Remove SecurityManager #111
Labels
enhancement
New feature or request
Comments
|
@dblock done, sorry but cannot add labels to it, whenever you have time please |
|
I suspect the surface area of this will be quite large. I'd be okay targeting 3.0.0? |
|
@nknize we could mark it as |
|
I'm not creating a 3.0 label yet, but I removed untriaged. Thanks! |
dblock
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It has been announced a while ago that
SecurityManageris going to be phased out from the JDK. The first step, the deprecation of theSecurityManager(JEP-411), has been landed in JDK 17 and issues the following warnings onOpenSearchbuilds or server startup:The JDK 18 pushes it even further and now fails on startup (see please https://bugs.openjdk.java.net/browse/JDK-8270380), running OpenSearch builds or server on JDK 18 EA fails with:
What is the problem? What is preventing you from meeting the requirements?
The OpenSearch primary protection mechanism against plugins abuse or misuse is built on top of
SecurityManager. It is very likely, it is going to be removed from the JDK-19+.What are you proposing? What do you suggest we do to solve the problem or improve the existing situation?
There is no alternative or replacement for the
SecurityManager. One of the options is to just drop it, it might be considered risky but combined with Plugin Sandbox (see please [1], [2]) it may sounds like a viable option.What are your assumptions or prerequisites?
It would be great to have Plugin Sandbox design (and ideally, implementation) finalized.
What are remaining open questions?
Basically, the main question is to drop or to replace (bytecode instrumentation? custom classloaders? java agent?).
OpenSearch
Plugins
[1] opensearch-project/OpenSearch#1572
[2] opensearch-project/OpenSearch#1422
The text was updated successfully, but these errors were encountered: