[Clone] [Security Manager Replacement] Native Java Agent #17517
base: main
❌ Gradle check result for 1b6692e: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
❌ Gradle check result for 2fcdd44: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: 2fcdd44 to 21e708c
❌ Gradle check result for 21e708c: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: 21e708c to e8aab30
❌ Gradle check result for e8aab30: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: e8aab30 to dbbef0e
❌ Gradle check result for dbbef0e: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: dbbef0e to 1923e2d
❌ Gradle check result for 1923e2d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: 1923e2d to 5cb1c07
❌ Gradle check result for 5cb1c07: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: 5cb1c07 to 51328a0
❌ Gradle check result for 51328a0: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: 51328a0 to 447c4a8
❌ Gradle check result for 447c4a8: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: 447c4a8 to 88f3d6f
❌ Gradle check result for 88f3d6f: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: 12d3cc3 to ae3e3c2
❌ Gradle check result for ae3e3c2: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: ae3e3c2 to a5c15b4
❌ Gradle check result for a5c15b4: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: a5c15b4 to 5a51029
❌ Gradle check result for 5a51029: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: 5a51029 to bfe165f
❌ Gradle check result for bfe165f: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
@peterzhuamazon would you know if I can run this check locally and fix it faster? Thanks!
Force-pushed: bfe165f to 1bc341c
Force-pushed: 6570221 to c4db178
❌ Gradle check result for c4db178: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: c4db178 to aa61d93
❌ Gradle check result for 03761a6: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Force-pushed: c8805a6 to f832563
❌ Gradle check result for f832563: null Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
@@ -52,19 +52,23 @@ public static void intercept(@Advice.AllArguments Object[] args, @Origin Method | |||
if (args[0] instanceof InetSocketAddress address) { | |||
if (!AgentPolicy.isTrustedHost(address.getHostString())) { | |||
final String host = address.getHostString() + ":" + address.getPort(); | |||
|
|||
final SocketPermission permission = new SocketPermission(host, "connect,resolve"); | |||
final SocketPermission connectResolve = new SocketPermission("*", "connect,resolve"); |
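Review bot: the `connectResolve` line at the end of this hunk builds the permission with `"*"` instead of the `host` string computed just above it, so the destination address and port no longer take part in the permission being constructed. Keep the host-scoped form, `new SocketPermission(host, "connect,resolve")`, so that a policy grant has to match the actual destination.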
@kumargu I think this is not the right fix: the host comes from policy and has to be matched.
you are right. I overlooked it while copying it from the policy.
Force-pushed: f832563 to c772cc5
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #17517      +/-   ##
============================================
- Coverage     72.43%   72.30%   -0.13%
- Complexity    65694    65877     +183
============================================
  Files          5311     5322      +11
  Lines        304937   306408    +1471
  Branches      44226    44574     +348
============================================
+ Hits         220872   221555     +683
- Misses        65912    66717     +805
+ Partials      18153    18136      -17
@reta thank you for pointing out the issue. Looks like all the Gradle checks passed.
Force-pushed: d5e1c00 to 1483b8b
❕ Gradle check result for 1483b8b: UNSTABLE
Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.
Signed-off-by: Gulshan Kumar <[email protected]>
Force-pushed: 1483b8b to e36c1e5
Commit sha: e36c1e5, Author: Gulshan, Committer: Gulshan; Expected "Gulshan [email protected]", but got "Gulshan Kumar [email protected]".
❌ Gradle check result for e36c1e5: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
@@ -25,7 +25,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), | |||
- Add filter function for AbstractQueryBuilder, BoolQueryBuilder, ConstantScoreQueryBuilder([#17409](https://github.com/opensearch-project/OpenSearch/pull/17409)) | |||
- [Star Tree] [Search] Resolving keyword & numeric bucket aggregation with metric aggregation using star-tree ([#17165](https://github.com/opensearch-project/OpenSearch/pull/17165)) | |||
- Added error handling support for the pull-based ingestion ([#17427](https://github.com/opensearch-project/OpenSearch/pull/17427)) | |||
|
|||
- A Java Agent for intercepting socket operation and enforcing a security policy to it. |
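Review bot: the new changelog entry on the last line of this hunk has no pull request reference, while each entry above it ends with one in the form `([#17427](…))`. Append the link for this PR (#17517) and drop the trailing period so the line matches its neighbours; "socket operation" would also read better in the plural.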
- A Java Agent for intercepting socket operation and enforcing a security policy to it. | |
- A Java Agent for intercepting socket operation and enforcing a security policy to it ([#17517](https://github.com/opensearch-project/OpenSearch/pull/17517)) |
ack
|
||
final SocketPermission permission = new SocketPermission(host, "connect,resolve"); | ||
final SocketPermission connectResolve = new SocketPermission(host, "connect,resolve"); | ||
final SocketPermission listenResolve = new SocketPermission(host, "listen,resolve"); |
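Review bot: `listenResolve` requests the `listen` action on the same `host` string that `connectResolve` uses, and nothing in these lines says which call path needs it. Add a comment naming the operation that requires `listen` on this address, or drop the line; note also that the `permission` and `connectResolve` lines construct the same permission, so the rename by itself changes no behaviour.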
@kumargu I am not sure what exactly you are trying to fix here: we are intercepting SocketChannel:connect only, which connects to a remote address. The listen is not applicable here, we are not listening on a socket (this is ServerSocketChannel's responsibility). Could you please clarify this change?
I was trying to fix this test failure. Looking at the trace, I think it fails while attempting "listen & resolve" from localhost:0.
I had a similar assumption that we are only dealing with SocketChannel:connect, but all my efforts to just play around with the policy file didn't work out, and this particular does seem to work.
Thanks @kumargu, I will take a look shortly.
thanks.
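The matching behaviour behind the two review threads above (the requested host has to be matched against the policy grant, and `listen` is a separate action from `connect`), shown with the JDK's own `SocketPermission.implies` logic. This is an added example, not code from this pull request: the class and helper names are hypothetical, and the policy grants and 192.0.2.x addresses are constructed for illustration.

```java
import java.net.InetSocketAddress;
import java.net.SocketPermission;
import java.security.PermissionCollection;
import java.security.Permissions;

public class SocketPermissionMatching {
    // Constructed policy grant: one host/port pattern with the given actions.
    static PermissionCollection policyOf(String host, String actions) {
        PermissionCollection granted = new Permissions();
        granted.add(new SocketPermission(host, actions));
        return granted;
    }

    // Requested permission built from the real destination, like the `host` string in the hunk.
    static SocketPermission requestFor(InetSocketAddress address, String actions) {
        return new SocketPermission(address.getHostString() + ":" + address.getPort(), actions);
    }

    // Fails loudly if the JDK's answer differs from the one this example relies on.
    static void expect(String label, boolean actual, boolean wanted) {
        if (actual != wanted) throw new AssertionError(label + ": got " + actual);
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // IP literals from the documentation range keep SocketPermission from doing DNS lookups.
        InetSocketAddress allowed = InetSocketAddress.createUnresolved("192.0.2.10", 9300);
        InetSocketAddress other = InetSocketAddress.createUnresolved("192.0.2.99", 9300);
        PermissionCollection scoped = policyOf("192.0.2.10:9300", "connect,resolve");
        PermissionCollection open = policyOf("*", "connect,resolve");

        expect("scoped policy, granted host", scoped.implies(requestFor(allowed, "connect,resolve")), true);
        expect("scoped policy, other host", scoped.implies(requestFor(other, "connect,resolve")), false);

        // A wildcard *request* is not implied by a host-scoped grant, and under a
        // wildcard grant it passes without the destination ever being examined.
        SocketPermission wildcardRequest = new SocketPermission("*", "connect,resolve");
        expect("scoped policy, wildcard request", scoped.implies(wildcardRequest), false);
        expect("open policy, wildcard request", open.implies(wildcardRequest), true);

        // A connect grant does not cover listen, even for the same host and port.
        expect("scoped policy, listen request", scoped.implies(requestFor(allowed, "listen,resolve")), false);
    }
}
```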
Clone of original implementation of Java agent
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.