Switch gRPC transport from grpc-netty-shaded to grpc-netty

[bowenlan-amzn]

Description

Replace grpc-netty-shaded with unshaded grpc-netty in the transport-grpc module so that both the HTTP transport and gRPC transport share the same io.netty.* classes, enabling Netty handler reuse across transports and eliminating the double Netty runtime memory footprint.

• Replace grpc-netty-shaded dependency with grpc-netty and explicit netty dependencies (buffer, codec, codec-base, codec-http, codec-http2, common, handler, resolver, transport, transport-native-unix-common)
• Update all imports from io.grpc.netty.shaded.io.grpc.netty.* to io.grpc.netty.* and io.grpc.netty.shaded.io.netty.* to io.netty.*
• Update plugin-security.policy to grant permissions to individual unshaded netty jar codebases instead of grpc-netty-shaded
• Update thirdPartyAudit ignore lists for unshaded class references
• Add netty license/notice/sha1 files, remove shaded sha1

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

❗ AI-powered Code-Diff-Analyzer found issues on commit 5255124.

Path	Line	Severity	Description
modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy	28	medium	Malformed RuntimePermission syntax with wildcard '*' as first parameter. Standard RuntimePermission format requires only the permission name (e.g., 'setContextClassLoader'), not a wildcard. This could be an attempt to grant overly broad runtime permissions or a coding error that may result in unintended permission grants.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[bowenlan-amzn]

@github-actions commented on Feb 14, 2026, 9:40 PM PST:

❗ AI-powered Code-Diff-Analyzer found issues on commit 5255124.

Path	Line	Severity	Description
modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy	28	medium	Malformed RuntimePermission syntax with wildcard '*' as first parameter. Standard RuntimePermission format requires only the permission name (e.g., 'setContextClassLoader'), not a wildcard. This could be an attempt to grant overly broad runtime permissions or a coding error that may result in unintended permission grants.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

Originally posted by @github-actions[bot] in #20632 (comment)

The analyzer flagged permission java.lang.RuntimePermission "*", "setContextClassLoader" in the security policy as "malformed syntax." However:

1. This line is not new — the exact same syntax existed in the original grpc-netty-shaded grant block on main. The PR just replicated it to the new netty-common
   grant block.
2. It's a standard pattern used across OpenSearch in transport-netty4, transport-reactor-netty4, and arrow-flight-rpc security policies.
3. The syntax is valid — RuntimePermission(String name, String actions) is a real Java constructor. The actions parameter is ignored per Java docs.

---

Analysis from my AI, will understand later on. Adding label to skip for now.

[github-actions]

❌ Gradle check result for 2c3187b: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[opensearch-trigger-bot]

This PR is stalled because it has been open for 30 days with no activity.

[github-actions]

PR Reviewer Guide 🔍

(Review updated until commit f153367)

Here are some key observations to aid the review process:

🧪 PR contains tests

🔒 No security concerns identified

✅ No TODO sections

🔀 Multiple PR themes Sub-PR theme: Switch gRPC transport Java imports from shaded to unshaded Netty Relevant files: modules/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java modules/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/NettyGrpcClient.java modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/SecureSettingsHelpers.java Sub-PR theme: Update security policy and license files for unshaded Netty dependencies Relevant files: modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy modules/transport-grpc/licenses/grpc-netty-1.75.0.jar.sha1 modules/transport-grpc/licenses/netty-LICENSE.txt modules/transport-grpc/licenses/netty-NOTICE.txt modules/transport-grpc/licenses/netty-buffer-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-codec-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-codec-base-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-codec-http-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-codec-http2-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-common-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-handler-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-resolver-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-transport-4.2.12.Final.jar.sha1 modules/transport-grpc/licenses/netty-transport-native-unix-common-4.2.12.Final.jar.sha1

⚡ Recommended focus areas for review Permission Scope The original policy used a broad grant block (no codeBase restriction) which granted permissions to all code. The new policy grants permissions to specific codebases (grpc-netty, netty-common, netty-transport, netty-handler), but other unshaded netty jars added as dependencies (e.g., netty-buffer, netty-codec, netty-codec-http, netty-codec-http2, netty-resolver, netty-transport-native-unix-common) are not granted any permissions. Verify that none of these jars require socket, file, or classloader permissions at runtime. grant codeBase "${codebase.grpc-netty}" { // for reading the system-wide configuration for the backlog of established sockets permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; // netty makes and accepts socket connections permission java.net.SocketPermission "*", "accept,connect"; // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "*", "setContextClassLoader"; // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files permission java.net.NetPermission "accessUnixDomainSocket"; }; grant codeBase "${codebase.netty-common}" { // netty makes and accepts socket connections permission java.net.SocketPermission "*", "accept,connect"; // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "*", "setContextClassLoader"; }; grant codeBase "${codebase.netty-transport}" { // for reading the system-wide configuration for the backlog of established sockets permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; // netty makes and accepts socket connections permission java.net.SocketPermission "*", "accept,connect"; // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files permission java.net.NetPermission "accessUnixDomainSocket"; }; grant codeBase "${codebase.netty-handler}" { // netty makes and accepts socket connections permission java.net.SocketPermission "*", "accept,connect"; }; Netty Version Conflict Switching from grpc-netty-shaded to grpc-netty means the gRPC transport now shares the same io.netty.* classes with the HTTP transport. If the Netty version required by gRPC (4.2.12.Final as seen in the sha1 files) differs from the Netty version used by the HTTP transport module, there could be classpath conflicts or incompatibilities. Verify that both modules use the exact same Netty version. import io.netty.channel.EventLoopGroup; import io.netty.channel.nio.NioEventLoopGroup; import io.netty.channel.socket.nio.NioServerSocketChannel;

