Blogpost for Introduction to OpenSearch Plugins #526

Merged
merged 11 commits into from
Dec 2, 2021

owaiskazi19

Signed-off-by: Owais Kazi owaiskazi19@gmail.com

Description

Blogpost for Introduction to OpenSearch Plugins and how a custom Java Security Manager handles the security of OpenSearch.

Issues Resolved

#446

Check List

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the BSD-3-Clause License.

Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>

@dblock dblock left a comment

I like it. Needs a thorough grammar pass, but the content is good.

Make links stable to a version of OpenSearch, maybe 1.2 tag.

categories:
- technical-post
twittercard:
description: "This post walks through how plugins work in OpenSearch and how a custom Java Security Manager handle the security of OpenSearch."

handleS

also maybe JSM doesn't "handle the security" and it's kind-a odd to mention it here so maybe just "This post contains an overview of how OpenSearch plugins are loaded and interact with Java Security Manager."

---


OpenSearch enables extending core features via plugins. Plugins are empowered to access all extensible features of OpenSearch and extend them. In this blog post we wanted to unbox the plugin architecture and help understand how they work.

Comma before, and help


## Pluggable Architecture

Plugins in OpenSearch bring in modular architecture and enable developing/managing a large code base easier. The [blog post](https://logz.io/blog/opensearch-plugins/) from our partner [Logz.io](http://logz.io/) really helps understand why pluggable architecture is important and how the architecture works.

remove "really", add a comma before, and how


## Extension Points

The architecture is built for plugins to hook onto various extension points with in the code base and subscribe to notifications/events they are interested in. There are a bunch of extension points few are default for all plugins and the rest are custom defined by few plugin interfaces.

within

The last sentence doesn't quite make sense to me.

Sure, see if it makes sense now.



* `getFeature` - Could be used to implement a custom feature and respond to Cluster state API.
* `createGuiceModules` - Node level guice modules.

Explain what guice is

It's very hard to explain guice, but put it in generic terms.


OpenSearch bundle comes with a tool `./bin/opensearch-plugin` which helps to install a plugin. [PluginCli](https://github.com/opensearch-project/OpenSearch/blob/main/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/PluginCli.java) reads and validates `plugin-descriptor.properties` file packaged with every plugin. For example, OpenSearch security plugin defines [plugin-descriptor.properties](https://github.com/opensearch-project/security/blob/main/plugin-descriptor.properties) file which defines a bunch of parameters, and tool verifies if it is using the right version of OpenSearch, and the dependencies are present.

Also the tool verifies `plugin-security.policy` file, which is defined by the plugin which needs an additional security permissions. For example, OpenSearch security plugin defines a bunch of permissions it needs through [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post.

bunch -> many, ... or maybe something else more specific


Also the tool verifies `plugin-security.policy` file, which is defined by the plugin which needs an additional security permissions. For example, OpenSearch security plugin defines a bunch of permissions it needs through [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post.

After the tool verifies the plugin is valid, it copies all jars and put them into `plugins` directory.

verifies the plugin is valid -> validates the plugin

and put them into -> into


### Loading a plugin

Plugins run within the same process as OpenSearch. As OpenSearch process is bootstraps, it initializes [PluginService](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/plugins/PluginsService.java#L124) via [Node.java](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/node/Node.java#L392). All plugins are class-loaded via [loadPlugin](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/plugins/PluginsService.java#L765:20) during the bootstrap of PluginService.

bootstrapped


### Plugins vs Modules

As you might have noticed, OpenSearch defines [plugins](https://github.com/opensearch-project/OpenSearch/tree/main/plugins) and [modules](https://github.com/opensearch-project/OpenSearch/tree/main/modules) differently. The main difference is modules are [automatically loaded](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/plugins/PluginsService.java#L163) in an OpenSearch node and are packaged with `opensearch-min` artifact. On the flip side, plugins are not automatically packaged and have to manually installed.

flipside


### **Benefit of Security Manager for Plugins**

* Plugins can create a `plugin-secruity.policy` ``file and write dynamic configuration and permissions required to run from OpenSearch Cluster.

something off with quotes

owaiskazi19 and others added 4 commits November 24, 2021 14:09
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>

@stockholmux stockholmux left a comment

Good post but needs some work, especially around grammar and consistency. I probably missed some points so after you revise, I'd like another round to review once it's more cohesive.

categories:
- technical-post
twittercard:
description: "This post contains an overview of how OpenSearch plugins are loaded and interact with Java Security Manager."

Spend a little more time on the description. Usually, it's good if the twitter card and the first paragraph are similar, if not the same. The goal is to entice the reader.

Sure

---


OpenSearch enables extending core features via plugins. Plugins are empowered to access all extensible features of OpenSearch and extend them. In this blog post we wanted to unbox the plugin architecture, and help understand how they work.

This needs a little work.

  • 'extending', 'extensible', and 'extend' are all similar terms and they appear really close together.
  • 'help understand how they work' doesn't grammatically fit with 'we wanted to...'
  • what is a 'core feature'?
  • As a reader, I don't understand why I should read on - that's the job of the first paragraph.

Thanks for that. I did try to rephrase it to avoid repeating terms.


## Pluggable Architecture

Plugins in OpenSearch bring in modular architecture and enable developing/managing a large code base easier. The [blog post](https://logz.io/blog/opensearch-plugins/) from our partner [Logz.io](http://logz.io/) helps understand why pluggable architecture is important, and how the architecture works.

  1. Tighten up the first sentence.
    • The plugins don't bring in the modular architecture, they are part of it.
    • 'enable' doesn't match with 'easier'
  2. rephrase 'our partner' to something else (maybe "OpenSearch partner" or "project partner"). The collective in this post should refer to the authors, so Logz isn't Sarat and Owais' partner ;)
  3. 'The blog post' doesn't 'helps understand why', it does 'describes'
  4. the comma before the 'and' isn't needed if it's not a list.


Plugins in OpenSearch bring in modular architecture and enable developing/managing a large code base easier. The [blog post](https://logz.io/blog/opensearch-plugins/) from our partner [Logz.io](http://logz.io/) helps understand why pluggable architecture is important, and how the architecture works.

The Plugin architecture is designed to enable solving specific problems and extending generic features. For example, [Anomaly Detection](https://github.com/opensearch-project/anomaly-detection) plugin reads time stream data ingested and finds anomalies. Another example is [Job Scheduler](https://github.com/opensearch-project/job-scheduler) plugin which schedules and runs generic jobs.

  1. "Plugin" is capitalized irregularly throughout the blog. It should be lower case unless starting a sentence.
  2. 'Anomaly Detection plugin' should just be 'Anomaly Detection' or use a definite article in front of it, same for job scheduler.


The Plugin architecture is designed to enable solving specific problems and extending generic features. For example, [Anomaly Detection](https://github.com/opensearch-project/anomaly-detection) plugin reads time stream data ingested and finds anomalies. Another example is [Job Scheduler](https://github.com/opensearch-project/job-scheduler) plugin which schedules and runs generic jobs.

Plugins are of various types, generally could be categorized as:

be more active: 'could' into 'can'


Java applications are prone to have vulnerabilities on a remote cluster or by a DDoS attack. To prevent this, JVM can be run in a sandbox mode which will prevent, for example: access to the local hard disk or the network. All of these are handled by the Security Manager.

### How is it used in OpenSearch?
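
Review bot: The first sentence of the Security Manager paragraph ("prone to have vulnerabilities on a remote cluster or by a DDoS attack") does not describe what the Security Manager protects against. The next sentence has it right: the sandbox limits what code running in the JVM may do, such as reading the local disk or opening network connections, and that does nothing against a DDoS. Suggest replacing the first sentence with the concern that matters for this post, that plugin code runs in the same process as OpenSearch, and rewording "All of these are handled" to say the Security Manager enforces those restrictions.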

how is what used?

### How is it used in OpenSearch?

1. As OpenSearch bundles a few plugins, every plugin can define its own custom security policy file which will be installed at the same time when OpenSearch is installing the plugin.
2. Security Manager is initialized in [Opensearch.java](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearch.java#L91) and every plugin has a custom policy file called [plugin-secruity.policy](https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy).

See previous note about line number links


1. As OpenSearch bundles a few plugins, every plugin can define its own custom security policy file which will be installed at the same time when OpenSearch is installing the plugin.
2. Security Manager is initialized in [Opensearch.java](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearch.java#L91) and every plugin has a custom policy file called [plugin-secruity.policy](https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy).
3. The [getPolicy()](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearchPolicy.java#L77-L79) method will take care of assigning the initial default policies required for the plugins and [setPolicy()](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/Security.java#L134) method will assign the custom policies of the plugins present in `plugin-secruity.policy`.
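
Review bot: The policy file name is misspelled as `plugin-secruity.policy` in the link text of item 2 and in the inline code of item 3, while the link target and the install section use `plugin-security.policy`. A reader who copies the name from the post ends up with a file name that differs from the one the install tool is described as verifying, so correct both occurrences.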

See previous note about line number links

2. Security Manager is initialized in [Opensearch.java](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearch.java#L91) and every plugin has a custom policy file called [plugin-secruity.policy](https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy).
3. The [getPolicy()](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/OpenSearchPolicy.java#L77-L79) method will take care of assigning the initial default policies required for the plugins and [setPolicy()](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/bootstrap/Security.java#L134) method will assign the custom policies of the plugins present in `plugin-secruity.policy`.
4. Each custom security policy file is signed and has a codebase which is a signed key between OpenSearch and the plugin.
5. Each security policy can be attached via gradle plugin [opensearch.opensearchplugin](https://github.com/opensearch-project/anomaly-detection/blob/main/build.gradle#L94) in the `build.gradle` file of the plugin.
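
Review bot: Item 4 says the policy file "has a codebase which is a signed key between OpenSearch and the plugin", which conflates two things. In Java policy syntax a codeBase is the location of the code a grant applies to, and signing is stated separately from it, so a codebase is not a key. Suggest saying which jars the grants in the file apply to and, if the file or the plugin jars are in fact signed, who signs them and where that is checked.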

See previous note about line number links


## Closing Notes

We hope this post helps unbox the mystery of how plugins work within OpenSearch. Now that you learnt how plugins work and what their limitations are, let us know if you have any feedback or would like new features in plugin architecture.

Closing needs a specific call-to-action: what should the reader do next?

That's a good point.
See if this is better. Ideally what we would want is community developing more plugins, and put thoughts on how the next generation plugin architecture should be.

owaiskazi19 and others added 4 commits November 29, 2021 10:29
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>

@stockholmux stockholmux left a comment

Much improved! It's really coming together. A few little points to address but we're 95% good.

description: "OpenSearch enables enhancing core features in a custom way via Plugins. In this blog post we wanted to unbox how plugins load, install, and run in OpenSearch..."
---

OpenSearch enables enhancing core features in a custom way via plugins. For example, plugins could add custom mapping types, engine scripts etc. In this blog post we wanted to unbox how plugins load, install, and run in OpenSearch.

scripts , etc.


The Plugin architecture is designed to enable solving specific problems and extending generic features. For example, [Anomaly Detection](https://github.com/opensearch-project/anomaly-detection) reads time stream data ingested and finds anomalies. Another example is [Job Scheduler](https://github.com/opensearch-project/job-scheduler) plugin which schedules and runs generic jobs.

Plugins are of various types, generally can be categorized as:

drop 'can be'


## Extension Points

The architecture is designed for plugins to hook onto various points within the OpenSearch code base. Plugins can subscribe to notifications/events they are interested in via these extension points.

'Plugins can subscribe to notifications/events they are interested in via these extension points.'

Rephrase that - plugins are not interested in anything (anthropomorphism).

Maybe something like "Plugins can subscribe to relevant notifications/events via these extension points."

## Extension Points

The architecture is designed for plugins to hook onto various points within the OpenSearch code base. Plugins can subscribe to notifications/events they are interested in via these extension points.
The `Plugin.java` defines a list default extension points.

The Plugin.java file defines a list default extension points.

The default extension points are defined by [Plugin.java](https://github.com/opensearch-project/OpenSearch/blob/1.2/server/src/main/java/org/opensearch/plugins/Plugin.java#L90) abstract class:


* `getFeature` - Could be used to implement a custom feature and respond to cluster state API.

Is there an important reason why you need "Could be"? Like, is this optional?

Seems like "Used to implement a custom feature and respond to cluster state API." seems to have the same meaning without being wishy/washy.


The OpenSearch bundle comes with a tool `./bin/opensearch-plugin` which installs a plugin. [PluginCli](https://github.com/opensearch-project/OpenSearch/blob/main/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/PluginCli.java) reads and validates `plugin-descriptor.properties` file packaged with every plugin. For example, the OpenSearch security plugin defines the [plugin-descriptor.properties](https://github.com/opensearch-project/security/blob/main/plugin-descriptor.properties) file which defines a bunch of parameters, and the tool verifies if it is using the compatible version of OpenSearch, and the dependencies are present.

Also, the tool verifies the `plugin-security.policy` file, defined by the plugin which needs additional security permissions. For example, the OpenSearch security plugin defines many permissions like file read/write, classloading or networking that it needs through the [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post.

'and have more details later in this post' doesn't make grammatical sense. I think I would just drop "and have" and make the rest parenthetical.


Also, the tool verifies the `plugin-security.policy` file, defined by the plugin which needs additional security permissions. For example, the OpenSearch security plugin defines many permissions like file read/write, classloading or networking that it needs through the [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post.

After the tool validates the plugin, it copies all jars into `plugins` directory.

  • the plugins directory
  • Did you want this to be a new paragraph? It renders as single paragraph with one carriage return.

Also, the tool verifies the `plugin-security.policy` file, defined by the plugin which needs additional security permissions. For example, the OpenSearch security plugin defines many permissions like file read/write, classloading or networking that it needs through the [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager and have more details later in this post.

After the tool validates the plugin, it copies all jars into `plugins` directory.
By default, opensearch-min artifact does not package any plugins including the [native plugins](https://github.com/opensearch-project/OpenSearch/tree/main/plugins) which exist in the OpenSearch code base.

opensearch-min is not used very frequently. It might be more user friendly if you change "opensearch-min artifact" to "the OpenSearch Minimum distribution"

```

As the plugins are class-loaded during the node bootstrap, the extension points (defined by the plugin interface) initialize the data structures.
This design of loading plugins during the node bootstrap prevents them to be loaded on the fly and cannot be hot swapped. Each node within the cluster has to be restarted to load a new plugin.

'to be loaded' -> 'being loaded'

@owaiskazi19 owaiskazi19 force-pushed the plugin-blogpost branch 2 times, most recently from 948ebee to 8ff2605 Compare November 30, 2021 22:06
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
stockholmux
stockholmux previously approved these changes Dec 1, 2021

@stockholmux stockholmux left a comment

Some tiny issues with spacing that I will solve before publishing but otherwise LGTM.

Thanks for the time on this @owaiskazi19 and @saratvemulapalli!

@dblock dblock left a comment

Definitely change bundle -> distribution and correct typos. Please consider everything else.


## Pluggable Architecture

The modular architecture in OpenSearch makes it easier to develop on a large code base (4.5MM lines). The [blog post](https://logz.io/blog/opensearch-plugins/) from OpenSearch partner [Logz.io](http://logz.io/) describes why pluggable architecture is important and how plugins can be developed.

code base is spelled as one word, codebase, couple of instances

The default extension points are defined by [Plugin.java](https://github.com/opensearch-project/OpenSearch/blob/1.2/server/src/main/java/org/opensearch/plugins/Plugin.java#L90) abstract class:


* `getFeature` - Used to implement a custom feature and respond to cluster state API.

Normalize language here? We have "Used to implement...", "Implement", "Modify" or "Custom xyz", sounds like everything should be either a verb or a noun.

* `getRoles` - Implement additional DiscoveryNodeRole’s.
* `getAdditionalIndexSettingProviders` - Implement additional index level settings for newly created indices.

Custom plugin interfaces can define new extension points for plugins to hook onto. For example, the [Engine Plugin](https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/plugins/EnginePlugin.java) interface could be used to provide additional implementations to the core engine, expose a hook to [node bootstrap](https://github.com/opensearch-project/OpenSearch/blob/1.2/server/src/main/java/org/opensearch/node/Node.java#L577) to load the custom `engineFactory` and the [Index Service](https://github.com/opensearch-project/OpenSearch/blob/1.2/server/src/main/java/org/opensearch/indices/IndicesService.java#L763) overrides it if plugin chooses to override.

could be used -> can be used


## How do plugins work?

As you might have used plugins in the OpenSearch bundle. There are two parts for plugins to work with OpenSearch: Installing a plugin, and Loading a plugin.

bundle -> distribution everywhere

There are two parts for plugins to work with OpenSearch: Installing a plugin, and Loading a plugin.

Not so English. Maybe "Plugins are installed and loaded when OpenSearch starts."

Sounds simpler, I like it. Sure.


The OpenSearch bundle comes with a tool `./bin/opensearch-plugin` which installs a plugin. [PluginCli](https://github.com/opensearch-project/OpenSearch/blob/main/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/PluginCli.java) reads and validates `plugin-descriptor.properties` file packaged with every plugin. For example, the OpenSearch security plugin defines the [plugin-descriptor.properties](https://github.com/opensearch-project/security/blob/main/plugin-descriptor.properties) file which defines a bunch of parameters, and the tool verifies if it is using the compatible version of OpenSearch, and the dependencies are present.

Also, the tool verifies the `plugin-security.policy` file, defined by the plugin which needs additional security permissions. For example, the OpenSearch security plugin defines many permissions like file read/write, classloading or networking that it needs through the [plugin-security.policy](https://github.com/opensearch-project/security/blob/main/plugin-security.policy) file. These permissions are managed via Java Security Manager(more details later in this post).After the tool validates the plugin, it copies all jars into the `plugins` directory. By default, the OpenSearch Minimum distribution does not package any plugins including the [native plugins](https://github.com/opensearch-project/OpenSearch/tree/main/plugins) which exist in the OpenSearch code base.
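
Review bot: "the tool verifies the `plugin-security.policy` file" does not say what is verified, and this is the step where a plugin is given file, classloading and network permissions. Suggest stating whether the tool parses the policy and shows the requested permissions to the operator for confirmation before copying the jars, or only checks that the file is well formed, and splitting the run-on at "(more details later in this post).After" into its own sentence.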

Remove Also,

Add space before (more details ...


### **Benefit of Security Manager for Plugins**

* Plugins can create a `plugin-secruity.policy` file and write dynamic configuration and permissions required to run from OpenSearch Cluster.

It's just one item, maybe combine with above?


### How Security Manager is used in OpenSearch?

1. As OpenSearch bundles a few plugins, every plugin can define its own custom security policy file which will be installed at the same time when OpenSearch is installing the plugin.

We didn't use numbering above, maybe just remove the numbers?

Makes sense. Moved to bullets.


## Closing Notes

We hope this post helps unbox the mystery of how plugins work within OpenSearch. Now that you learnt how plugins work and their limitations, we would love to see you getting your hands dirty and develop plugins for OpenSearch.

I don't love "mystery", would say "We hope this post helped explain how plugins work within OpenSearch".

Then, repeating ourselves "Now that you learnt ...", which should be "learned", is redundant, and getting -> get.

I would just say: "We would love to see you get your hands dirty, and develop a new plugin for OpenSearch."

Haha sure.

## Closing Notes

We hope this post helps unbox the mystery of how plugins work within OpenSearch. Now that you learnt how plugins work and their limitations, we would love to see you getting your hands dirty and develop plugins for OpenSearch.
Looking forward, we are thinking about solving the limitations in plugin architecture and would love your [feedback/thoughts](https://github.com/opensearch-project/OpenSearch/issues/1422).

love -> ask you for your feedback in OpenSearch#1422.

We hope this post helps unbox the mystery of how plugins work within OpenSearch. Now that you learnt how plugins work and their limitations, we would love to see you getting your hands dirty and develop plugins for OpenSearch.
Looking forward, we are thinking about solving the limitations in plugin architecture and would love your [feedback/thoughts](https://github.com/opensearch-project/OpenSearch/issues/1422).

In the coming days, lookout for a follow-up post soon on intro to plugins with OpenSearch Dashboards.

lookout -> look out

Signed-off-by: Sarat Vemulapalli <vemulapallisarat@gmail.com>

@stockholmux stockholmux left a comment

LGTM

@elfisher elfisher left a comment

LGTM. Let's update the date based on when the blog will go live.

@stockholmux

@elfisher I can make that change at the time of publishing (it's a typical problem - publish date is unpredictable). If you're ok with this otherwise, I think we should proceed.

@saratvemulapalli

saratvemulapalli commented Dec 2, 2021

@stockholmux / @elfisher let us know if you'd like us to make the change. If so, when will this blog be published?
cc: @owaiskazi19

@stockholmux

@saratvemulapalli I'm going to make the changes and publish today.

@stockholmux stockholmux dismissed elfisher’s stale review December 2, 2021 21:29

Change will be made prior to publish

@stockholmux stockholmux merged commit d5a5ae6 into opensearch-project:main Dec 2, 2021