Skip to content

Create equivalents of JSM's AccessController in the java agent #18346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 37 commits into from
Jun 23, 2025
Merged

Create equivalents of JSM's AccessController in the java agent #18346

merged 37 commits into from
Jun 23, 2025
+327 −36

Conversation

@cwperks
Copy link
Member

@cwperks cwperks commented May 20, 2025
edited
Loading

Description

The classes in this PR were on a former iteration of #17894

This PR creates replacements for JSM's AccessController which is marked for removal from the JDK. While JSM was replaced with the java agent in 3.0.0, the logic to extract the ProtectionDomains from the call stack relies on the AccessController to limit the frames when examining the stack. The java agent needs to retain this code marker to know when to stop walking the stack and this PR creates OpenSearch equivalents to the AccessController which is a simple wrapper around a runnable block of code.

Related Issues

Resolves #18339

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@github-actions github-actions bot added enhancement Enhancement or improvement to existing feature or request Plugins labels May 20, 2025
@cwperks cwperks changed the title Create OpenSearch equivalents of JSM's AccessController Create equivalents of JSM's AccessController in the java agent May 20, 2025
cwperks
cwperks commented May 20, 2025
View reviewed changes
libs/agent-sm/bootstrap/src/main/java/org/opensearch/javaagent/bootstrap/AccessController.java Outdated
* compatible open source license.
*/

package org.opensearch.javaagent.bootstrap;
Copy link
Member Author

@cwperks cwperks May 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know the right module for this code. The server has a dependency on this lib, but its marked as compileOnly. How are the other classes in this module (like AgentPolicy) available at runtime?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe jars passed to the JVM via -javaagent are available on the classpath, so the compileOnly dependency is making the assumption this will be provided at runtime via a -javaagent.

@cwperks
Add to CHANGELOG
366406f 
Signed-off-by: Craig Perkins <[email protected]>
@github-actions
Copy link
Contributor

✅ Gradle check result for 366406f: SUCCESS

@codecov
Copy link

codecov bot commented May 20, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 50.00000% with 14 lines in your changes missing coverage. Please review.

Project coverage is 72.62%. Comparing base (a8bd494) to head (e7270f7).
Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
...va/org/opensearch/ingest/geoip/GeoIpProcessor.java 44.44% 10 Missing ⚠️
...ent/StackCallerProtectionDomainChainExtractor.java 0.00% 4 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##               main   #18346      +/-   ##
============================================
- Coverage     72.81%   72.62%   -0.19%     
+ Complexity    68209    68113      -96     
============================================
  Files          5541     5542       +1     
  Lines        313390   313396       +6     
  Branches      45472    45472              
============================================
- Hits         228196   227608     -588     
- Misses        66671    67247     +576     
- Partials      18523    18541      +18

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@cwperks
Address code review feedback
53be672 
Signed-off-by: Craig Perkins <[email protected]>
@github-actions
Copy link
Contributor

❕ Gradle check result for 53be672: UNSTABLE

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

@github-actions
Copy link
Contributor

❌ Gradle check result for 00c22c7: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@opensearch-ci-bot opensearch-ci-bot mentioned this pull request May 23, 2025
Open
@github-actions
Copy link
Contributor

❌ Gradle check result for d79bdc1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

cwperks added 2 commits May 23, 2025 16:20
@cwperks
Fix precommit
71ba997 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks
Show example of replacement in a module
9cfa314 
Signed-off-by: Craig Perkins <[email protected]>
@github-actions
Copy link
Contributor

❌ Gradle check result for 9cfa314: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions
Copy link
Contributor

✅ Gradle check result for 9a3f3f2: SUCCESS

@kumargu
Copy link
Contributor

kumargu commented Jun 20, 2025

This is going to need changing the imports across multiple plugins?

@andrross
Copy link
Member

This is going to need changing the imports across multiple plugins?

@kumargu We'll continue to support both the JDK-based access controller and the new version as long as the JDK still contains those classes. Plugins should have a long time to make the update (likely the entire 3.x series at least).

@kumargu
Copy link
Contributor

kumargu commented Jun 20, 2025

This is going to need changing the imports across multiple plugins?

