Merge branch 'main' into just-terms

karenyrx · web-flow · commit e51afe14abf7 · 2025-04-10T19:06:39.000-04:00
Signed-off-by: Karen X &lt;karenxyr@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -43,6 +43,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Unwrap singleton DocValues in date histogram aggregation. ([#17643](https://github.com/opensearch-project/OpenSearch/pull/17643))
 - Introduce 512 byte limit to search and ingest pipeline IDs ([#17786](https://github.com/opensearch-project/OpenSearch/pull/17786))
 - Avoid skewed segment replication lag metric ([#17831](https://github.com/opensearch-project/OpenSearch/pull/17831))
+- Increase the default segment counter step size when replica promoting ([#17568](https://github.com/opensearch-project/OpenSearch/pull/17568))
 
 ### Dependencies
 - Bump `com.nimbusds:nimbus-jose-jwt` from 9.41.1 to 10.0.2 ([#17607](https://github.com/opensearch-project/OpenSearch/pull/17607), [#17669](https://github.com/opensearch-project/OpenSearch/pull/17669))
@@ -63,6 +64,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `reactor_netty` from 1.1.26 to 1.2.3 ([#17322](https://github.com/opensearch-project/OpenSearch/pull/17322), [#17377](https://github.com/opensearch-project/OpenSearch/pull/17377))
 - Bump `com.google.api.grpc:proto-google-iam-v1` from 1.33.0 to 1.49.1 ([#17811](https://github.com/opensearch-project/OpenSearch/pull/17811))
 - Bump `com.azure:azure-core` from 1.54.1 to 1.55.3 ([#17810](https://github.com/opensearch-project/OpenSearch/pull/17810))
+- Bump `org.apache.poi` version from 5.2.5 to 5.4.1 in /plugins/ingest-attachment ([#17887](https://github.com/opensearch-project/OpenSearch/pull/17887))
 - Bump `org.opensearch:protobufs` from 0.2.0 to 0.3.0 ([#17888](https://github.com/opensearch-project/OpenSearch/pull/17888))
 
 ### Changed
diff --git a/gradle/ide.gradle b/gradle/ide.gradle
@@ -49,6 +49,10 @@ if (System.getProperty('idea.active') == 'true') {
     }
   }
 
+  buildScan {
+    server = 'https://127.0.0.1'
+  }
+
   idea {
     project {
       vcs = 'Git'
@@ -81,8 +85,14 @@ if (System.getProperty('idea.active') == 'true') {
         }
         runConfigurations {
           defaults(JUnit) {
-            vmParameters = '-ea -Djava.locale.providers=SPI,CLDR'
-            vmParameters += ' -javaagent:' + project(':libs:agent-sm:agent').jar.archiveFile.get()
+            project(':libs:agent-sm:agent').afterEvaluate { agentProject ->
+              vmParameters = '-ea -Djava.locale.providers=SPI,CLDR'
+              def jarName = "${agentProject.base.archivesName.get()}-${project.version}.jar"
+              vmParameters += ' -javaagent:' + agentProject.layout.buildDirectory
+                .dir('distributions')
+                .map { it.file(jarName) }
+                .get()
+            }
           }
         }
         copyright {
diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java
@@ -12,6 +12,7 @@
 
 import java.io.FilePermission;
 import java.lang.reflect.Method;
+import java.net.NetPermission;
 import java.nio.file.OpenOption;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -71,59 +72,70 @@ public static void intercept(@Advice.AllArguments Object[] args, @Advice.Origin
         boolean isMutating = name.equals("move") || name.equals("write") || name.startsWith("create");
         final boolean isDelete = isMutating == false ? name.startsWith("delete") : false;
 
