Is it possible to remove "modifyThreadGroup" checking from SecureSM? #1649
Comments
ylwu-amzn
added
enhancement
ylwu-amzn
changed the title
|
@ylwu-amzn I afraid that just dropping some checks from the SecureSM could solve your immediate issue with
What do you think? |
|
Tribuo doesn't use the common ForkJoinPool, we use a separate instance, but we also don't expose the construction of that FJP. What would we need to do to make it work with SecureSM? |
@Craigacp would you consider the option to keep the construction sealed but make it aware of the presence of the SecurityManager (and use customized ForkJoinWorkerThreadFactory)? I will be more than happy to submit the pull request. |
|
I would like it to work, but I don't want to take a dependency on |
|
I believe in case of Tribuo, not the
Correct, that is an idea. |
|
No, we use this constructor https://github.com/openjdk/jdk/blob/jdk-17-ga/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java#L2397, here https://github.com/oracle/tribuo/blob/main/Clustering/KMeans/src/main/java/org/tribuo/clustering/kmeans/KMeansTrainer.java#L205. So we pull in We do use the trick where we execute a parallel stream inside the FJP via a lambda, but that doesn't use the common pool for anything as I understand it. We have a little hook which ensures that the stream sizes the work using the FJP it's executing in rather than the common FJP, but I think that hook is only necessary in Java 8 and 9 (https://bugs.openjdk.java.net/browse/JDK-8190974), and it might be fixed in newer OpenJDK 8u versions. Our workaround for that is here - https://github.com/oracle/olcut/blob/develop/olcut-core/src/main/java/com/oracle/labs/mlrg/olcut/util/StreamUtil.java#L247. |
|
Oh, you are right, the |
|
@Craigacp I have now clear understanding why this exception happens and why permission checks referred in oracle/tribuo#158 did not help. One of the solutions which seems to work: And than we could use a different constructor to supply own I am aware that you prefer not to dial with |
|
So the issue is that the FJP pool threads are created with only the "getClassLoader" and "setContextClassLoader" permissions in Is there any downside to using that thread factory at all times? |
Correct, with the permission granted to the
There are slight differences in the context class loader configuration (comparing to default one) which may cause issues in certain deployments. Keeping it as opt-in option would help to fallback to the default FRJ factory. |
|
Hmm. I'm trying out the custom factory and it's not working for me. I get an identical error message to before. I believe my policy file is correct as when I comment out other things in the permissions I'm assigning to the Tribuo clustering jar then I get different error messages from earlier in the code (e.g. creating the provenance by reflectively accessing the host object). private static final class CustomForkJoinWorkerThreadFactory implements ForkJoinPool.ForkJoinWorkerThreadFactory {
public final ForkJoinWorkerThread newThread(ForkJoinPool pool) {
return AccessController.doPrivileged(new PrivilegedAction<ForkJoinWorkerThread>() {
public ForkJoinWorkerThread run() {
return new ForkJoinWorkerThread(pool) {};
}
});
}
}
private static final CustomForkJoinWorkerThreadFactory THREAD_FACTORY = new CustomForkJoinWorkerThreadFactory();
//inside train
ForkJoinPool fjp = parallel ? new ForkJoinPool(numThreads,THREAD_FACTORY,null,false) : null;Any idea what's wrong? Command: Policy: Stack trace: |
|
@Craigacp hm, I suspect the policy is not precise, I did that (since Would you mind to share a brach (or something) so I could replicate the same setup? Thank you. |
|
It's here - https://github.com/Craigacp/tribuo/tree/kmeans-securesm. You can run it like this: after compiling with |
|
@Craigacp ah nailed it, it comes from This is basically the OpenSearch server security policy. |
|
Ah, ok, thanks for figuring that out. It's surprisingly difficult to find the OpenSearch security policy file on the internet. Is there a canonical location for it? WRT the custom FJP factory approach, I think I'd prefer that we have a custom thread factory inside Tribuo rather than exposing a constructor which accepts a FJP or a |
No objections, the only advice would be to have a check if the SecurityManager is present or not (since you already depend on it through thank you! |
|
Ok, I'll add that check in too. |
|
Thanks for the quick fix @reta and @Craigacp ! I planned to try custom thread factory but found Tribuo doesn't expose interface to specify thread factory. That will be perfect as @Craigacp adding the custom thread factory in Tribuo. That will unblock our integration for KMeans. @Craigacp , when/how do you plan to release this patch? A patch version 4.1.1 and included in 4.2.0? And I think KNN also use FJP, we may integrate KNN later too. Not so urgent, but will be perfect if you can also fix KNN part. Thanks! |
|
Oh, never mind, I see your PR already fixed KNN part. Perfect! Thanks @Craigacp |
|
As Tribuo team fixing by adding custom thread factory. We don't need to change OpenSearch SecureSM now. Close this issue. |
Is your feature request related to a problem? Please describe.
We are developing a new ML plugin with Tribuo library. But found the KMeans algorithm can't run due to this exception.
Have tried adding "modifyThreadGroup" permission in plugin security policy file, doesn't work.
Copy description from oracle/tribuo#158,
Describe the solution you'd like
Remove this "modifyThreadGroup" checking from SecureSM https://github.com/opensearch-project/OpenSearch/blob/main/libs/secure-sm/src/main/java/org/opensearch/secure_sm/SecureSM.java#L62. The default java security manager doesn't check this "modifyThreadGroup" permission, so Tribuo Kmeans can run successfully with default java security manager.
Describe alternatives you've considered
The text was updated successfully, but these errors were encountered: