Simplify policy evaluation #17712
Simplify policy evaluation #17712
Conversation
| Enumeration<PolicyParser.GrantEntry> enum_ = pp.grantElements(); | ||
| while (enum_.hasMoreElements()) { | ||
| PolicyParser.GrantEntry ge = enum_.nextElement(); | ||
| addGrantEntry(ge, keyStore, newInfo); |
There was a problem hiding this comment.
In addition to the keystore, it looks like the GrantEntry itself supports some additional configurations, like signedBy, that are unnecessary. I believe that signedBy is also used in the context of keystore, where you can specify that jars are signed by the alias of a particular key.
See jarsigner which is a tool shipped with the JDK for signing jars
There was a problem hiding this comment.
Similarly to signedBy, principal also goes unused within the project: https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html
There was a problem hiding this comment.
I just realized that OpenSearch already has some custom logic around the policy files here. This function pre-processes the policy files, looks for jars with possible classifiers and then sets system properties to ensure that the property expansion works on the grant statements.
For example the entry for:
grant codeBase "${codebase.jackson-core}" {
permission java.net.SocketPermission "*", "connect,resolve";
};
will get the property replaced with the system property of the same name. In my case, when testing locally it would make this substitution.
grant codeBase "file:/Users/cwperx/Projects/opensearch/OpenSearch/build/distribution/local/opensearch-3.0.0-SNAPSHOT/lib/jackson-core-2.18.2.jar" {
permission java.net.SocketPermission "*", "connect,resolve";
};
After the PropertyFile is instantiated at the end of that method, it will clear the system properties for the codebases.
There was a problem hiding this comment.
In addition to the keystore, it looks like the GrantEntry itself supports some additional configurations, like signedBy, that are unnecessary.
You are right. I think I removed the traces of signedBy, i will check if they are still out there.
There was a problem hiding this comment.
I just realized that OpenSearch already has some custom logic around the policy files here.
Ah great find. We can try to reuse that code part, over skimming, it does look sufficient to me.
There was a problem hiding this comment.
We need this code block since it sets the system properties needed for the PolicyParser to do property expansion.
|
❌ Gradle check result for df4f4be: Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
df4f4be to
d9eeb20
Compare
|
❌ Gradle check result for d9eeb20: Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for d6f928c: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 6dd55b7: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 36b6c96: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 0e15d94: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
0e15d94 to
507cab5
Compare
|
❌ Gradle check result for 507cab5: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
bc88d00 to
52fd718
Compare
|
❌ Gradle check result for 52fd718: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
52fd718 to
56a1e87
Compare
|
❌ Gradle check result for 56a1e87: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
56a1e87 to
bba8b59
Compare
|
❌ Gradle check result for bba8b59: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
bba8b59 to
eafb80b
Compare
|
❌ Gradle check result for eafb80b: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
eafb80b to
6d44cec
Compare
|
❌ Gradle check result for 6d44cec: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
6d44cec to
40efa5a
Compare
kumargu
force-pushed
the
simplify_policy_evaluation
branch
2 times, most recently
from
414e4b6 to
dc7e124
Compare
|
❌ Gradle check result for dc7e124: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
dc7e124 to
0c60c59
Compare
|
❌ Gradle check result for 0c60c59: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
0c60c59 to
2b18f7d
Compare
|
❌ Gradle check result for 2b18f7d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
2b18f7d to
6aa4d19
Compare
|
❌ Gradle check result for 6aa4d19: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
6aa4d19 to
0942b10
Compare
|
❌ Gradle check result for 0942b10: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for b2ae05d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
kumargu
force-pushed
the
simplify_policy_evaluation
branch
from
b2ae05d to
3091cba
Compare
|
❌ Gradle check result for 3091cba: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
Assuming this can be closed now @kumargu ? Thanks. |
|
yes closed in favour of #17753 |
A draft to simplify policy evaluation
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.