-        String targetFilePath = null;
-        if (isMutating == false && isDelete == false) {
-            if (name.equals("newByteChannel") == true || name.equals("open") == true) {
-                if (args.length > 1 && args[1] instanceof OpenOption[] opts) {
-                    for (final OpenOption opt : opts) {
-                        if (opt != StandardOpenOption.READ) {
-                            isMutating = true;
-                            break;
-                        }
-                    }
-
-                }
-            } else if (name.equals("copy") == true) {
-                if (args.length > 1 && args[1] instanceof String pathStr) {
-                    targetFilePath = Paths.get(pathStr).toAbsolutePath().toString();
-                } else if (args.length > 1 && args[1] instanceof Path path) {
-                    targetFilePath = path.toAbsolutePath().toString();
+        // This is Windows implementation of UNIX Domain Sockets (close)
+        if (isDelete == true
+            && walker.getCallerClass().getName().equalsIgnoreCase("sun.nio.ch.PipeImpl$Initializer$LoopbackConnector") == true) {
+            final NetPermission permission = new NetPermission("accessUnixDomainSocket");
+            for (ProtectionDomain domain : callers) {
+                if (!policy.implies(domain, permission)) {
+                    throw new SecurityException("Denied access to: " + filePath + ", domain " + domain);
                 }
             }
-        }
+        } else {
+            String targetFilePath = null;
+            if (isMutating == false && isDelete == false) {
+                if (name.equals("newByteChannel") == true || name.equals("open") == true) {
+                    if (args.length > 1 && args[1] instanceof OpenOption[] opts) {
+                        for (final OpenOption opt : opts) {
+                            if (opt != StandardOpenOption.READ) {
+                                isMutating = true;
+                                break;
+                            }
+                        }
 
-        // Check each permission separately
-        for (final ProtectionDomain domain : callers) {
-            // Handle FileChannel.open() separately to check read/write permissions properly
-            if (method.getName().equals("open")) {
-                if (isMutating == true && !policy.implies(domain, new FilePermission(filePath, "read,write"))) {
-                    throw new SecurityException("Denied OPEN (read/write) access to file: " + filePath + ", domain: " + domain);
-                } else if (!policy.implies(domain, new FilePermission(filePath, "read"))) {
-                    throw new SecurityException("Denied OPEN (read) access to file: " + filePath + ", domain: " + domain);
+                    }
+                } else if (name.equals("copy") == true) {
+                    if (args.length > 1 && args[1] instanceof String pathStr) {
+                        targetFilePath = Paths.get(pathStr).toAbsolutePath().toString();
+                    } else if (args.length > 1 && args[1] instanceof Path path) {
+                        targetFilePath = path.toAbsolutePath().toString();
+                    }
                 }
             }
 
-            // Handle Files.copy() separately to check read/write permissions properly
-            if (method.getName().equals("copy")) {
-                if (!policy.implies(domain, new FilePermission(filePath, "read"))) {
-                    throw new SecurityException("Denied COPY (read) access to file: " + filePath + ", domain: " + domain);
+            // Check each permission separately
+            for (final ProtectionDomain domain : callers) {
+                // Handle FileChannel.open() separately to check read/write permissions properly
+                if (method.getName().equals("open")) {
+                    if (isMutating == true && !policy.implies(domain, new FilePermission(filePath, "read,write"))) {
+                        throw new SecurityException("Denied OPEN (read/write) access to file: " + filePath + ", domain: " + domain);
+                    } else if (!policy.implies(domain, new FilePermission(filePath, "read"))) {
+                        throw new SecurityException("Denied OPEN (read) access to file: " + filePath + ", domain: " + domain);
+                    }
                 }
 
-                if (targetFilePath != null) {
-                    if (!policy.implies(domain, new FilePermission(targetFilePath, "write"))) {
-                        throw new SecurityException("Denied COPY (write) access to file: " + targetFilePath + ", domain: " + domain);
+                // Handle Files.copy() separately to check read/write permissions properly
+                if (method.getName().equals("copy")) {
+                    if (!policy.implies(domain, new FilePermission(filePath, "read"))) {
+                        throw new SecurityException("Denied COPY (read) access to file: " + filePath + ", domain: " + domain);
+                    }
+
+                    if (targetFilePath != null) {
+                        if (!policy.implies(domain, new FilePermission(targetFilePath, "write"))) {
+                            throw new SecurityException("Denied COPY (write) access to file: " + targetFilePath + ", domain: " + domain);
+                        }
                     }
                 }
-            }
 
-            // File mutating operations
-            if (isMutating && !policy.implies(domain, new FilePermission(filePath, "write"))) {
-                throw new SecurityException("Denied WRITE access to file: " + filePath + ", domain: " + domain);
-            }
+                // File mutating operations
+                if (isMutating && !policy.implies(domain, new FilePermission(filePath, "write"))) {
+                    throw new SecurityException("Denied WRITE access to file: " + filePath + ", domain: " + domain);
+                }
 
-            // File deletion operations
-            if (isDelete && !policy.implies(domain, new FilePermission(filePath, "delete"))) {
-                throw new SecurityException("Denied DELETE access to file: " + filePath + ", domain: " + domain);
+                // File deletion operations
+                if (isDelete && !policy.implies(domain, new FilePermission(filePath, "delete"))) {
+                    throw new SecurityException("Denied DELETE access to file: " + filePath + ", domain: " + domain);
+                }
             }
         }
     }
diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
@@ -36,6 +36,7 @@ grant {
 
