Add ThreadContextPermission for markAsSystemContext and allow core to perform the method by cwperks · Pull Request #15016 · opensearch-project/OpenSearch

cwperks · 2024-07-30T02:25:53Z

Description

This PR replaces a previous PR and takes a different approach to protect methods in the ThreadContext class. Instead of changing the access modifier, this PR shows how permissions can be declared to protect methods within the ThreadContext class that should not be accessible outside of the core without explicit permission.

With this change, plugins would be able to utilize the method but permission needs to be granted through an entry in the plugin-security.policy file. The permissions would be:

permission java.lang.RuntimePermission "markAsSystemContext";

Related Issues

Resolves #14931

Check List

Functionality includes testing.
API changes companion pull request created, if applicable.
Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

…rm the method Signed-off-by: Craig Perkins <cwperx@amazon.com>

Signed-off-by: Craig Perkins <cwperx@amazon.com>

…d allow core to perform the method (#15038) * Add ThreadContextPermission for markAsSystemContext and allow core to perform the method (#15016) * Add RuntimePermission for markAsSystemContext and allow core to perform the method Signed-off-by: Craig Perkins <cwperx@amazon.com> * private Signed-off-by: Craig Perkins <cwperx@amazon.com> * Surround with doPrivileged Signed-off-by: Craig Perkins <cwperx@amazon.com> * Create ThreadContextAccess Signed-off-by: Craig Perkins <cwperx@amazon.com> * Create notion of ThreadContextPermission Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add javadoc Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to test-framework.policy file Signed-off-by: Craig Perkins <cwperx@amazon.com> * Mark as internal Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add deprecationLogger Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com>

… perform the method (opensearch-project#15016) * Add RuntimePermission for markAsSystemContext and allow core to perform the method Signed-off-by: Craig Perkins <cwperx@amazon.com> * private Signed-off-by: Craig Perkins <cwperx@amazon.com> * Surround with doPrivileged Signed-off-by: Craig Perkins <cwperx@amazon.com> * Create ThreadContextAccess Signed-off-by: Craig Perkins <cwperx@amazon.com> * Create notion of ThreadContextPermission Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add javadoc Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to test-framework.policy file Signed-off-by: Craig Perkins <cwperx@amazon.com> * Mark as internal Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com>

cwperks added 2 commits July 29, 2024 22:21

Add RuntimePermission for markAsSystemContext and allow core to perfo…

518c9d2

…rm the method Signed-off-by: Craig Perkins <cwperx@amazon.com>

private

0360a5e

Signed-off-by: Craig Perkins <cwperx@amazon.com>

cwperks requested review from Bukhtawar, CEHENKLE, Rishikesh1159, VachaShah, anasalkouz, andrross, ashking94, dblock, dbwiddis, gbbafna, kotwanikunal, mch2, msfroh, nknize, owaiskazi19, reta, sachinpkale, saratvemulapalli, shwetathareja and sohami as code owners July 30, 2024 02:25

github-actions bot added enhancement Enhancement or improvement to existing feature or request Identity PR/Issues associated with Authentication or Authorization Plugins security Anything security related labels Jul 30, 2024

This was referenced Jul 31, 2024

[META] Breaking changes in 3.0 #3351

Closed

[Backport 2.x] Add ThreadContextPermission for stashAndMergeHeaders and stashWithOrigin #15046

Closed

BrewTestBot mentioned this pull request Sep 18, 2024

opensearch 2.17.0 Homebrew/homebrew-core#191052

Merged

opensearch-ci-bot mentioned this pull request Sep 6, 2024

[AUTOCUT] Gradle Check Flaky Test Report for IndexServiceTests #14407

Open

cwperks mentioned this pull request Sep 20, 2024

[RFC] Strengthen System Index Protection in the Plugin Ecosystem opensearch-project/security#4439

Open

opensearch-ci-bot mentioned this pull request Oct 1, 2024

[AUTOCUT] Gradle Check Flaky Test Report for EhCacheDiskCacheTests #16159

Open

opensearch-ci-bot mentioned this pull request Oct 11, 2024

[AUTOCUT] Gradle Check Flaky Test Report for ReindexFailureTests #16286

Closed

opensearch-ci-bot mentioned this pull request Oct 23, 2024

[AUTOCUT] Gradle Check Flaky Test Report for UpdateByQueryBasicTests #16439

Open

opensearch-ci-bot mentioned this pull request Jan 13, 2025

[AUTOCUT] Gradle Check Flaky Test Report for InternalSnapshotsInfoServiceTests #17018

Open

dbwiddis mentioned this pull request Jan 17, 2025

Add Craig Perkins as OpenSearch Maintainer #17046

Merged

This was referenced Apr 14, 2025

[AUTOCUT] Gradle Check Flaky Test Report for DeleteByQueryConcurrentTests #17933

Open

[AUTOCUT] Gradle Check Flaky Test Report for RethrottleTests #17937

Open

opensearch-ci-bot mentioned this pull request Sep 9, 2024

[AUTOCUT] Gradle Check Flaky Test Report for RemoteCloneIndexIT #14292

Closed

BrewTestBot mentioned this pull request May 6, 2025

opensearch 3.0.0 Homebrew/homebrew-core#222665

Merged

opensearch-ci-bot mentioned this pull request May 8, 2025

[AUTOCUT] Gradle Check Flaky Test Report for SearchServiceTests #18238

Closed

opensearch-ci-bot mentioned this pull request May 28, 2025

[AUTOCUT] Gradle Check Flaky Test Report for BlobStoreRepositoryRemoteIndexTests #18380

Open

opensearch-ci-bot mentioned this pull request Aug 13, 2025

[AUTOCUT] Gradle Check Flaky Test Report for MetadataIndexTemplateServiceTests #19058

Open

opensearch-ci-bot mentioned this pull request Oct 22, 2025

[AUTOCUT] Gradle Check Flaky Test Report for IndexFieldDataServiceTests #19730

Open

opensearch-ci-bot mentioned this pull request Feb 18, 2026

[AUTOCUT] Gradle Check Flaky Test Report for SearchSlowLogTests #20653

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add ThreadContextPermission for markAsSystemContext and allow core to perform the method#15016

Add ThreadContextPermission for markAsSystemContext and allow core to perform the method#15016
reta merged 10 commits intoopensearch-project:mainfrom
cwperks:mark-as-system-permission

cwperks commented Jul 30, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

cwperks commented Jul 30, 2024

Description

Related Issues

Check List

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants