-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert 'Added jackson dependency to server" and change extension reading #5768
Revert 'Added jackson dependency to server" and change extension reading #5768
Conversation
…on reading Signed-off-by: Ryan Bogan <rbogan@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
server/src/main/java/org/opensearch/extensions/ExtensionsManager.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Ryan Bogan <rbogan@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like it @ryanbogan, much cleaner
Signed-off-by: Ryan Bogan <rbogan@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Ryan Bogan <rbogan@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Ryan Bogan <rbogan@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Otherwise looks good! Thanks!
@@ -462,6 +463,7 @@ public void testVersionSetting() throws IOException { | |||
} | |||
} | |||
|
|||
@Ignore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can fix this test in the following way: Add a setter marked as package-private (no access flags) in the s
Settings class to modify the default. By that only a class from the same package can modify the default value, not code anywjere outside.
WARNING: If the fields to modify are final, don't test this at all, kill this test!
Failing test is flaky: #5766 |
I disagree with remove jackson-databind - pragmatically this is a considerable burden on all the plugin times migrated to get Jackson from OpenSearch. Regardless of our feelings of the quality of jackson-databind, it is still popular in the OpenSearch project, complete removal will require effort on the verge of a release. I suggest that all jackson dependencies should be transitively included by OpenSearch for security patching purposes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought there was a way to keep the dependency in without elevated the permissions in server, is this not the case?
For that we have BOM maven dependencies. You can have an Opensearch BOM that have fixed versions for jackson, but jackson-databind should never ever be in server's classpath. The problem here is: whe each plugin has its own JAR file in its private classpath (shiedled by classloader), there are no malicious interactions between the instances as each only sees its classloader. Without sandboxing, jackson-databind can easily be used to create malicious code if ask it to deserialize classes, also those in server core. So, if jackson-databind is in server's classpath there is a chance that a malicious plugin may deserialize and trigger updates in fields of classes values in server's classpath. If the plugin has its own copy of jackson databind, due to shielding it is not possible to update core's classes, especially when OpenSearch has moved to module system (Elasticsearch aleady did this). |
So please don't do this. Use a POM of opensearch to force versions for downstream code. |
Yes it works, but a plugin can still trick jackson-databind to access server's classes if it is not only in its private module/classloader. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought there was a way to keep the dependency in without elevated the permissions in server, is this not the case?
Yes it works, but a plugin can still trick jackson-databind to access server's classes if it is not only in its private module/classloader.
Well damn. Thanks for the details. Lets get this in
Signed-off-by: Ryan Bogan <rbogan@amazon.com>
Signed-off-by: Ryan Bogan <rbogan@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.5 2.5
# Navigate to the new working tree
pushd ../.worktrees/backport-2.5
# Create a new branch
git switch --create backport/backport-5768-to-2.5
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d22610b91729f596f273cdd44e836929f897f2e4
# Push it to GitHub
git push --set-upstream origin backport/backport-5768-to-2.5
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.5 Then, create a pull request where the |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-5768-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d22610b91729f596f273cdd44e836929f897f2e4
# Push it to GitHub
git push --set-upstream origin backport/backport-5768-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.x Then, create a pull request where the |
Hi,
I have to admit that without using the Java Module System, it is still possible that a plugin may change server's data using deep reflection, as only the module system prevents setAccessible() when the core does not "open" the module to specific submodules. So a stong deep reflection protection is only there if the Java moudle system is used (this was already suggested by @rmuir). But the revert is also useful to actually migrate to the module system, because if you don't use a dependency it should never ever be part of the "requires" clauses of a module. Sure, you could exclude it in the So my proposal to proceed would be:
|
@uschindler As an additional option to JMS, a handful of folks (w/@saratvemulapalli) are working on extracting an SDK out of OpenSearch (https://github.com/opensearch-project/opensearch-sdk-java) and stop plugins from taking direct dependencies on OpenSearch or executing in the same JVM. Ultimately that should allow full sandboxing of plugins (extensions), including by containerizing them or running them on something like firecracker vm. Lots of words in #2447. |
Signed-off-by: Ryan Bogan rbogan@amazon.com
Description
Reverts #5366. Changes extension reading to use SnakeYAML instead of jackson-databind
Issues Resolved
#5504
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.