    // netty makes and accepts socket connections
    permission java.net.SocketPermission "*", "accept,connect";
+   permission java.net.NetPermission "accessUnixDomainSocket";
 
    // Netty sets custom classloader for some of its internal threads
    permission java.lang.RuntimePermission "*", "setContextClassLoader";
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
@@ -40,7 +40,7 @@ opensearchplugin {
 versions << [
   'tika'  : '2.9.2',
   'pdfbox': '2.0.31',
-  'poi'   : '5.2.5',
+  'poi'   : '5.4.1',
   'mime4j': '0.8.11'
 ]
 
diff --git a/plugins/ingest-attachment/licenses/poi-5.2.5.jar.sha1 b/plugins/ingest-attachment/licenses/poi-5.2.5.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/poi-5.4.1.jar.sha1 b/plugins/ingest-attachment/licenses/poi-5.4.1.jar.sha1
@@ -0,0 +1 @@
+e4c74c59e13f62d8edd215756d14ce55566c6efe
diff --git a/plugins/ingest-attachment/licenses/poi-ooxml-5.2.5.jar.sha1 b/plugins/ingest-attachment/licenses/poi-ooxml-5.2.5.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/poi-ooxml-5.4.1.jar.sha1 b/plugins/ingest-attachment/licenses/poi-ooxml-5.4.1.jar.sha1
@@ -0,0 +1 @@
+508ed3e7fcc775738415870d0bc6d27196317fe3
diff --git a/plugins/ingest-attachment/licenses/poi-ooxml-lite-5.2.5.jar.sha1 b/plugins/ingest-attachment/licenses/poi-ooxml-lite-5.2.5.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/poi-ooxml-lite-5.4.1.jar.sha1 b/plugins/ingest-attachment/licenses/poi-ooxml-lite-5.4.1.jar.sha1
@@ -0,0 +1 @@
+0ed2246f88254ba40fc2e7999c8f8e4e9031208a
diff --git a/plugins/ingest-attachment/licenses/poi-scratchpad-5.2.5.jar.sha1 b/plugins/ingest-attachment/licenses/poi-scratchpad-5.2.5.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/poi-scratchpad-5.4.1.jar.sha1 b/plugins/ingest-attachment/licenses/poi-scratchpad-5.4.1.jar.sha1
@@ -0,0 +1 @@
+ba43fb23ab262865b349d58d6ef1218755eef228
diff --git a/plugins/transport-reactor-netty4/src/main/plugin-metadata/plugin-security.policy b/plugins/transport-reactor-netty4/src/main/plugin-metadata/plugin-security.policy
@@ -12,6 +12,7 @@ grant {
 
    // netty makes and accepts socket connections
    permission java.net.SocketPermission "*", "accept,connect";
+   permission java.net.NetPermission "accessUnixDomainSocket";
 
    // Netty sets custom classloader for some of its internal threads
    permission java.lang.RuntimePermission "*", "setContextClassLoader";
diff --git a/server/src/main/java/org/opensearch/index/engine/NRTReplicationEngine.java b/server/src/main/java/org/opensearch/index/engine/NRTReplicationEngine.java
@@ -67,7 +67,7 @@ public class NRTReplicationEngine extends Engine {
 
     private volatile long lastReceivedPrimaryGen = SequenceNumbers.NO_OPS_PERFORMED;
 
-    private static final int SI_COUNTER_INCREMENT = 10;
+    private static final int SI_COUNTER_INCREMENT = 100000;
 
     public NRTReplicationEngine(EngineConfig engineConfig) {
         super(engineConfig);
diff --git a/server/src/main/java/org/opensearch/index/mapper/MappedFieldType.java b/server/src/main/java/org/opensearch/index/mapper/MappedFieldType.java
@@ -101,7 +101,7 @@ public MappedFieldType(
         TextSearchInfo textSearchInfo,
         Map<String, String> meta
     ) {
-        setBoost(1.0f);
+        this.boost = 1.0f;
         this.name = Objects.requireNonNull(name);
         this.isIndexed = isIndexed;
         this.isStored = isStored;
diff --git a/server/src/main/java/org/opensearch/index/mapper/ParametrizedFieldMapper.java b/server/src/main/java/org/opensearch/index/mapper/ParametrizedFieldMapper.java
@@ -95,7 +95,7 @@ protected ParametrizedFieldMapper(String simpleName, MappedFieldType mappedField
     public abstract ParametrizedFieldMapper.Builder getMergeBuilder();
 
     @Override
-    public final ParametrizedFieldMapper merge(Mapper mergeWith) {
+    public ParametrizedFieldMapper merge(Mapper mergeWith) {
 
         if (mergeWith instanceof FieldMapper == false) {
             throw new IllegalArgumentException(
@@ -348,7 +348,7 @@ private void merge(FieldMapper toMerge, Conflicts conflicts) {
             }
         }
 
-        protected void toXContent(XContentBuilder builder, boolean includeDefaults) throws IOException {
+        public void toXContent(XContentBuilder builder, boolean includeDefaults) throws IOException {
             if (serializerCheck.check(includeDefaults, isConfigured(), get())) {
                 serializer.serialize(builder, name, getValue());
             }
@@ -649,7 +649,7 @@ protected String buildFullName(BuilderContext context) {
         /**
          * Writes the current builder parameter values as XContent
          */
-        protected final void toXContent(XContentBuilder builder, boolean includeDefaults) throws IOException {
+        public final void toXContent(XContentBuilder builder, boolean includeDefaults) throws IOException {
             for (Parameter<?> parameter : getParameters()) {
                 parameter.toXContent(builder, includeDefaults);
             }
diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -91,30 +91,37 @@ grant codeBase "${codebase.zstd-jni}" {
 // repository-azure plugin and server side streaming
 grant codeBase "${codebase.reactor-core}" {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.opensearch-cli}" {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.opensearch-core}" {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.jackson-core}" {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.opensearch-common}" {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.opensearch-x-content}" {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.opensearch}" {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 //// Everything else:
diff --git a/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy b/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
@@ -81,6 +81,7 @@ grant codeBase "${codebase.lucene-test-framework}" {
   permission java.nio.file.LinkPermission "hard";
   // needed for RAMUsageTester
   permission java.lang.RuntimePermission "accessDeclaredMembers";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.randomizedtesting-runner}" {
@@ -92,6 +93,7 @@ grant codeBase "${codebase.randomizedtesting-runner}" {
   permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThreadGroup";
   // needed for TestClass creation
   permission java.lang.RuntimePermission "accessDeclaredMembers";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.junit}" {
@@ -176,4 +178,5 @@ grant {
   permission org.opensearch.secure_sm.ThreadContextPermission "stashAndMergeHeaders";
   permission org.opensearch.secure_sm.ThreadContextPermission "stashWithOrigin";
   permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,10 @@ if (System.getProperty('idea.active') == 'true') {`
`49`	`49`	`}`
`50`	`50`	`}`
`51`	`51`
	`52`	`+ buildScan {`
	`53`	`+ server = 'https://127.0.0.1'`
	`54`	`+ }`
	`55`	`+`
`52`	`56`	`idea {`
`53`	`57`	`project {`
`54`	`58`	`vcs = 'Git'`
`@@ -81,8 +85,14 @@ if (System.getProperty('idea.active') == 'true') {`
`81`	`85`	`}`
`82`	`86`	`runConfigurations {`
`83`	`87`	`defaults(JUnit) {`
`84`		`- vmParameters = '-ea -Djava.locale.providers=SPI,CLDR'`
`85`		`- vmParameters += ' -javaagent:' + project(':libs:agent-sm:agent').jar.archiveFile.get()`
	`88`	`+ project(':libs:agent-sm:agent').afterEvaluate { agentProject ->`
	`89`	`+ vmParameters = '-ea -Djava.locale.providers=SPI,CLDR'`
	`90`	`+ def jarName = "${agentProject.base.archivesName.get()}-${project.version}.jar"`
	`91`	`+ vmParameters += ' -javaagent:' + agentProject.layout.buildDirectory`
	`92`	`+ .dir('distributions')`
	`93`	`+ .map { it.file(jarName) }`
	`94`	`+ .get()`
	`95`	`+ }`
`86`	`96`	`}`
`87`	`97`	`}`
`88`	`98`	`copyright {`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ opensearchplugin {`
`40`	`40`	`versions << [`
`41`	`41`	`'tika' : '2.9.2',`
`42`	`42`	`'pdfbox': '2.0.31',`
`43`		`- 'poi' : '5.2.5',`
	`43`	`+ 'poi' : '5.4.1',`
`44`	`44`	`'mime4j': '0.8.11'`
`45`	`45`	`]`
`46`	`46`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+e4c74c59e13f62d8edd215756d14ce55566c6efe`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+508ed3e7fcc775738415870d0bc6d27196317fe3`