Blogpost for Introduction to OpenSearch Plugins #526
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
I like it. Needs a thorough grammar pass, but the content is good.
Make links stable to a version of OpenSearch, maybe 1.2 tag.
categories: | ||
- technical-post | ||
twittercard: | ||
description: "This post walks through how plugins work in OpenSearch and how a custom Java Security Manager handle the security of OpenSearch." |
handleS
also maybe JSM doesn't "handle the security" and it's kind-a odd to mention it here so maybe just "This post contains an overview of how OpenSearch plugins are loaded and interact with Java Security Manager."
--- | ||
|
||
|
||
OpenSearch enables extending core features via plugins. Plugins are empowered to access all extensible features of OpenSearch and extend them. In this blog post we wanted to unbox the plugin architecture and help understand how they work. |
Comma before, and help
|
||
## Pluggable Architecture | ||
|
||
Plugins in OpenSearch bring in modular architecture and enable developing/managing a large code base easier. The [blog post](https://logz.io/blog/opensearch-plugins/) from our partner [Logz.io](http://logz.io/) really helps understand why pluggable architecture is important and how the architecture works. |
remove "really", add a comma before, and how
|
||
## Extension Points | ||
|
||
The architecture is built for plugins to hook onto various extension points with in the code base and subscribe to notifications/events they are interested in. There are a bunch of extension points few are default for all plugins and the rest are custom defined by few plugin interfaces. |
within
The last sentence doesn't quite make sense to me.
Sure, see if it makes sense now.
|
||
|
||
* `getFeature` - Could be used to implement a custom feature and respond to Cluster state API. | ||
* `createGuiceModules` - Node level guice modules. |
Explain what guice is
It's very hard to explain guice, but put it in generic terms.
|
||
OpenSearch bundle comes with a tool `./bin/opensearch-plugin` which helps to install a plugin. [PluginCli](https://github.com/opensearch-project/OpenSearch/blob/main/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/PluginCli.java) reads and validates `plugin-descriptor.properties` file packaged with every plugin. For example, OpenSearch security plugin defines [plugin-descriptor.properties](https://github.com/opensearch-project/security/blob/main/plugin-descriptor.properties) file which defines a bunch of parameters, and tool verifies if it is using the right version of OpenSearch, and the dependencies are present. | ||
|
||
Also the tool verifies `plugin-security.policy` file, which is defined by the plugin which needs an additional security permissions. For example, OpenSearch security plugin defines a bunch of permissions it needs through [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post. |
bunch -> many, ... or maybe something else more specific
|
||
Also the tool verifies `plugin-security.policy` file, which is defined by the plugin which needs an additional security permissions. For example, OpenSearch security plugin defines a bunch of permissions it needs through [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post. | ||
|
||
After the tool verifies the plugin is valid, it copies all jars and put them into `plugins` directory. |
verifies the plugin is valid -> validates the plugin
and put them into -> into
|
||
### Loading a plugin | ||
|
||
Plugins run within the same process as OpenSearch. As OpenSearch process is bootstraps, it initializes [PluginService](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/plugins/PluginsService.java#L124) via [Node.java](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/node/Node.java#L392). All plugins are class-loaded via [loadPlugin](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/plugins/PluginsService.java#L765:20) during the bootstrap of PluginService. |
bootstrapped
|
||
### Plugins vs Modules | ||
|
||
As you might have noticed, OpenSearch defines [plugins](https://github.com/opensearch-project/OpenSearch/tree/main/plugins) and [modules](https://github.com/opensearch-project/OpenSearch/tree/main/modules) differently. The main difference is modules are [automatically loaded](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/plugins/PluginsService.java#L163) in an OpenSearch node and are packaged with `opensearch-min` artifact. On the flip side, plugins are not automatically packaged and have to manually installed. |
flipside
|
||
### **Benefit of Security Manager for Plugins** | ||
|
||
* Plugins can create a `plugin-secruity.policy` ``file and write dynamic configuration and permissions required to run from OpenSearch Cluster. |
something off with quotes
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>
Good post but needs some work, especially around grammar and consistency. I probably missed some points so after you revise, I'd like another round to review once it's more cohesive.
categories: | ||
- technical-post | ||
twittercard: | ||
description: "This post contains an overview of how OpenSearch plugins are loaded and interact with Java Security Manager." |
Spend a little more time on the description. Usually, it's good if the twitter card and the first paragraph are similar, if not the same. The goal is to entice the reader.
Sure
--- | ||
|
||
|
||
OpenSearch enables extending core features via plugins. Plugins are empowered to access all extensible features of OpenSearch and extend them. In this blog post we wanted to unbox the plugin architecture, and help understand how they work. |
This needs a little work.
- 'extending', 'extensible', and 'extend' are all similar terms and they appear really close together.
- 'help understand how they work' doesn't grammatically fit with 'we wanted to...'
- what is a 'core feature'?
- As a reader, I don't understand why I should read on - that's the job of the first paragraph.
Thanks for that. I did try to rephrase it to avoid repeating terms.
|
||
## Pluggable Architecture | ||
|
||
Plugins in OpenSearch bring in modular architecture and enable developing/managing a large code base easier. The [blog post](https://logz.io/blog/opensearch-plugins/) from our partner [Logz.io](http://logz.io/) helps understand why pluggable architecture is important, and how the architecture works. |
- Tighten up the first sentence.
- The plugins don't bring in the modular architecture, they are part of it.
- 'enable' doesn't match with 'easier'
- rephrase 'our partner' to something else (maybe "OpenSearch partner" or "project partner"). The collective in this post should refer to the authors, so Logz isn't Sarat and Owais' partner ;)
- 'The blog post' doesn't 'helps understand why', it does 'describes'
- the comma before the 'and' isn't needed if it's not a list.
|
||
Plugins in OpenSearch bring in modular architecture and enable developing/managing a large code base easier. The [blog post](https://logz.io/blog/opensearch-plugins/) from our partner [Logz.io](http://logz.io/) helps understand why pluggable architecture is important, and how the architecture works. | ||
|
||
The Plugin architecture is designed to enable solving specific problems and extending generic features. For example, [Anomaly Detection](https://github.com/opensearch-project/anomaly-detection) plugin reads time stream data ingested and finds anomalies. Another example is [Job Scheduler](https://github.com/opensearch-project/job-scheduler) plugin which schedules and runs generic jobs. |
- "Plugin" is capitalized irregularly throughout the blog. It should be lower case unless starting a sentence.
- 'Anomaly Detection plugin' should just be 'Anomaly Detection' or use a definite article in front of it, same for job scheduler.
|
||
The Plugin architecture is designed to enable solving specific problems and extending generic features. For example, [Anomaly Detection](https://github.com/opensearch-project/anomaly-detection) plugin reads time stream data ingested and finds anomalies. Another example is [Job Scheduler](https://github.com/opensearch-project/job-scheduler) plugin which schedules and runs generic jobs. | ||
|
||
Plugins are of various types, generally could be categorized as: |
be more active: 'could' into 'can'
|
||
Java applications are prone to have vulnerabilities on a remote cluster or by a DDoS attack. To prevent this, JVM can be run in a sandbox mode which will prevent, for example: access to the local hard disk or the network. All of these are handled by the Security Manager. | ||
|
||
### How is it used in OpenSearch? |
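Review bot: The opening sentence of the Security Manager paragraph, "Java applications are prone to have vulnerabilities on a remote cluster or by a DDoS attack", does not name a threat that the rest of the paragraph addresses. The examples that follow are blocking access to the local hard disk and the network, which is about limiting what code inside the JVM may do, not about DDoS. Suggest replacing the sentence with one that states that limit directly, so "To prevent this" has something concrete to refer to.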
how is what used?
### How is it used in OpenSearch? | ||
|
||
1. As OpenSearch bundles a few plugins, every plugin can define its own custom security policy file which will be installed at the same time when OpenSearch is installing the plugin. | ||
2. Security Manager is initialized in [Opensearch.java](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearch.java#L91) and every plugin has a custom policy file called [plugin-secruity.policy](https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy). |
See previous note about line number links
|
||
1. As OpenSearch bundles a few plugins, every plugin can define its own custom security policy file which will be installed at the same time when OpenSearch is installing the plugin. | ||
2. Security Manager is initialized in [Opensearch.java](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearch.java#L91) and every plugin has a custom policy file called [plugin-secruity.policy](https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy). | ||
3. The [getPolicy()](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearchPolicy.java#L77-L79) method will take care of assigning the initial default policies required for the plugins and [setPolicy()](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/Security.java#L134) method will assign the custom policies of the plugins present in `plugin-secruity.policy`. |
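Review bot: `plugin-secruity.policy` is misspelled in item 2 (link text) and item 3 (inline code), while the link target in item 2 is `plugin-security.policy`. Fix both, since a reader copying the file name from the post would end up with the wrong name. Item 3 would also read more clearly if it said which policy applies to which code: "initial default policies required for the plugins" and "custom policies of the plugins" currently both sound like plugin policy.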
See previous note about line number links
2. Security Manager is initialized in [Opensearch.java](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearch.java#L91) and every plugin has a custom policy file called [plugin-secruity.policy](https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy). | ||
3. The [getPolicy()](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearchPolicy.java#L77-L79) method will take care of assigning the initial default policies required for the plugins and [setPolicy()](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/Security.java#L134) method will assign the custom policies of the plugins present in `plugin-secruity.policy`. | ||
4. Each custom security policy file is signed and has a codebase which is a signed key between OpenSearch and the plugin. | ||
5. Each security policy can be attached via gradle plugin [opensearch.opensearchplugin](https://github.com/opensearch-project/anomaly-detection/blob/main/build.gradle#L94) in the `build.gradle` file of the plugin. |
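Review bot: Item 4 calls the codebase "a signed key between OpenSearch and the plugin", which mixes two separate things. In a Java policy file a `codeBase` is the location the granted code is loaded from, and signing is expressed separately. The sentence should either describe the codebase as that location or drop the signing claim, unless the post can link to where a policy file's signature is checked.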
See previous note about line number links
|
||
## Closing Notes | ||
|
||
We hope this post helps unbox the mystery of how plugins work within OpenSearch. Now that you learnt how plugins work and what their limitations are, let us know if you have any feedback or would like new features in plugin architecture. |
Closing needs a specific call-to-action: what should the reader do next?
That's a good point.
See if this is better. Ideally what we would want is community developing more plugins, and put thoughts on how the next generation plugin architecture should be.
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
…ect-website into plugin-blogpost
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
Much improved! It's really coming together. A few little points to address but we're 95% good.
description: "OpenSearch enables enhancing core features in a custom way via Plugins. In this blog post we wanted to unbox how plugins load, install, and run in OpenSearch..." | ||
--- | ||
|
||
OpenSearch enables enhancing core features in a custom way via plugins. For example, plugins could add custom mapping types, engine scripts etc. In this blog post we wanted to unbox how plugins load, install, and run in OpenSearch. |
scripts , etc.
|
||
The Plugin architecture is designed to enable solving specific problems and extending generic features. For example, [Anomaly Detection](https://github.com/opensearch-project/anomaly-detection) reads time stream data ingested and finds anomalies. Another example is [Job Scheduler](https://github.com/opensearch-project/job-scheduler) plugin which schedules and runs generic jobs. | ||
|
||
Plugins are of various types, generally can be categorized as: |
drop 'can be'
|
||
## Extension Points | ||
|
||
The architecture is designed for plugins to hook onto various points within the OpenSearch code base. Plugins can subscribe to notifications/events they are interested in via these extension points. |
'Plugins can subscribe to notifications/events they are interested in via these extension points.'
Rephrase that - plugins are not interested in anything (anthropomorphism).
Maybe something like "Plugins can subscribe to relevant notifications/events via these extension points."
## Extension Points | ||
|
||
The architecture is designed for plugins to hook onto various points within the OpenSearch code base. Plugins can subscribe to notifications/events they are interested in via these extension points. | ||
The `Plugin.java` defines a list default extension points. |
The Plugin.java file defines a list default extension points.
The default extension points are defined by [Plugin.java](https://github.com/opensearch-project/OpenSearch/blob/1.2/server/src/main/java/org/opensearch/plugins/Plugin.java#L90) abstract class: | ||
|
||
|
||
* `getFeature` - Could be used to implement a custom feature and respond to cluster state API. |
Is there an important reason why you need "Could be"? Like, is this optional?
Seems like "Used to implement a custom feature and respond to cluster state API." seems to have the same meaning without being wishy/washy.
|
||
The OpenSearch bundle comes with a tool `./bin/opensearch-plugin` which installs a plugin. [PluginCli](https://github.com/opensearch-project/OpenSearch/blob/main/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/PluginCli.java) reads and validates `plugin-descriptor.properties` file packaged with every plugin. For example, the OpenSearch security plugin defines the [plugin-descriptor.properties](https://github.com/opensearch-project/security/blob/main/plugin-descriptor.properties) file which defines a bunch of parameters, and the tool verifies if it is using the compatible version of OpenSearch, and the dependencies are present. | ||
|
||
Also, the tool verifies the `plugin-security.policy` file, defined by the plugin which needs additional security permissions. For example, the OpenSearch security plugin defines many permissions like file read/write, classloading or networking that it needs through the [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post. |
'and have more details later in this post' doesn't make grammatical sense. I think I would just drop "and have" and make the rest parenthetical.
|
||
Also, the tool verifies the `plugin-security.policy` file, defined by the plugin which needs additional security permissions. For example, the OpenSearch security plugin defines many permissions like file read/write, classloading or networking that it needs through the [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post. | ||
|
||
After the tool validates the plugin, it copies all jars into `plugins` directory. |
- the `plugins` directory
- Did you want this to be a new paragraph? It renders as single paragraph with one carriage return.
Also, the tool verifies the `plugin-security.policy` file, defined by the plugin which needs additional security permissions. For example, the OpenSearch security plugin defines many permissions like file read/write, classloading or networking that it needs through the [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post. | ||
|
||
After the tool validates the plugin, it copies all jars into `plugins` directory. | ||
By default, opensearch-min artifact does not package any plugins including the [native plugins](https://github.com/opensearch-project/OpenSearch/tree/main/plugins) which exist in the OpenSearch code base. |
`opensearch-min` is not used very frequently. It might be more user friendly if you change "opensearch-min artifact" to "the OpenSearch Minimum distribution"
``` | ||
|
||
As the plugins are class-loaded during the node bootstrap, the extension points (defined by the plugin interface) initialize the data structures. | ||
This design of loading plugins during the node bootstrap prevents them to be loaded on the fly and cannot be hot swapped. Each node within the cluster has to be restarted to load a new plugin. |
'to be loaded' -> 'being loaded'
948ebee to 8ff2605
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
8ff2605 to c005cff
Some tiny issues with spacing that I will solve before publishing but otherwise LGTM.
Thanks for the time on this @owaiskazi19 and @saratvemulapalli!
Definitely change bundle -> distribution and correct typos. Please consider everything else.
|
||
## Pluggable Architecture | ||
|
||
The modular architecture in OpenSearch makes it easier to develop on a large code base (4.5MM lines). The [blog post](https://logz.io/blog/opensearch-plugins/) from OpenSearch partner [Logz.io](http://logz.io/) describes why pluggable architecture is important and how plugins can be developed. |
`code base` is spelled as one word, `codebase`, couple of instances
The default extension points are defined by [Plugin.java](https://github.com/opensearch-project/OpenSearch/blob/1.2/server/src/main/java/org/opensearch/plugins/Plugin.java#L90) abstract class: | ||
|
||
|
||
* `getFeature` - Used to implement a custom feature and respond to cluster state API. |
Normalize language here? We have "Used to implement...", "Implement", "Modify" or "Custom xyz", sounds like everything should be either a verb or a noun.
* `getRoles` - Implement additional DiscoveryNodeRole’s. | ||
* `getAdditionalIndexSettingProviders` - Implement additional index level settings for newly created indices. | ||
|
||
Custom plugin interfaces can define new extension points for plugins to hook onto. For example, the [Engine Plugin](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/plugins/EnginePlugin.java) interface could be used to provide additional implementations to the core engine, expose a hook to [node bootstrap](https://github.com/opensearch-project/OpenSearch/blob/1.2/server/src/main/java/org/opensearch/node/Node.java#L577) to load the custom `engineFactory` and the [Index Service](https://github.com/opensearch-project/OpenSearch/blob/1.2/server/src/main/java/org/opensearch/indices/IndicesService.java#L763) overrides it if plugin chooses to override. |
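Review bot: In the Engine Plugin sentence the `EnginePlugin.java` link still points at `main`, while the node bootstrap and Index Service links beside it are pinned to `1.2` with line anchors. Pin all three to the same tag so the line numbers keep pointing at the code being described.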
could be used -> can be used
|
||
## How do plugins work? | ||
|
||
As you might have used plugins in the OpenSearch bundle. There are two parts for plugins to work with OpenSearch: Installing a plugin, and Loading a plugin. |
bundle -> distribution everywhere
There are two parts for plugins to work with OpenSearch: Installing a plugin, and Loading a plugin.
Not so English. Maybe "Plugins are installed and loaded when OpenSearch starts."
Sounds simpler, I like it. Sure.
|
||
The OpenSearch bundle comes with a tool `./bin/opensearch-plugin` which installs a plugin. [PluginCli](https://github.com/opensearch-project/OpenSearch/blob/main/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/PluginCli.java) reads and validates `plugin-descriptor.properties` file packaged with every plugin. For example, the OpenSearch security plugin defines the [plugin-descriptor.properties](https://github.com/opensearch-project/security/blob/main/plugin-descriptor.properties) file which defines a bunch of parameters, and the tool verifies if it is using the compatible version of OpenSearch, and the dependencies are present. | ||
|
||
Also, the tool verifies the `plugin-security.policy` file, defined by the plugin which needs additional security permissions. For example, the OpenSearch security plugin defines many permissions like file read/write, classloading or networking that it needs through the [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager(more details later in this post).After the tool validates the plugin, it copies all jars into the `plugins` directory. By default, the OpenSearch Minimum distribution does not package any plugins including the [native plugins](https://github.com/opensearch-project/OpenSearch/tree/main/plugins) which exist in the OpenSearch code base. |
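Review bot: "the tool verifies the `plugin-security.policy` file" does not say what is checked or what the operator is shown. Since the example permissions are file read/write, classloading and networking, state what happens at install time when a plugin requests them, so readers know whether installation is the point at which those grants get reviewed. The `PluginCli`, `plugin-descriptor.properties` and `plugin-security.policy` links in this hunk also still target `main` rather than a tagged version.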
Remove Also,
Add space before (more details ...
|
||
### **Benefit of Security Manager for Plugins** | ||
|
||
* Plugins can create a `plugin-secruity.policy` file and write dynamic configuration and permissions required to run from OpenSearch Cluster. |
It's just one item, maybe combine with above?
|
||
### How Security Manager is used in OpenSearch? | ||
|
||
1. As OpenSearch bundles a few plugins, every plugin can define its own custom security policy file which will be installed at the same time when OpenSearch is installing the plugin. |
We didn't use numbering above, maybe just remove the numbers?
Makes sense. Moved to bullets.
|
||
## Closing Notes | ||
|
||
We hope this post helps unbox the mystery of how plugins work within OpenSearch. Now that you learnt how plugins work and their limitations, we would love to see you getting your hands dirty and develop plugins for OpenSearch. |
I don't love "mystery", would say "We hope this post helped explain how plugins work within OpenSearch".
Then, repeating ourselves "Now that you learnt ...", which should be "learned", is redundant, and getting -> get.
I would just say: "We would love to see you get your hands dirty, and develop a new plugin for OpenSearch."
Haha sure.
## Closing Notes | ||
|
||
We hope this post helps unbox the mystery of how plugins work within OpenSearch. Now that you learnt how plugins work and their limitations, we would love to see you getting your hands dirty and develop plugins for OpenSearch. | ||
Looking forward, we are thinking about solving the limitations in plugin architecture and would love your [feedback/thoughts](https://github.com/opensearch-project/OpenSearch/issues/1422). |
love -> ask you for your feedback in OpenSearch#1422.
We hope this post helps unbox the mystery of how plugins work within OpenSearch. Now that you learnt how plugins work and their limitations, we would love to see you getting your hands dirty and develop plugins for OpenSearch. | ||
Looking forward, we are thinking about solving the limitations in plugin architecture and would love your [feedback/thoughts](https://github.com/opensearch-project/OpenSearch/issues/1422). | ||
|
||
In the coming days, lookout for a follow-up post soon on intro to plugins with OpenSearch Dashboards. |
lookout -> look out
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>
LGTM
LGTM. Let's update the date based on when the blog will go live.
@elfisher I can make that change at the time of publishing (it's a typical problem - publish date is unpredictable). If you're ok with this otherwise, I think we should proceed.
@stockholmux / @elfisher let us know if you'd like us to make the change. If so, when will this blog be published?
@saratvemulapalli I'm going to make the changes and publish today.
Change will be made prior to publish
Signed-off-by: Owais Kazi owaiskazi19@gmail.com
Description
Blogpost for Introduction to OpenSearch Plugins and how a custom Java Security Manager handles the security of OpenSearch.
Issues Resolved
#446
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the BSD-3-Clause License.