[Entitlements] Implement entry point definitions via checker function signature #116754
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ldematte
added
>non-issue
:Core/Infra/Core
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
ldematte
commented
Nov 13, 2024
...nt/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
Show resolved
Hide resolved
rjernst
reviewed
Nov 13, 2024
...tlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/InstrumentationTarget.java
Outdated
Show resolved
Hide resolved
prdoyle
reviewed
Nov 14, 2024
...tlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/InstrumentationTarget.java
Outdated
Show resolved
Hide resolved
...nt/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
Show resolved
Hide resolved
prdoyle
reviewed
Nov 14, 2024
...main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImpl.java
Outdated
Show resolved
Hide resolved
…mentation-targets
|
The annotation name
In an earlier branch of mine, I used the name |
ldematte
changed the title
|
As discussed in the sync, removed annotations in favour of "name mangling", i.e. using only the function signature (name + arguments) to identify the method to instrument. |
|
@elasticmachine update branch |
prdoyle
approved these changes
Nov 20, 2024
...main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImpl.java
Outdated
Show resolved
Hide resolved
| String.format( | ||
| Locale.ROOT, | ||
| "Checker method %s has incorrect name format. " | ||
| + "It should be either check$$methodName (instance) or check$package_ClassName$methodName (static)", |
There was a problem hiding this comment.
Huh, that's kind of clever, but I'm torn on it. On the one hand, this reduces redundancy because the class could already be derived from the argument list in the case of an instance method. But on the other hand, a uniform name-mangling convention seems desirable too. 🤔
...java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests.java
Outdated
Show resolved
Hide resolved
…mentation-targets
💔 Backport failed
You can use sqren/backport to manually backport by running |
rjernst
pushed a commit
to rjernst/elasticsearch
that referenced
this pull request
Nov 22, 2024
rjernst
pushed a commit
to rjernst/elasticsearch
that referenced
this pull request
Nov 22, 2024
elasticsearchmachine
pushed a commit
that referenced
this pull request
Nov 22, 2024
* [Entitlements] Consider only system modules in the boot layer (#117017) * [Entitlements] Implement entry point definitions via checker function signature (#116754) * Policy manager for entitlements (#116695) * Add java version variants of entitlements checker (#116878) As each version of Java is released, there may be additional methods we want to instrument for entitlements. Since new methods won't exist in the base version of Java that Elasticsearch is compiled with, we need to hava different classes and compilation for each version. This commit adds a scaffolding for adding the classes for new versions of Java. Unfortunately it requires several classes in different locations. But hopefully these are infrequent enough that the boilerplate is ok. We could consider adding a helper Gradle task to templatize the new classes in the future if it is too cumbersome. Note that the example for Java23 does not have anything meaningful in it yet, it's only meant as an example until we find go through classes and methods that were added after Java 21. * Spotless --------- Co-authored-by: Lorenzo Dematté <lorenzo.dematte@elastic.co> Co-authored-by: Jack Conradson <osjdconrad@gmail.com> Co-authored-by: Patrick Doyle <patrick.doyle@elastic.co>
alexey-ivanov-es
pushed a commit
to alexey-ivanov-es/elasticsearch
that referenced
this pull request
Nov 28, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements automatic entry-point description for Instrumenter, implementing Option 1 from Entitlement checks and entry-point definition.
It introduces one annotation (@InstrumentationTarget) to use onEntitlementCheckermethods to specify which method in the JVM the check is targeting. The annotation will be used to populate aMethodKey, like before.This PR also changes the way to describe the checker method to inject in the target prologue: before, it was a
java.reflect.Method, now it's simple record namedCheckerMethod.This is because we decided to avoid using reflection, and use ASM to scan and find functions, so to avoid any chance of loading additional types before instrumentation.
EDIT:
After discussing options we the team, we came up with the idea to avoid using annotations and try and express everything in one place (in this case, the function signature, name + arguments).
The name and arguments of the checker will directly point to the class/method to instrument (always by populating a
MethodKey, like before.Examples: