provided in core. That's why I switched to Log4J
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just chiming in from the peanut gallery, but my two cents is that is generally better to declare explicit dependencies on things that you use as opposed to implicitly using transitive dependencies. In this case, I would think the ideal solution is like what @dlvenable mentioned, which is to declare an explicit dependency on a thin API (something like slf4j or log4j-api) and use classes defined in that API while letting core bring in the actual concrete implementation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So first, I do see that this is a test. It does seem that if you really want to use log4j here, you should probably include log4j as an explicit test dependency in the Maven pom file. But, I don't think any of us want that. :)
I suggest that you add slf4j-api as an explicit dependency for this project in the Maven pom. Then use only that in code. You can get an slf4j implementation from OpenSearch core which will work for your tests when they run.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @dlvenable and @andrross for the help here! It turns out these are not just test dependencies, they are used all over (100+ files). I've taken a stab at replacing our uses with SLF4J... it builds locally, now letting it run the whole CI suite.
Unrelated, this CI job has been failing running out of memory... first time I see this (or at least a few times in a row), and not really sure this PR is the culprit...
Signed-off-by: Dave Lago <[email protected]>
} | ||
return true; | ||
} | ||
|
||
private boolean isLogLevelEnabled(Logger logger, Level level) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just did this in a pinch to get this going... log4j has .isEnabled()
and .log()
, where SLF4J segregates by level. Perhaps there is a more idiomatic way of doing this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know of a better way, but I also think this is a good solution for now. Maybe there is a more extensible solution which could come later.
You could simplify the case by returning rather than using isEnabled
if you wanted to make the code a little tighter.
@@ -194,7 +194,7 @@ protected AbstractConfigurationValidator postProcessApplyPatchResult(RestChannel | |||
builder.endObject(); | |||
retVal = getValidator(request, BytesReference.bytes(builder), resourceName); | |||
} catch (IOException e) { | |||
log.error(e); | |||
log.error(e.toString()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I find the best way to handle logging exceptions to be:
log.error("relevant message", ex);
This approach will write out the stack trace.
@@ -305,7 +305,7 @@ public int order() { | |||
final PrivilegesEvaluatorResponse pres = eval.evaluate(user, action, request, task, injectedRoles); | |||
|
|||
if (log.isDebugEnabled()) { | |||
log.debug(pres); | |||
log.debug(pres.toString()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is creating a log message, which you probably don't want. It could be interpolated.
The preferred equivalent way to do this is:
log.debug("{}", pres);
But, I recommend making the log line even more readable:
log.debug("privileges response: {}", pres);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here is a reference: https://www.slf4j.org/faq.html#string_contents
So it turns out that the failing CI's OOM was a red herring, and we have been getting these errors since the first commit :(
|
I've installed the plugin as produced by this PR into a new server, and it works just fine, no complains about missing |
Regarding the error, it does seem that
Both solutions would have a dependency with Here is how it could look for the slf4j-simple approach:
|
Signed-off-by: Dave Lago <[email protected]>
Thanks @dlvenable, submitted an update adding it back as a test dependency. So just check me here to make sure I'm reasoning about this the right way: Before this PR, log4j was a The difference is that, by updating every use to SLF4J instead, we don't rely on a specific version of log4j-core being provided, so if a new vulnerability is discovered and OpenSearch needs to move to |
OK, that did the trick. CI passing now. |
The current
So the project was adding a transitive dependency on the log4j SLF4J binding that other projects would take in. Aside from the security concerns with log4j, this is also not good practice. SLF4J lets libraries log statements without caring which logger the application will end up using. Your PR now makes this a I packaged this plugin using the build instructions: Then I unzipped this file:
Your branch:
You can see that the log4j-slf4j-impl is no longer present. But, it appears that log4j-core was never present. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great contributions from everyone! 🥳
In OpenSearch 1.3.0 we removed an explicit dependency on log4j opensearch-project#1563 this caused the log4j-slf4j-impl-X.XX.X.jar file no longer to be included in the plugin. When the plugin started up the default no-op logger was used instead. This prevented the security plugin from logging anything, yikes. When looking at the other opensearch plugins, none of them use slf4. Rather than continue using a seperate logging process, moving to the standard log4j Logger/LogManager. Tested this change on 2.0.0-alpha distribution and logging works as expected. Signed-off-by: Peter Nied <[email protected]>
