[Security Manager Replacement] Phase off SecurityManager usage in favor of Java Agent

[reta]

Description

Phase off SecurityManager usage in favor of Java Agent

⚠️⚠️⚠️ High risks of breaking all third-party and non-core plugins due to the changes in how the security verification is going to be performed. ⚠️⚠️⚠️

Related Issues

Closes #17662

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[github-actions]

❌ Gradle check result for e4b0865: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 5f67ad7: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[kumargu]

overall LGTM!. thank-you @reta for this beautiful work!

[github-actions]

✅ Gradle check result for ebbd764: SUCCESS

[codecov]

Codecov Report

Attention: Patch coverage is 16.66667% with 10 lines in your changes missing coverage. Please review.

Project coverage is 72.34%. Comparing base (7b6108b) to head (ebbd764).
Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
...c/main/java/org/opensearch/bootstrap/Security.java	12.50%	7 Missing ⚠️
...java/org/opensearch/bootstrap/BootstrapChecks.java	33.33%	1 Missing and 1 partial ⚠️
.../src/main/java/org/opensearch/javaagent/Agent.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #17861      +/-   ##
============================================
- Coverage     72.44%   72.34%   -0.11%     
+ Complexity    66483    66436      -47     
============================================
  Files          5409     5407       -2     
  Lines        308282   308167     -115     
  Branches      44759    44737      -22     
============================================
- Hits         223344   222950     -394     
- Misses        66608    67027     +419     
+ Partials      18330    18190     -140     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[peterzhuamazon]

We will onboard this to RC1 since it is merged early.

Thanks.

[skumawat2025]

Hi @reta
After pulling the latest change i am facing issues in building a non-core plugin.

MyPluginIT > classMethod FAILED
    java.lang.NoClassDefFoundError: org/opensearch/javaagent/bootstrap/AgentPolicy$AnyCanExit
        at org.opensearch.bootstrap.BootstrapForTesting.<clinit>(BootstrapForTesting.java:191)
        at org.opensearch.test.OpenSearchTestCase.<clinit>(OpenSearchTestCase.java:331)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:534)
        at java.base/java.lang.Class.forName(Class.java:513)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$2.run(RandomizedRunner.java:623)

        Caused by:
        java.lang.ClassNotFoundException: org.opensearch.javaagent.bootstrap.AgentPolicy$AnyCanExit
            at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
            at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
            at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
            ... 6 more


Suite: Test class com.amazon.myplugin.MyPluginITPluginIT
  2> java.lang.NoClassDefFoundError: org/opensearch/javaagent/bootstrap/AgentPolicy$AnyCanExit
        at org.opensearch.bootstrap.BootstrapForTesting.<clinit>(BootstrapForTesting.java:191)
        at org.opensearch.test.OpenSearchTestCase.<clinit>(OpenSearchTestCase.java:331)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:534)
        at java.base/java.lang.Class.forName(Class.java:513)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$2.run(RandomizedRunner.java:623)

        Caused by:
        java.lang.ClassNotFoundException: org.opensearch.javaagent.bootstrap.AgentPolicy$AnyCanExit
            at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
            at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
            at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
            ... 6 more

And i doubt this is related to the Java Agent changes that we have done. Can you please take a look and suggest if its related and any resolution?

[peterzhuamazon]

Hi @reta After pulling the latest change i am facing issues in building a non-core plugin.

MyPluginIT > classMethod FAILED
    java.lang.NoClassDefFoundError: org/opensearch/javaagent/bootstrap/AgentPolicy$AnyCanExit
        at org.opensearch.bootstrap.BootstrapForTesting.<clinit>(BootstrapForTesting.java:191)
        at org.opensearch.test.OpenSearchTestCase.<clinit>(OpenSearchTestCase.java:331)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:534)
        at java.base/java.lang.Class.forName(Class.java:513)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$2.run(RandomizedRunner.java:623)

        Caused by:
        java.lang.ClassNotFoundException: org.opensearch.javaagent.bootstrap.AgentPolicy$AnyCanExit
            at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
            at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
            at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
            ... 6 more


Suite: Test class com.amazon.myplugin.MyPluginITPluginIT
  2> java.lang.NoClassDefFoundError: org/opensearch/javaagent/bootstrap/AgentPolicy$AnyCanExit
        at org.opensearch.bootstrap.BootstrapForTesting.<clinit>(BootstrapForTesting.java:191)
        at org.opensearch.test.OpenSearchTestCase.<clinit>(OpenSearchTestCase.java:331)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:534)
        at java.base/java.lang.Class.forName(Class.java:513)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$2.run(RandomizedRunner.java:623)

        Caused by:
        java.lang.ClassNotFoundException: org.opensearch.javaagent.bootstrap.AgentPolicy$AnyCanExit
            at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
            at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
            at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
            ... 6 more

And i doubt this is related to the Java Agent changes that we have done. Can you please take a look and suggest if its related and any resolution?

opensearch-project/ml-commons@f9edbb0

[reta]

And i doubt this is related to the Java Agent changes that we have done. Can you please take a look and suggest if its related and any resolution?

Hi @skumawat2025 , I cannot reproduce the issue locally (and on CI as well), the error is related to Java agent changes but should be addressed (@peterzhuamazon pointed out the right commit).