From 7295daed62a53a2354033ea2325201591bb4b6bc Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Thu, 9 Jan 2025 23:22:23 +0000 Subject: [PATCH 1/3] Grant qat-java a permission to modify arbitrary thread. Signed-off-by: Ubuntu Signed-off-by: Mulugeta Mammo --- src/main/plugin-metadata/plugin-security.policy | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/plugin-metadata/plugin-security.policy b/src/main/plugin-metadata/plugin-security.policy index 5b3cac1..615ea9d 100644 --- a/src/main/plugin-metadata/plugin-security.policy +++ b/src/main/plugin-metadata/plugin-security.policy @@ -12,4 +12,5 @@ grant codeBase "${codebase.zstd-jni}" { grant codeBase "${codebase.qat-java}" { permission java.lang.RuntimePermission "loadLibrary.*"; + permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread"; }; From 7b51b37d4f5985e6ba40cff8385c688e0efd9263 Mon Sep 17 00:00:00 2001 From: Mulugeta Mammo Date: Fri, 10 Jan 2025 00:30:06 +0000 Subject: [PATCH 2/3] Wrap a QatZipper() inside AccessController.doPrivileged(). Signed-off-by: Mulugeta Mammo --- .../opensearch/index/codec/customcodecs/QatZipperFactory.java | 4 +++- src/main/plugin-metadata/plugin-security.policy | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/opensearch/index/codec/customcodecs/QatZipperFactory.java b/src/main/java/org/opensearch/index/codec/customcodecs/QatZipperFactory.java index a02f09a..9afdab6 100644 --- a/src/main/java/org/opensearch/index/codec/customcodecs/QatZipperFactory.java +++ b/src/main/java/org/opensearch/index/codec/customcodecs/QatZipperFactory.java 
@@ -31,7 +31,9 @@ public class QatZipperFactory { * @param pmode polling mode. */ public static QatZipper createInstance(Algorithm algorithm, int level, Mode mode, int retryCount, PollingMode pmode) { - return new QatZipper(algorithm, level, mode, retryCount, pmode); + return java.security.AccessController.doPrivileged( + (java.security.PrivilegedAction) () -> new QatZipper(algorithm, level, mode, retryCount, pmode) + ); } /** diff --git a/src/main/plugin-metadata/plugin-security.policy b/src/main/plugin-metadata/plugin-security.policy index 615ea9d..5b3cac1 100644 --- a/src/main/plugin-metadata/plugin-security.policy +++ b/src/main/plugin-metadata/plugin-security.policy @@ -12,5 +12,4 @@ grant codeBase "${codebase.zstd-jni}" { grant codeBase "${codebase.qat-java}" { permission java.lang.RuntimePermission "loadLibrary.*"; - permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread"; }; From 10d74855f4d74574f092531a67a8e8217742f315 Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Fri, 10 Jan 2025 12:07:32 -0500 Subject: [PATCH 3/3] Fix GitHib action workflows (#212) Signed-off-by: Andriy Redko --- .github/workflows/check.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 3d7930e..63f46ec 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml 
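Review bot: The privileged block added to `createInstance` has no comment naming the permission check it is meant to satisfy, and the policy hunk of this same patch removes the `ThreadPermission "modifyArbitraryThread"` grant from `${codebase.qat-java}`. `doPrivileged` stops the stack walk at this frame, so callers of the factory are no longer consulted, but the qat-java frames running inside the action still are; it is worth confirming under the security manager that construction succeeds without that grant. Because `createInstance` is public and static, every caller now has the construction performed with the plugin's privileges, so the action should stay limited to the constructor call, as it is here. A comment above the return would record the intent, for example `// Privileged: QatZipper's constructor triggers a permission check (name it here) that callers of this factory may not hold.` The cast is shown without a type argument; if that is how the file reads rather than an artifact of how the patch was rendered, `PrivilegedAction<QatZipper>` avoids the raw type.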
@@ -18,13 +18,11 @@ jobs: # using the same image which is used by opensearch-build team to build the OpenSearch Distribution # this image tag is subject to change as more dependencies and updates will arrive over time image: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-version-linux }} - # need to switch to root so that github actions can install runner binary on container without permission issues. - options: --user root - env: - ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true - + options: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-options }} steps: - - uses: actions/checkout@v3 + - name: Run start commands + run: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-command }} + - uses: actions/checkout@v4 - name: Run Gradle (check) run: | # https://github.com/opensearch-project/opensearch-build/issues/4191 @@ -44,7 +42,7 @@ jobs: os: [windows-latest, macos-13] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK ${{ matrix.java }} uses: actions/setup-java@v3 with:
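Review bot: The new step `run: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-command }}` executes a string produced by another job, and `options:` now comes from the same outputs. What user the container runs as and what it executes first can therefore no longer be read from this file. The definition of `Get-CI-Image-Tag` is outside the hunk; if it calls a reusable workflow through a branch or tag reference, pinning that reference to a commit SHA would keep the start command from changing without a change in this repository. The removed comment explained why root was needed, and a replacement would keep that context, for example `# start options and command come from the Get-CI-Image-Tag job outputs; they replace the former --user root`. The second hunk on this line only bumps `actions/checkout` to `v4` and leaves `actions/setup-java@v3` as it was.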