-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[POC] [Security Manager Replacement] Native Java Agent (dynamic code rewriting, must be low overhead) #16731
base: main
Are you sure you want to change the base?
Conversation
❌ Gradle check result for 6b73ddf: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
thanks @reta this is really interesting and such a quick progress. On a side note, it would be useful to add a small intro snippet how the |
Thanks @kumargu
Absolutely, I have updated the description (but will push it a bit once we get JDK-21 baseline with #16366, it would simplify a lot the APIs usage) |
9858717
to
ea045b0
Compare
"Can-Retransform-Classes": "true", | ||
"Agent-Class": "org.opensearch.javaagent.Agent", | ||
"Premain-Class": "org.opensearch.javaagent.Agent", | ||
"Boot-Class-Path": 'byte-buddy-1.15.10.jar opensearch-agent-bootstrap-3.0.0-SNAPSHOT.jar' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
opensearch-agent-bootstrap
is shared between the OpenSearch service and the agent (so the Policy
instance could be propagated)
❌ Gradle check result for ea045b0: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
This PR is stalled because it has been open for 30 days with no activity. |
❌ Gradle check result for 58a227c: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❌ Gradle check result for 5e20fde: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❌ Gradle check result for 4688fd1: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
…ing, must be low overhead) Signed-off-by: Andriy Redko <[email protected]>
❌ Gradle check result for 930e6ef: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
@reta is it feasible for the agent to coexist with SM enabled in 3.0, meaning both SM and Agent will enforce socket restrictions? |
I was thinking we could bring in replacements of JSM in 3.0 while JSM remains enabled in 3.0 (because we'd be still on JDK-21 in 3.0). Having the alternatives coexist for sometime will give us confidence and enough community feedback before we decide to remove it in some 3.x or 4.0. |
I think we would only target a most critical APIs by Java Agent (we just cannot much it to SM), however we should be able to run Java Agent on JDK-21 at least. |
100% agree. Maybe just the Socket interceptor for now since we see the problems with defining the port ranges in the PR #17107 |
Description
Explore the the native Java Agent (dynamic code rewriting, must be low overhead).
How does it work:
bootstrap
agent
bootstrap
module apply security policiesExample:
The sample
security.policy
(stays the same as before):The application (OpenSearch) is run with the agent:
The application (OpenSearch) is applies security policy to the agent:
Running with
24-ea+31-3600
:Related Issues
Closes #16633
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.