@kumargu We'll continue to support both the JDK-based access controller and the new version as long as the JDK still contains those classes. Plugins should have a long time to make the update (likely the entire 3.x series at least).

Gotcha. makes sense.

@cwperks
Address review comments
8950858 
Signed-off-by: Craig Perkins <[email protected]>
@github-actions
Copy link
Contributor

✅ Gradle check result for 8950858: SUCCESS

@cwperks
Move to secure_sm package
c6a61fc 
Signed-off-by: Craig Perkins <[email protected]>
@github-actions
Copy link
Contributor

❌ Gradle check result for c6a61fc: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@opensearch-ci-bot opensearch-ci-bot mentioned this pull request Jun 20, 2025
Closed
@github-actions
Copy link
Contributor

❌ Gradle check result for 5c32ba2: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions
Copy link
Contributor

❕ Gradle check result for 5c32ba2: UNSTABLE

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

This was referenced Jun 21, 2025
Open
Open
@github-actions
Copy link
Contributor

✅ Gradle check result for e7270f7: SUCCESS

@cwperks cwperks merged commit d015573 into opensearch-project:main Jun 23, 2025
30 of 31 checks passed
neuenfeldttj pushed a commit to neuenfeldttj/OpenSearch that referenced this pull request Jun 26, 2025
@cwperks
Create equivalents of JSM's AccessController in the java agent (opens…
972e303 
…earch-project#18346)

* Create OpenSearch replacements for widely used methods in AccessController

Signed-off-by: Craig Perkins <[email protected]>

* Fix javadoc

Signed-off-by: Craig Perkins <[email protected]>

* Remove getException

Signed-off-by: Craig Perkins <[email protected]>

* Remove other instance of apiNote

Signed-off-by: Craig Perkins <[email protected]>

* Modify javadoc and restart stuck CI checks

Signed-off-by: Craig Perkins <[email protected]>

* Remove mistakenly added line

Signed-off-by: Craig Perkins <[email protected]>

* Add to CHANGELOG

Signed-off-by: Craig Perkins <[email protected]>

* Address code review feedback

Signed-off-by: Craig Perkins <[email protected]>

* Use callable and runnable

Signed-off-by: Craig Perkins <[email protected]>

* Use Callable

Signed-off-by: Craig Perkins <[email protected]>

* Add checked equivalents to interface

Signed-off-by: Craig Perkins <[email protected]>

* Add throws IllegalArgumentException

Signed-off-by: Craig Perkins <[email protected]>

* Fix precommit

Signed-off-by: Craig Perkins <[email protected]>

* Show example of replacement in a module

Signed-off-by: Craig Perkins <[email protected]>

* Address code review comments

Signed-off-by: Craig Perkins <[email protected]>

* Fix precommit

Signed-off-by: Craig Perkins <[email protected]>

* Address code review comments

Signed-off-by: Craig Perkins <[email protected]>

* Create separate agent-api lib and remove compileOnlyApi

Signed-off-by: Craig Perkins <[email protected]>

* Re-use agent-policy lib

Signed-off-by: Craig Perkins <[email protected]>

* Address review comments

Signed-off-by: Craig Perkins <[email protected]>

* Move to secure_sm package

Signed-off-by: Craig Perkins <[email protected]>

* Fix conflicts in CHANGELOG

Signed-off-by: Craig Perkins <[email protected]>

---------

Signed-off-by: Craig Perkins <[email protected]>Signed-off-by: TJ Neuenfeldt <[email protected]>
neuenfeldttj pushed a commit to neuenfeldttj/OpenSearch that referenced this pull request Jun 26, 2025
@cwperks @neuenfeldttj
Create equivalents of JSM's AccessController in the java agent (opens…
bb56a31 
…earch-project#18346)

