New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fork or replace elasticsearch dependencies #114
Comments
We've initially forked, but chose to, for now, archive securemock, mocksocket and jna-build and use the existing dependencies.
|
securemock: The grant permissions feature provided by securemock does not look to be readily available in the new mockito version. We could either upstream the changes to mockito or fork the repo. If we successfully upstream the changes, we would also have to upgrade mockito version in OpenSearch since the version currently being used is 1.9.5. mocksocket: The grant permissions feature on top of Socket and ServerSocket apis could also either be upstreamed to mockito or something similar that can house it. It could also be implemented as a utility in OpenSearch or the repo could be forked similar to securemock. @dblock @saratvemulapalli @CEHENKLE thoughts? |
Thanks @VachaShah,
If (2) is true, I think we should start by extracting the features into a new OSS library that is dependent on mockito, rather than a fork, so we can have a clear cut dependency. If that's not possible, definitely upstream. Either way we want to be upgrading mockito, the version used here is ancient. |
Definitely agree on upgrading the mockito version! |
Can you help me understand how that's useful? This is used in tests on throwaway CI infrastructure, and not at runtime. So why does one need it? |
I think from what I understood from the repos, it helps avoid giving permissions to all of the code for mocking and for using sockets during tests. I see that this practice has also been used for other codebases in the test framework: https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy. Let me know if you think this might not be required for us. |
Ok, but why? ;) This is used in tests. What bad things happen if this code doesn't exist and those permissions are given? I have not read a good reason why one would want this. Maybe @nknize can explain? |
Honestly, I am also unclear on what the consequences would be of removing it. But whether we decide to keep it or remove it, we can update the mockito version. If we decide to keep it though, there will be an interdependency where the functionalities of securemock will have to be implemented on the newer version of mockito and we would update the version of mockito on OpenSearch as well. |
Elasticsearch rebuilds JNA to strip out native libraries for platforms that not supported by elastic. |
Without mocksocket core opensearch would need to grant the following so integration tests could be executed:
These permissions would be carried forward in the production clusters making them vulnerable. With mocksocket those permissions are granted to the mocksocket jar only which is used in the MockNioTransport inside the test framework. |
Thanks for the clear explanation @nknize, I understand why we need mocksocket. Let's reproduce this verbatim in our mocksocket fork's README or somewhere else where it's not going to be lost @VachaShah. |
My vote would be yes. I don't see why we would keep restricting platforms. While we may not be releasing a package that has been tested on some platform, it doesn't feel right to artificially prevent others from trying to run on those platforms, reporting bugs, etc. Looking for @nknize to agree/disagree here as well to make sure I'm not missing more history or context. |
Sure, will do!
@nknize Thanks for the explanation, that really helps! For securemock, it gives permissions to mockito during the tests, does this apply to securemock as well? |
Here is the list of native libraries that JNA supports - https://github.com/java-native-access/jna/tree/master/lib/native |
Those seem minor, or aren't they? Are we worried about the bit of disk space? Rebuilding native bits has its own risks. |
I'm not worried about the disk space, but there must be some reason why elastic chose to go this route. We should find that out and if that seems like an unreasonable reason we can start using the upstream JNA. |
The original intent is explained here https://discuss.elastic.co/t/why-elasticsearch-has-separate-jna-library/194986/4 |
I don't see any real problems or bugs in that explanation, only FUD. |
@dblock my apologies, I cannot update the description of the issue but we could put checks on: [X] client/rest/build.gradle Those are out of scope now, thank you! @VachaShah do you need help with this issue? There are a few options (besides forking and giving all permissions) which we could explore, what do you think? |
@reta Thank you for the offer! @xuezhou25 will be working on this. |
@dblock absolutely, @xuezhou25 how does it sound to you? |
@reta Cool beans! Thank you :) |
@reta My plan is still forking and giving all permissions to mocksocket & securemock. Since you have the better solution and are ahead of us, it's all yours! :) |
@xuezhou25 thank you, since there is a dedicated security manager for testing, I will try to prototype the dedicated security checks in there, hopefully (:crossed_fingers: ) the forks will not be needed anymore. |
Signed-off-by: Poojita Raj <poojiraj@amazon.com>
Signed-off-by: Poojita Raj <poojiraj@amazon.com>
The elasticsearch build relies on the following libraries independently built by elastic.co:
This issue is to track the tasks needed to fork into the following repos:
Update the OpenSearch build files for these dependencies
Remove the exclusions for thirdPartyAudit task
The text was updated successfully, but these errors were encountered: