Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security policy for ml-commons library #945

Merged
merged 1 commit into from
Oct 20, 2022

Conversation

joshuali925
Copy link
Member

@joshuali925 joshuali925 commented Oct 20, 2022

Signed-off-by: Joshua Li joshuali925@gmail.com

Description

ml-commons requires setContextClassLoader to run, ref: https://github.com/opensearch-project/neural-search/blob/d8b24bf5f71c7e8cba5988d6bd18462002802cf7/src/main/plugin-metadata/plugin-security.policy

error:

java.lang.ExceptionInInitializerError
        at org.opensearch.ml.common.output.MLOutput.fromStream(MLOutput.java:35)
        at org.opensearch.ml.common.transport.MLTaskResponse.<init>(MLTaskResponse.java:38)
        at org.opensearch.ml.common.transport.MLTaskResponse.fromActionResponse(MLTaskResponse.java:55)
        at org.opensearch.ml.client.MachineLearningNodeClient.lambda$getMlPredictionTaskResponseActionListener$8(MachineLearningNodeClient.java:148)
        at org.opensearch.ml.client.MachineLearningNodeClient.lambda$wrapActionListener$9(MachineLearningNodeClient.java:156)
        at org.opensearch.action.ActionListener$1.onResponse(ActionListener.java:80)
        at org.opensearch.action.support.TransportAction$1.onResponse(TransportAction.java:113)
        at org.opensearch.action.support.TransportAction$1.onResponse(TransportAction.java:107)
        at org.opensearch.action.ActionListener$5.onResponse(ActionListener.java:266)
        at org.opensearch.ml.task.MLTrainAndPredictTaskRunner.trainAndPredict(MLTrainAndPredictTaskRunner.java:140)
        at org.opensearch.ml.task.MLTrainAndPredictTaskRunner.lambda$executeTask$2(MLTrainAndPredictTaskRunner.java:115)
        at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:747)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
        at java.base/java.lang.Thread.run(Thread.java:832)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setContextClassLoader")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
        at java.base/java.lang.Thread.setContextClassLoader(Thread.java:1514)
        at org.opensearch.ml.common.MLCommonsClassLoader.loadClassMapping(MLCommonsClassLoader.java:55)
        at org.opensearch.ml.common.MLCommonsClassLoader.lambda$static$0(MLCommonsClassLoader.java:37)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
        at org.opensearch.ml.common.MLCommonsClassLoader.<clinit>(MLCommonsClassLoader.java:36)
        ... 15 more

Issues Resolved

[List any issues this PR will resolve]

Check List

  • New functionality includes testing.
    • All tests pass, including unit test, integration test and doctest
  • New functionality has been documented.
    • New functionality has javadoc added
    • New functionality has user manual doc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Joshua Li <joshuali925@gmail.com>
@joshuali925 joshuali925 requested a review from a team as a code owner October 20, 2022 18:02
@joshuali925 joshuali925 self-assigned this Oct 20, 2022
@dai-chen
Copy link
Collaborator

Thanks for the fix! Is this issue new and caused by some changes in ml-commons?

@joshuali925
Copy link
Member Author

Thanks for the fix! Is this issue new and caused by some changes in ml-commons?

I think so, this was added 2 days ago opensearch-project/ml-commons@920507e#diff-8cb0e9eff7b8a1c1d8632bf4b9679d121a91c78b37c0454eb7d461356b1f6e3cR17. prior to it AD command worked without changing PPL policy

Copy link
Collaborator

@dai-chen dai-chen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!

@dai-chen dai-chen merged commit 9debb01 into opensearch-project:2.x Oct 20, 2022
@dai-chen dai-chen added the ml Issues related to integration with ML commons and plugin label Oct 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ml Issues related to integration with ML commons and plugin
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants