[PROPOSAL] Delay OpenSearch 3.0 Beta (by 2 weeks)

[kumargu]

opensearch-project/OpenSearch#17181 proposes turning off the Security Manager in the 3.0 release of OpenSearch. On 08/02/25, based on community feedback, we reached a consensus to proceed with the deprecation. The deprecation requires building two replacement alternatives [1] and [2]. While [1] has already been merged, [2] is at risk of missing delivery given the 3.0.0 Beta timelines.

To fully implement the two agreed alternatives, we think the launch of 3.0-Beta would needs to be delayed by 2 weeks. It is also very likely that this Beta delay will push the GA release by the same number of weeks.

This proposal is to get an approval from TSC for this extension.

[1] Systemd strengthening: leveraging operating system (linux) security primitives.

[2] Java Agent: A platform-independent component that can intercept socket and file operations and enforce, at the plugin level, whether a plugin is allowed to perform socket or file operations.

Meta Issues

• Permanently turn-off Security Manager (JSM) starting 3.0 OpenSearch#17181
• [Security Manager Replacement] Strengthen OS core security via systemd configuration  OpenSearch#16729
• [POC] [Security Manager Replacement] Native Java Agent (dynamic code rewriting, must be low overhead) OpenSearch#16731

Why do we want to turn-off JSM in 3.0?

[1] JDK 21 introduces virtual threads, based on: JEP 444: Virtual Threads, "Virtual threads have no permissions when running with a SecurityManager set." This means that any code using virtual threads under a Security Manager will not work. While OpenSearch 3.0 itself will not contain virtual threads, we anticipate that developers—especially plugin developers—will want to leverage them in future 3.x versions. To support this, we could consider disabling the Security Manager in a later 3.x release. There is a strong argument for not deprecating a security feature unless absolutely necessary. However, deprecating such a significant security feature in a minor version release is generally not acceptable. An alternative approach could be to introduce a new major version (4.0) with the Security Manager disabled. However, it is too early to predict the lifecycle of major versions, as they tend to last a long time (for example, the 2.x series lasted around two years).

Are there any security considerations?

We necessarily want both alternatives [1] and [2] to be released before turning off the Security Manager. Releasing just one of them is not an option. The delivery of [2], which is causing the delay, is needed because it is platform-independent and the only available alternative for non-Linux platforms. Additionally, [2] can enforce restrictions at the plugin level, whereas [1] operates only at the OS layer.

However, a delay of a new release will not have any security implications.

What is the primary alternative plan of action in lack of TSC agreement/approval.

The alternative plan could be to introduce the disablement of the Security Manager in version 4.0. Once the development of [2] (Java Agent) is completed, a new proposal for a major version release will be filed. This release could be dedicated to Security Manager disablement but may also introduce other breaking changes that could not make it into 3.0. This new major release would be faster than a typical major release cycle, with the trade-off that we do not want developers to be blocked from leveraging virtual threads.

Generally, a major version release has higher developer work cycles as compared to minor version releases. Given that we are only asking for a two-week extension, we propose to deliver this feature within the current release cycle rather than deferring it to a future major release. We would want to hear from TSC the implication of delay to their software and company.

What users have asked for this feature?

The feature (turn-off of security manager) has been widely upvoted by the community maintainers.

• Permanently turn-off Security Manager (JSM) starting 3.0 OpenSearch#17181

[reta]

Thanks @kumargu I don't think we need to delay 3.0.0.beta:

• the main branch is bundled with JDK-21, the SM is still there, no issues
• the [POC] [Security Manager Replacement] Native Java Agent (dynamic code rewriting, must be low overhead) OpenSearch#16731 should help us to identify (and rollout) the breaking changes that we need to account for when SM is phased out (but the SM replacement does not need to be delivered in 3.0.0)

PS: JDK-24 is due next week, we could run all the tests against it.

@andrross @dblock what do you think folks?

[kumargu]

but the SM replacement does not need to be delivered in 3.0.0

You are right. We don't necessarily need to disable security manager in 3.0.0. There are two motivations to pursue this route --

1. Disabling in a minor version doesn't sound like a clean approach, since it brings a major shift in the security posture.
2. Disabling in a later version say 4.0 means holding developers from leveraging Virtual threads which doesn't work with SM in JAVA 21.

[reta]

1. Disabling in a minor version doesn't sound like a clean approach, since it brings a major shift in the security posture.

It could be done on opt-in basis only (JDK-24 and above), if we have all the pieces ready. But I agree, this is a major shift in the security posture.

Disabling in a later version say 4.0 means holding developers from leveraging Virtual threads which doesn't work with SM in JAVA 21.

This is not strictly the case (it really depends what is being offloaded into VirtualThreads) but I also agree, it is limiting their usefulness. Let's see what others think, thanks @kumargu

[getsaurabh02]

Thanks @kumargu for opening this. Adding more folks for sharing thoughts and align on the consensus @andrross @mch2 @msfroh @Pallavi-AWS @dblock @mch2

[andrross]

It could be done on opt-in basis only (JDK-24 and above), if we have all the pieces ready. But I agree, this is a major shift in the security posture.

I don't love the idea of conditionally using security manager for JDK-21 and using the alternative for newer runtimes. It adds complexity in needing to write code compatible with both (i.e. AccessController.doPrivileged). I'm definitely advocating for a full cutover, and given the foundational nature of this it makes sense to try to do this in a major version release. So basically I think we should try to get the full cutover in the 3.0 release, even if it means a bit of a delay.

[reta]

So basically I think we should try to get the full cutover in the 3.0 release, even if it means a bit of a delay.

This is reasonable, but in this case AccessController.doPrivileged becomes noop, should we remove it from the codebase as well?

[kumargu]

This is reasonable, but in this case AccessController.doPrivileged becomes noop, should we remove it from the codebase as well?

Ideally yes, but because we are already running in a tight deadline, we may defer the clean-up in the next minor version. Since its a no-op we can bear it being removed in a minor version.

[dblock]

My vote is to remove it and not leave it as optional opt-in because it's a lot of maintenance and overhead (e.g. would require running tests with SM enabled). I would not delay the release to get an alternative either, it can be added in minor versions. Users don't upgrade to a 3.0 when that ships without great care and by the time any meaningful number wants to be on the cutting edge we'll have a 3.3 or something like that.

[getsaurabh02]

Looks like we do have a consensus to remove the Security Manager (SM) in OpenSearch 3.0 and achieve a full cutover. On delay, I am in agreement with @andrross here and inclined for this proposed two-week delay to fully implement the agreed-upon alternatives. Ensuring that both the Systemd and Java Agent components are initially integrated will help avoid any known adoption blockers.

Although this might outweigh the impact of delay here @kumargu could you please confirm if this delay will help achieve our goal?

[kumargu]

Although this might outweigh the impact of delay here @kumargu could you please confirm if this delay will help achieve our goal?

We should be good to get this integrated given we have 2 additional weeks. (note systemd is already integrated). This week is going to be critical for us: I think we should have an all gradle-check passing soon, we have been making good progress towards a green gradle check.

We did an isolated perf benchmark of cost of stack walking: there is indeed very low overhead (nanos for stack of depth 500). This week we will work on running a OSB based perf test with SocketInterceptor. This week we will also target the FileInterceptor (@reta , I will sync offline with you).

Please let's go and publish new dates on the calendar. thanks everyone for your feedbacks.

[kumargu]

we will take a call in next couple of weeks, if we can remove the usages/dependency of SM from tests, even if we are not able to deal with tests within the timelines, the dependency can be removed in minor versions.