[github-actions]

PR Code Suggestions ✨

Latest suggestions up to f153367

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Avoid duplicate over-broad permissions in security policy The grpc-netty grant block still includes permissions for reading /proc/sys/net/core/somaxconn, socket connections, and accessUnixDomainSocket, but these low-level network/OS permissions are now handled by the dedicated netty-transport and netty-common grant blocks. The grpc-netty codebase grant should only retain permissions that are specific to the gRPC-Netty layer itself (e.g., setContextClassLoader), to avoid over-granting permissions and to keep the policy minimal. modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy [9-21] grant codeBase "${codebase.grpc-netty}" { - // for reading the system-wide configuration for the backlog of established sockets - permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; - - // netty makes and accepts socket connections - permission java.net.SocketPermission "*", "accept,connect"; - // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "*", "setContextClassLoader"; - - // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files - permission java.net.NetPermission "accessUnixDomainSocket"; }; Suggestion importance[1-10]: 5 __ Why: The suggestion has merit in reducing duplicate permissions across grant blocks, but the grpc-netty jar itself may legitimately need these permissions directly (e.g., for its own socket operations), and removing them could cause runtime security exceptions. The separation into dedicated netty-transport and netty-common blocks doesn't necessarily mean grpc-netty doesn't also need those permissions independently.	Low

---

Previous suggestions

Suggestions up to commit 7f96bb9

Category	Suggestion	Impact
Security	Reduce overly broad security permissions grant The grpc-netty codeBase grant still includes permissions for reading /proc/sys/net/core/somaxconn, socket connections, and accessUnixDomainSocket, which are now handled by the more specific netty-transport grant. Since grpc-netty is the gRPC layer and not the Netty transport layer itself, its grant should only include permissions directly needed by gRPC-Netty code (e.g., setContextClassLoader), to follow the principle of least privilege and avoid redundant broad grants. modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy [9-21] grant codeBase "${codebase.grpc-netty}" { - // for reading the system-wide configuration for the backlog of established sockets - permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; - - // netty makes and accepts socket connections - permission java.net.SocketPermission "*", "accept,connect"; - // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "*", "setContextClassLoader"; - - // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files - permission java.net.NetPermission "accessUnixDomainSocket"; }; Suggestion importance[1-10]: 4 __ Why: The suggestion to reduce permissions in the grpc-netty grant has merit from a least-privilege perspective, but it's not clear that grpc-netty doesn't need these permissions directly (e.g., it may initiate socket connections itself). The separation into specific netty-transport and netty-common grants is already done in this PR, but removing permissions from grpc-netty without certainty could break functionality.	Low

Suggestions up to commit b05c78d

Category	Suggestion	Impact
Security	Reduce overly broad security permissions for new codeBase The grpc-netty codeBase grant still includes permissions for reading /proc/sys/net/core/somaxconn, socket connections, and accessUnixDomainSocket, but with the switch to unshaded grpc-netty, these low-level Netty operations are now performed by the separate netty-transport and netty-common jars (which have their own grants). The grpc-netty grant should only retain permissions specific to gRPC-netty itself to follow the principle of least privilege and avoid redundant grants. modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy [9-21] grant codeBase "${codebase.grpc-netty}" { - // for reading the system-wide configuration for the backlog of established sockets - permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; - // netty makes and accepts socket connections permission java.net.SocketPermission "*", "accept,connect"; // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "*", "setContextClassLoader"; - - // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files - permission java.net.NetPermission "accessUnixDomainSocket"; }; Suggestion importance[1-10]: 4 __ Why: The suggestion has merit from a least-privilege perspective, but the grpc-netty jar itself may still need these permissions for its own operations (e.g., reading somaxconn during server bootstrap). Without clear evidence that these permissions are truly redundant for grpc-netty specifically, this is a minor style/security hardening suggestion rather than a critical fix.	Low