* Create OpenSearch replacements for widely used methods in AccessController

Signed-off-by: Craig Perkins <[email protected]>

* Fix javadoc

Signed-off-by: Craig Perkins <[email protected]>

* Remove getException

Signed-off-by: Craig Perkins <[email protected]>

* Remove other instance of apiNote

Signed-off-by: Craig Perkins <[email protected]>

* Modify javadoc and restart stuck CI checks

Signed-off-by: Craig Perkins <[email protected]>

* Remove mistakenly added line

Signed-off-by: Craig Perkins <[email protected]>

* Add to CHANGELOG

Signed-off-by: Craig Perkins <[email protected]>

* Address code review feedback

Signed-off-by: Craig Perkins <[email protected]>

* Use callable and runnable

Signed-off-by: Craig Perkins <[email protected]>

* Use Callable

Signed-off-by: Craig Perkins <[email protected]>

* Add checked equivalents to interface

Signed-off-by: Craig Perkins <[email protected]>

* Add throws IllegalArgumentException

Signed-off-by: Craig Perkins <[email protected]>

* Fix precommit

Signed-off-by: Craig Perkins <[email protected]>

* Show example of replacement in a module

Signed-off-by: Craig Perkins <[email protected]>

* Address code review comments

Signed-off-by: Craig Perkins <[email protected]>

* Fix precommit

Signed-off-by: Craig Perkins <[email protected]>

* Address code review comments

Signed-off-by: Craig Perkins <[email protected]>

* Create separate agent-api lib and remove compileOnlyApi

Signed-off-by: Craig Perkins <[email protected]>

* Re-use agent-policy lib

Signed-off-by: Craig Perkins <[email protected]>

* Address review comments

Signed-off-by: Craig Perkins <[email protected]>

* Move to secure_sm package

Signed-off-by: Craig Perkins <[email protected]>

* Fix conflicts in CHANGELOG

Signed-off-by: Craig Perkins <[email protected]>

---------

Signed-off-by: Craig Perkins <[email protected]>
This was referenced Jun 27, 2025
Open
Open
tandonks pushed a commit to tandonks/OpenSearch that referenced this pull request Aug 5, 2025
@cwperks @tandonks
Create equivalents of JSM's AccessController in the java agent (opens…
8ffc818 
…earch-project#18346)

* Create OpenSearch replacements for widely used methods in AccessController

Signed-off-by: Craig Perkins <[email protected]>

* Fix javadoc

Signed-off-by: Craig Perkins <[email protected]>

* Remove getException

Signed-off-by: Craig Perkins <[email protected]>

* Remove other instance of apiNote

Signed-off-by: Craig Perkins <[email protected]>

* Modify javadoc and restart stuck CI checks

Signed-off-by: Craig Perkins <[email protected]>

* Remove mistakenly added line

Signed-off-by: Craig Perkins <[email protected]>

* Add to CHANGELOG

Signed-off-by: Craig Perkins <[email protected]>

* Address code review feedback

Signed-off-by: Craig Perkins <[email protected]>

* Use callable and runnable

Signed-off-by: Craig Perkins <[email protected]>

* Use Callable

Signed-off-by: Craig Perkins <[email protected]>

* Add checked equivalents to interface

Signed-off-by: Craig Perkins <[email protected]>

* Add throws IllegalArgumentException

Signed-off-by: Craig Perkins <[email protected]>

* Fix precommit

Signed-off-by: Craig Perkins <[email protected]>

* Show example of replacement in a module

Signed-off-by: Craig Perkins <[email protected]>

* Address code review comments

Signed-off-by: Craig Perkins <[email protected]>

* Fix precommit

Signed-off-by: Craig Perkins <[email protected]>

* Address code review comments

Signed-off-by: Craig Perkins <[email protected]>

* Create separate agent-api lib and remove compileOnlyApi

Signed-off-by: Craig Perkins <[email protected]>

* Re-use agent-policy lib

Signed-off-by: Craig Perkins <[email protected]>

* Address review comments

Signed-off-by: Craig Perkins <[email protected]>

* Move to secure_sm package

Signed-off-by: Craig Perkins <[email protected]>

* Fix conflicts in CHANGELOG

Signed-off-by: Craig Perkins <[email protected]>

---------

Signed-off-by: Craig Perkins <[email protected]>
@BrewTestBot BrewTestBot mentioned this pull request Aug 20, 2025
Merged
@Jorgesnchz Jorgesnchz mentioned this pull request Aug 22, 2025
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrross andrross andrross approved these changes

+1 more reviewer

@kumargu kumargu kumargu approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement Enhancement or improvement to existing feature or request Plugins

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Java Agent] Create OpenSearch replacement for AccessController.doPrivileged

3 participants

@cwperks @kumargu @andrross