In OpenSearch 1.3.0 we removed an explicit dependency on log4j #1563 this caused the log4j-slf4j-impl-X.XX.X.jar file no longer to be included in the plugin. When the plugin started up the default no-op logger was used instead. This prevented the security plugin from logging anything, yikes. When looking at the other opensearch plugins, none of them use slf4. Rather than continue using a seperate logging process, moving to the standard log4j Logger/LogManager. Tested this change on 2.0.0-alpha distribution and logging works as expected. Signed-off-by: Peter Nied <[email protected]>
In OpenSearch 1.3.0 we removed an explicit dependency on log4j opensearch-project#1563 this caused the log4j-slf4j-impl-X.XX.X.jar file no longer to be included in the plugin. When the plugin started up the default no-op logger was used instead. This prevented the security plugin from logging anything, yikes. When looking at the other opensearch plugins, none of them use slf4. Rather than continue using a seperate logging process, moving to the standard log4j Logger/LogManager. Tested this change on 2.0.0-alpha distribution and logging works as expected. Signed-off-by: Peter Nied <[email protected]> (cherry picked from commit 54a920b)
In OpenSearch 1.3.0 we removed an explicit dependency on log4j opensearch-project#1563 this caused the log4j-slf4j-impl-X.XX.X.jar file no longer to be included in the plugin. When the plugin started up the default no-op logger was used instead. This prevented the security plugin from logging anything, yikes. When looking at the other opensearch plugins, none of them use slf4. Rather than continue using a seperate logging process, moving to the standard log4j Logger/LogManager. Tested this change on 2.0.0-alpha distribution and logging works as expected. Signed-off-by: Peter Nied <[email protected]> (cherry picked from commit 54a920b)
* Switch to log4j logger (#1751) In OpenSearch 1.3.0 we removed an explicit dependency on log4j #1563 this caused the log4j-slf4j-impl-X.XX.X.jar file no longer to be included in the plugin. When the plugin started up the default no-op logger was used instead. This prevented the security plugin from logging anything, yikes. When looking at the other opensearch plugins, none of them use slf4. Rather than continue using a seperate logging process, moving to the standard log4j Logger/LogManager. Tested this change on 2.0.0-alpha distribution and logging works as expected. Signed-off-by: Peter Nied <[email protected]> (cherry picked from commit 54a920b) * Fix 2 files that missed the update Signed-off-by: Peter Nied <[email protected]> * Adds logger to missed files Signed-off-by: Darshit Chanpura <[email protected]> Co-authored-by: Peter Nied <[email protected]>
Revert some changes introduced by #1563 to correct work with log4j. Signed-off-by: Andrey Pustovetov <[email protected]>
Revert some changes introduced by #1563 to correct work with log4j. Signed-off-by: Andrey Pustovetov <[email protected]> (cherry picked from commit 68f5624)
Revert some changes introduced by #1563 to correct work with log4j. Signed-off-by: Andrey Pustovetov <[email protected]> (cherry picked from commit 68f5624)
Revert some changes introduced by #1563 to correct work with log4j. Signed-off-by: Andrey Pustovetov <[email protected]> (cherry picked from commit 68f5624) Co-authored-by: Andrey Pustovetov <[email protected]>
…t#1996) Revert some changes introduced by opensearch-project#1563 to correct work with log4j. Signed-off-by: Andrey Pustovetov <[email protected]> Signed-off-by: Stephen Crawford <[email protected]>
* Removed explicit dependency on log4j Signed-off-by: Dave Lago <[email protected]>
In OpenSearch 1.3.0 we removed an explicit dependency on log4j opensearch-project#1563 this caused the log4j-slf4j-impl-X.XX.X.jar file no longer to be included in the plugin. When the plugin started up the default no-op logger was used instead. This prevented the security plugin from logging anything, yikes. When looking at the other opensearch plugins, none of them use slf4. Rather than continue using a seperate logging process, moving to the standard log4j Logger/LogManager. Tested this change on 2.0.0-alpha distribution and logging works as expected. Signed-off-by: Peter Nied <[email protected]>
…t#1996) (opensearch-project#2024) Revert some changes introduced by opensearch-project#1563 to correct work with log4j. Signed-off-by: Andrey Pustovetov <[email protected]> (cherry picked from commit 68f5624) Co-authored-by: Andrey Pustovetov <[email protected]>
Signed-off-by: Dave Lago [email protected]
Description
Remove the explicit dependency on log4j. It was accidental rather than intentional, and it makes our life easier if we just remove it.
Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
Maintenance
Why these changes are required?
Improve overall project release speed as no changes are needed in the security plugin if there are new vulnerabilities found in log4j.
What is the old behavior before changes and new behavior after changes?
There should be no behavioral changes. The only updates were in 2 test classes.
Issues Resolved
#1519
Testing
mvn -B package -Padvanced
, manually ran the test with code changes.Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.