Suggestions up to commit 58617cc

Category	Suggestion	Impact
Security	Avoid over-granting permissions to gRPC codebase The grpc-netty codeBase grant still includes permissions for reading /proc/sys/net/core/somaxconn, socket connections, and accessUnixDomainSocket, but with the switch to unshaded grpc-netty, these low-level Netty permissions are now handled by the separate netty-transport and netty-common grants. The grpc-netty grant should only retain permissions that are specific to the gRPC-Netty integration layer itself (e.g., setContextClassLoader), to avoid over-granting permissions to the gRPC library code. modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy [9-21] grant codeBase "${codebase.grpc-netty}" { - // for reading the system-wide configuration for the backlog of established sockets - permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; - - // netty makes and accepts socket connections - permission java.net.SocketPermission "*", "accept,connect"; - // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "*", "setContextClassLoader"; - - // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files - permission java.net.NetPermission "accessUnixDomainSocket"; }; Suggestion importance[1-10]: 5 __ Why: The suggestion has merit in principle - separating permissions by codebase is a good security practice. However, it's not clear that grpc-netty itself doesn't need these permissions directly, as the gRPC-Netty integration layer may still perform socket operations. The separate grants for netty-transport and netty-common don't necessarily make the grpc-netty grants redundant, and removing them could break functionality.	Low

Suggestions up to commit 2f04074

Category	Suggestion	Impact
Security	Remove duplicate permissions from gRPC codeBase grant The grpc-netty codeBase grant still includes permissions for reading /proc/sys/net/core/somaxconn, socket connections, and accessUnixDomainSocket, but with the switch to grpc-netty, these low-level Netty permissions have been moved to separate netty-transport and netty-common grants. The grpc-netty grant should only retain permissions that are specific to the gRPC-Netty integration layer, to avoid granting overly broad permissions to the gRPC library itself. Consider removing the duplicated permissions from the grpc-netty grant that are already covered by the netty-transport and netty-common grants. modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy [9-21] grant codeBase "${codebase.grpc-netty}" { - // for reading the system-wide configuration for the backlog of established sockets - permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; - - // netty makes and accepts socket connections - permission java.net.SocketPermission "*", "accept,connect"; - // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "*", "setContextClassLoader"; - - // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files - permission java.net.NetPermission "accessUnixDomainSocket"; }; Suggestion importance[1-10]: 5 __ Why: The suggestion has merit as it identifies that grpc-netty grant contains permissions that overlap with the newly added netty-transport and netty-common grants. However, the security policy structure may be intentionally redundant for defense-in-depth, and the grpc-netty jar itself may legitimately need these permissions. The suggestion is valid but the impact is moderate since it's about permission scoping rather than a critical bug.	Low

Suggestions up to commit 483339d

Category	Suggestion	Impact
Security	Reduce over-granted permissions to gRPC library codebase The grpc-netty codeBase grant still includes permissions for reading /proc/sys/net/core/somaxconn, socket connections, and accessUnixDomainSocket, but with the switch to grpc-netty, these low-level Netty permissions are now handled by the dedicated netty-transport and netty-common grants. The grpc-netty grant should only retain permissions that are specific to the gRPC-Netty integration layer, to avoid over-granting permissions to the gRPC library itself. modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy [9-21] grant codeBase "${codebase.grpc-netty}" { - // for reading the system-wide configuration for the backlog of established sockets - permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; - - // netty makes and accepts socket connections - permission java.net.SocketPermission "*", "accept,connect"; - // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "*", "setContextClassLoader"; - - // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files - permission java.net.NetPermission "accessUnixDomainSocket"; }; Suggestion importance[1-10]: 5 __ Why: The suggestion has merit from a security perspective - the grpc-netty codeBase grant does include permissions that are now also covered by the dedicated netty-transport and netty-common grants. However, it's not necessarily wrong to have overlapping permissions, and the grpc-netty jar itself may legitimately need these permissions for its own code paths. The suggestion is reasonable but not critical.	Low

[github-actions]

Persistent review updated to latest commit 483339d

[github-actions]

❌ Gradle check result for 483339d: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

Persistent review updated to latest commit 2f04074

[github-actions]

✅ Gradle check result for 2f04074: SUCCESS

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.31%. Comparing base (0f8cc13) to head (2f04074).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20632      +/-   ##
============================================
+ Coverage     73.20%   73.31%   +0.10%     
- Complexity    72751    73142     +391     
============================================
  Files          5871     5921      +50     
  Lines        332688   333644     +956     
  Branches      48017    48108      +91     
============================================
+ Hits         243543   244601    +1058     
+ Misses        69625    69470     -155     
- Partials      19520    19573      +53     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Persistent review updated to latest commit 58617cc

[github-actions]

Persistent review updated to latest commit b05c78d

[github-actions]

❌ Gradle check result for b05c78d:

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

Persistent review updated to latest commit 7f96bb9

[github-actions]

❌ Gradle check result for 7f96bb9: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

Persistent review updated to latest commit f153367

[github-actions]

❌ Gradle check result for f153367: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?