[Feature Request] org.opensearch.bootstrap.Security should support codebase for JAR files with classifiers #12581

Closed
reta opened this issue Mar 11, 2024 · 0 comments · Fixed by #12586
Labels: enhancement, Other, v2.13.0, v3.0.0

reta commented Mar 11, 2024

Is your feature request related to a problem? Please describe

The issue came up while integrating the OpenSearch test scaffolding with the security plugin. The org.opensearch.bootstrap.Security analyzes the classpath and injects the codebase.* system property for each JAR entry found (so it could be referenced in security policy files), for example:

...

grant codeBase "${codebase.zstd-jni}" {
  permission java.lang.RuntimePermission "loadLibrary.*";
};

grant codeBase "${codebase.jna}" {
  // for registering native methods
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};

...

The codebase.* suffix is constructed from the JAR file name by stripping the version (and .jar extension). However, this causes issues when the same artifacts are referenced with classifiers, for example:

  • netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar and netty-tcnative-boringssl-static-2.0.61.Final.jar
  • kafka-server-common-3.6.1-test.jar and kafka-server-common-3.6.1.jar

Although different, these artifacts are folded into the same codebase suffix, causing the bootstrap process to fail.

Describe the solution you'd like

Add support for artifacts (JARs) with classifiers so they could be distinguished (and also referenced in security policy): codebase.*@<classifier>. For example:

grant codeBase "${codebase.netty-tcnative-boringssl-static@linux-x86_64}" {
  ...
};

grant codeBase "${codebase.kafka-server-common@test}" {
  ...
};

Related component

Security

Describe alternatives you've considered

N.A

Additional context

opensearch-project/security#4077

@reta reta added enhancement Enhancement or improvement to existing feature or request untriaged labels Mar 11, 2024
@github-actions github-actions bot added the Other label Mar 11, 2024
@reta reta removed the untriaged label Mar 11, 2024
@reta reta self-assigned this Mar 11, 2024
@reta reta added v3.0.0 Issues and PRs related to version 3.0.0 v2.13.0 Issues and PRs related to version 2.13.0 labels Mar 11, 2024
@bbarani bbarani moved this to Features in Test roadmap format Apr 9, 2024
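
The collision described in the issue and the proposed `codebase.*@<classifier>` naming, as an added illustration that is not OpenSearch's own code. The class `CodebaseNames`, its methods and the file-name pattern are hypothetical; the pattern assumes `<artifact>-<version>[-<classifier>].jar` with no hyphen inside the version.

```java
import java.util.*;
import java.util.function.Function;
import java.util.regex.*;

public class CodebaseNames {
    // Assumption: <artifact>-<version>[-<classifier>].jar, version = digits.digits plus non-hyphen chars.
    private static final Pattern JAR =
        Pattern.compile("^(.+?)-(\\d+\\.\\d+[^-]*)(?:-(.+))?\\.jar$");

    // Naming as the issue describes it today: version and .jar stripped, classifier lost.
    static String versionStrippedKey(String jar) {
        Matcher m = JAR.matcher(jar);
        return "codebase." + (m.matches() ? m.group(1) : jar.replaceFirst("\\.jar$", ""));
    }

    // Naming the issue proposes: codebase.<artifact>@<classifier> when a classifier is present.
    static String classifierAwareKey(String jar) {
        Matcher m = JAR.matcher(jar);
        if (!m.matches() || m.group(3) == null) return versionStrippedKey(jar);
        return "codebase." + m.group(1) + "@" + m.group(3);
    }

    // Groups JARs by property name and keeps only names claimed by more than one JAR.
    static Map<String, List<String>> collisions(List<String> jars, Function<String, String> keyFn) {
        Map<String, List<String>> byKey = new TreeMap<>();
        for (String jar : jars) {
            byKey.computeIfAbsent(keyFn.apply(jar), k -> new ArrayList<>()).add(jar);
        }
        byKey.values().removeIf(claimants -> claimants.size() < 2);
        return byKey;
    }

    public static void main(String[] args) {
        // The four file names quoted in the issue.
        List<String> jars = List.of(
            "netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar",
            "netty-tcnative-boringssl-static-2.0.61.Final.jar",
            "kafka-server-common-3.6.1-test.jar",
            "kafka-server-common-3.6.1.jar");
        System.out.println("version-stripped collisions: " + collisions(jars, CodebaseNames::versionStrippedKey));
        System.out.println("classifier-aware collisions: " + collisions(jars, CodebaseNames::classifierAwareKey));
        for (String jar : jars) {
            System.out.println(jar + " -> " + classifierAwareKey(jar));
        }
    }
}
```

Under this assumed pattern a hyphenated version suffix would be read as a classifier, so a check like `collisions` is worth running against the real classpath listing before relying on the derived names in a policy file.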