2 changes: 1 addition & 1 deletion .github/workflows/plugin_install.yml
Expand Up @@ -3,7 +3,7 @@ name: Plugin Install
on: [push, pull_request, workflow_dispatch]

env:
OPENSEARCH_VERSION: 3.1.0
OPENSEARCH_VERSION: 3.2.0
PLUGIN_NAME: opensearch-security

jobs:
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -10,7 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

### Changed
- Moved OpenSAML jars to a Shadow Jar configuration to facilitate its use in FIPS enabled environments ([#5400](https://github.com/opensearch-project/security/pull/5404))

- Fix compilation issue after change to Subject interface in core and bump to 3.2.0 ([#5423](https://github.com/opensearch-project/security/pull/5423))

### Dependencies
- Bump `org.eclipse.platform:org.eclipse.core.runtime` from 3.33.0 to 3.33.100 ([#5400](https://github.com/opensearch-project/security/pull/5400))
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -16,7 +16,7 @@ import groovy.json.JsonBuilder

buildscript {
ext {
opensearch_version = System.getProperty("opensearch.version", "3.1.0-SNAPSHOT")
opensearch_version = System.getProperty("opensearch.version", "3.2.0-SNAPSHOT")
isSnapshot = "true" == System.getProperty("build.snapshot", "true")
buildVersionQualifier = System.getProperty("build.version_qualifier", "")

2 changes: 1 addition & 1 deletion bwc-test/build.gradle
Expand Up @@ -44,7 +44,7 @@ ext {

buildscript {
ext {
opensearch_version = System.getProperty("opensearch.version", "3.1.0-SNAPSHOT")
opensearch_version = System.getProperty("opensearch.version", "3.2.0-SNAPSHOT")
opensearch_group = "org.opensearch"
common_utils_version = System.getProperty("common_utils.version", '3.1.0.0-SNAPSHOT')
jackson_version = System.getProperty("jackson_version", "2.15.2")
2 changes: 1 addition & 1 deletion sample-resource-plugin/build.gradle
Expand Up @@ -37,7 +37,7 @@ ext {
projectSubstitutions = [:]
licenseFile = rootProject.file('LICENSE.txt')
noticeFile = rootProject.file('NOTICE.txt')
opensearch_version = System.getProperty("opensearch.version", "3.1.0-SNAPSHOT")
opensearch_version = System.getProperty("opensearch.version", "3.2.0-SNAPSHOT")
isSnapshot = "true" == System.getProperty("build.snapshot", "true")
buildVersionQualifier = System.getProperty("build.version_qualifier", "")

Expand Up @@ -59,7 +59,7 @@
import org.opensearch.sample.secure.actions.rest.create.SecurePluginAction;
import org.opensearch.sample.secure.actions.rest.create.SecurePluginRestAction;
import org.opensearch.sample.secure.actions.transport.SecurePluginTransportAction;
import org.opensearch.sample.utils.RunAsSubjectClient;
import org.opensearch.sample.utils.PluginClient;
import org.opensearch.script.ScriptService;
import org.opensearch.threadpool.ThreadPool;
import org.opensearch.transport.client.Client;
Expand All @@ -78,7 +78,7 @@ public class SampleResourcePlugin extends Plugin implements ActionPlugin, System
private static final Logger log = LogManager.getLogger(SampleResourcePlugin.class);
private boolean isResourceSharingEnabled = false;

private RunAsSubjectClient pluginClient;
private PluginClient pluginClient;

public SampleResourcePlugin(final Settings settings) {
isResourceSharingEnabled = settings.getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
Expand All @@ -98,7 +98,7 @@ public Collection<Object> createComponents(
IndexNameExpressionResolver indexNameExpressionResolver,
Supplier<RepositoriesService> repositoriesServiceSupplier
) {
this.pluginClient = new RunAsSubjectClient(client);
this.pluginClient = new PluginClient(client);
return List.of(pluginClient);
}

Expand Up @@ -24,7 +24,7 @@
import org.opensearch.sample.secure.actions.rest.create.SecurePluginAction;
import org.opensearch.sample.secure.actions.rest.create.SecurePluginRequest;
import org.opensearch.sample.secure.actions.rest.create.SecurePluginResponse;
import org.opensearch.sample.utils.RunAsSubjectClient;
import org.opensearch.sample.utils.PluginClient;
import org.opensearch.tasks.Task;
import org.opensearch.transport.TransportService;
import org.opensearch.transport.client.Client;
Expand All @@ -35,12 +35,10 @@
public class SecurePluginTransportAction extends HandledTransportAction<SecurePluginRequest, SecurePluginResponse> {
private static final Logger log = LogManager.getLogger(SecurePluginTransportAction.class);

// TODO Get RunAsClient

private final Client pluginClient;

@Inject
public SecurePluginTransportAction(TransportService transportService, ActionFilters actionFilters, RunAsSubjectClient pluginClient) {
public SecurePluginTransportAction(TransportService transportService, ActionFilters actionFilters, PluginClient pluginClient) {
super(SecurePluginAction.NAME, transportService, actionFilters, SecurePluginRequest::new);
this.pluginClient = pluginClient;
}
Expand Up @@ -21,20 +21,19 @@
import org.opensearch.transport.client.FilterClient;

/**
* Implementation of client that will run transport actions in a stashed context and inject the name of the provided
* subject into the context.
* A special client for executing transport actions as this plugin's system subject.
*/
public class RunAsSubjectClient extends FilterClient {
public class PluginClient extends FilterClient {

private static final Logger logger = LogManager.getLogger(RunAsSubjectClient.class);
private static final Logger logger = LogManager.getLogger(PluginClient.class);

private Subject subject;

public RunAsSubjectClient(Client delegate) {
public PluginClient(Client delegate) {
super(delegate);
}

public RunAsSubjectClient(Client delegate, Subject subject) {
public PluginClient(Client delegate, Subject subject) {
super(delegate);
this.subject = subject;
}
Expand All @@ -50,13 +49,12 @@
ActionListener<Response> listener
) {
if (subject == null) {
throw new IllegalStateException("RunAsSubjectClient is not initialized.");
throw new IllegalStateException("PluginClient is not initialized.");

}
try (ThreadContext.StoredContext ctx = threadPool().getThreadContext().newStoredContext(false)) {
subject.runAs(() -> {
logger.info("Running transport action with subject: {}", subject.getPrincipal().getName());
super.doExecute(action, request, ActionListener.runBefore(listener, ctx::restore));
return null;
});
} catch (RuntimeException e) {
throw e;
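Review bot: The new one-line Javadoc on `PluginClient` drops the part of the old contract that callers actually need: that `doExecute` runs the action inside a stashed thread context and restores the caller's context before `listener` fires (`ActionListener.runBefore(listener, ctx::restore)`). Because every request routed through this client runs as the plugin's subject rather than as the caller, that is precisely what tells a REST or transport handler author that they must authorize the request content themselves before handing it over. I would keep the mechanics in the class doc: `Executes transport actions as this plugin's system subject: the current thread context is stashed, the action runs under {@link Subject#runAs}, and the caller's context is restored before the listener is invoked. Callers remain responsible for authorizing what they pass through.` The `subject == null` branch is only reachable via the single-argument constructor, so the subject is presumably assigned later by the identity framework; a sentence saying so would explain why the no-arg constructor exists.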
2 changes: 1 addition & 1 deletion spi/build.gradle
Expand Up @@ -10,7 +10,7 @@ plugins {
}

ext {
opensearch_version = System.getProperty("opensearch.version", "3.1.0-SNAPSHOT")
opensearch_version = System.getProperty("opensearch.version", "3.2.0-SNAPSHOT")
}

repositories {
Expand Up @@ -21,20 +21,19 @@
import org.opensearch.transport.client.FilterClient;

/**
* Implementation of client that will run transport actions in a stashed context and inject the name of the provided
* subject into the context.
* A special client for executing transport actions as this plugin's system subject.
*/
public class RunAsSubjectClient extends FilterClient {
public class PluginClient extends FilterClient {

private static final Logger logger = LogManager.getLogger(RunAsSubjectClient.class);
private static final Logger logger = LogManager.getLogger(PluginClient.class);

private Subject subject;

public RunAsSubjectClient(Client delegate) {
public PluginClient(Client delegate) {
super(delegate);
}

public RunAsSubjectClient(Client delegate, Subject subject) {
public PluginClient(Client delegate, Subject subject) {
super(delegate);
this.subject = subject;
}
Expand All @@ -53,7 +52,6 @@ protected <Request extends ActionRequest, Response extends ActionResponse> void
subject.runAs(() -> {
logger.info("Running transport action with subject: {}", subject.getPrincipal().getName());
super.doExecute(action, request, ActionListener.runBefore(listener, ctx::restore));
return null;
});
} catch (RuntimeException e) {
throw e;
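Review bot: `logger.info("Running transport action with subject: {}", subject.getPrincipal().getName())` inside the `runAs` lambda fires once per transport action routed through this client, which on a busy node produces a steady stream of identical lines at the default log level; `logger.debug(...)` keeps the diagnostic without the noise. This copy of `PluginClient` is otherwise line-for-line the same as the one in `sample-resource-plugin`, so whichever level you settle on should be applied to both, and the `catch (RuntimeException e) { throw e; }` that follows continues past the end of the hunk.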
Expand Up @@ -34,9 +34,9 @@
public class RestBulkIndexDocumentIntoMixOfSystemIndexAction extends BaseRestHandler {

private final Client client;
private final RunAsSubjectClient pluginClient;
private final PluginClient pluginClient;

public RestBulkIndexDocumentIntoMixOfSystemIndexAction(Client client, RunAsSubjectClient pluginClient) {
public RestBulkIndexDocumentIntoMixOfSystemIndexAction(Client client, PluginClient pluginClient) {
this.client = client;
this.pluginClient = pluginClient;
}
Expand Up @@ -34,9 +34,9 @@
public class RestBulkIndexDocumentIntoSystemIndexAction extends BaseRestHandler {

private final Client client;
private final RunAsSubjectClient pluginClient;
private final PluginClient pluginClient;

public RestBulkIndexDocumentIntoSystemIndexAction(Client client, RunAsSubjectClient pluginClient) {
public RestBulkIndexDocumentIntoSystemIndexAction(Client client, PluginClient pluginClient) {
this.client = client;
this.pluginClient = pluginClient;
}
Expand Up @@ -27,9 +27,9 @@

public class RestGetOnSystemIndexAction extends BaseRestHandler {

private final RunAsSubjectClient pluginClient;
private final PluginClient pluginClient;

public RestGetOnSystemIndexAction(RunAsSubjectClient pluginClient) {
public RestGetOnSystemIndexAction(PluginClient pluginClient) {
this.pluginClient = pluginClient;
}

Expand Up @@ -29,9 +29,9 @@

public class RestSearchOnSystemIndexAction extends BaseRestHandler {

private final RunAsSubjectClient pluginClient;
private final PluginClient pluginClient;

public RestSearchOnSystemIndexAction(RunAsSubjectClient pluginClient) {
public RestSearchOnSystemIndexAction(PluginClient pluginClient) {
this.pluginClient = pluginClient;
}

Expand Up @@ -27,9 +27,9 @@

public class RestUpdateOnSystemIndexAction extends BaseRestHandler {

private final RunAsSubjectClient pluginClient;
private final PluginClient pluginClient;

public RestUpdateOnSystemIndexAction(RunAsSubjectClient pluginClient) {
public RestUpdateOnSystemIndexAction(PluginClient pluginClient) {
this.pluginClient = pluginClient;
}

Expand Up @@ -45,7 +45,7 @@
public class SystemIndexPlugin1 extends Plugin implements SystemIndexPlugin, IdentityAwarePlugin {
public static final String SYSTEM_INDEX_1 = ".system-index1";

private RunAsSubjectClient pluginClient;
private PluginClient pluginClient;

private Client client;

Expand All @@ -64,7 +64,7 @@ public Collection<Object> createComponents(
Supplier<RepositoriesService> repositoriesServiceSupplier
) {
this.client = client;
this.pluginClient = new RunAsSubjectClient(client);
this.pluginClient = new PluginClient(client);
return List.of(pluginClient);
}

Expand Up @@ -30,14 +30,14 @@ public class TransportIndexDocumentIntoSystemIndexAction extends HandledTranspor
AcknowledgedResponse> {

private final Client client;
private final RunAsSubjectClient pluginClient;
private final PluginClient pluginClient;

@Inject
public TransportIndexDocumentIntoSystemIndexAction(
final TransportService transportService,
final ActionFilters actionFilters,
final Client client,
final RunAsSubjectClient pluginClient
final PluginClient pluginClient
) {
super(IndexDocumentIntoSystemIndexAction.NAME, transportService, actionFilters, IndexDocumentIntoSystemIndexRequest::new);
this.client = client;
Expand Up @@ -26,14 +26,14 @@
public class TransportRunClusterHealthAction extends HandledTransportAction<RunClusterHealthRequest, AcknowledgedResponse> {

private final Client client;
private final RunAsSubjectClient pluginClient;
private final PluginClient pluginClient;

@Inject
public TransportRunClusterHealthAction(
final TransportService transportService,
final ActionFilters actionFilters,
final Client client,
final RunAsSubjectClient pluginClient
final PluginClient pluginClient
) {
super(RunClusterHealthAction.NAME, transportService, actionFilters, RunClusterHealthRequest::new);
this.client = client;
Expand Up @@ -167,8 +167,7 @@
import org.opensearch.security.hasher.PasswordHasherFactory;
import org.opensearch.security.http.NonSslHttpServerTransport;
import org.opensearch.security.http.XFFResolver;
import org.opensearch.security.identity.ContextProvidingPluginSubject;
import org.opensearch.security.identity.NoopPluginSubject;
import org.opensearch.security.identity.SecurePluginSubject;
import org.opensearch.security.identity.SecurityTokenManager;
import org.opensearch.security.privileges.PrivilegesEvaluationException;
import org.opensearch.security.privileges.PrivilegesEvaluator;
Expand Down Expand Up @@ -2292,9 +2291,8 @@ public SecurityTokenManager getTokenManager() {

@Override
public PluginSubject getPluginSubject(Plugin plugin) {
PluginSubject subject;
PluginSubject subject = new SecurePluginSubject(threadPool, settings, plugin);
if (!client && !disabled && !SSLConfig.isSslOnlyMode()) {
subject = new ContextProvidingPluginSubject(threadPool, settings, plugin);
String pluginPrincipal = subject.getPrincipal().getName();
URL resource = plugin.getClass().getClassLoader().getResource("plugin-additional-permissions.yml");
RoleV7 pluginPermissions;
Expand All @@ -2314,8 +2312,6 @@ public PluginSubject getPluginSubject(Plugin plugin) {
}
pluginPermissions.getCluster_permissions().add(BulkAction.NAME);
evaluator.updatePluginToActionPrivileges(pluginPrincipal, pluginPermissions);
} else {
subject = new NoopPluginSubject(threadPool);
}
return subject;
}
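Review bot: `getPluginSubject` now returns a live `SecurePluginSubject` on client nodes, when the plugin is disabled and in SSL-only mode, where it previously returned `NoopPluginSubject`; in those modes the `if (!client && !disabled && !SSLConfig.isSslOnlyMode())` block is skipped, so nothing from `plugin-additional-permissions.yml` is registered with `evaluator`, yet the subject's `runAs` (not in this hunk) will presumably still stash the caller's context and inject the plugin principal. If no privilege evaluation runs in those modes that is harmless, but it is a behavior change for plugins that relied on running as the caller there, and the method carries no comment saying the asymmetry is intentional. I would add above the `if`: `// Plugin privileges are only registered while the security plugin is enforcing; on client nodes, when disabled, or in SSL-only mode the subject exists but carries no permissions.` and confirm that `SecurePluginSubject.runAs` degrades to a pass-through when enforcement is off. The middle of `getPluginSubject` (permission parsing) lies between the two visible hunks.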
Expand Up @@ -10,8 +10,8 @@
package org.opensearch.security.auth;

import java.security.Principal;
import java.util.concurrent.Callable;

import org.opensearch.common.CheckedRunnable;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.identity.NamedPrincipal;
import org.opensearch.identity.UserSubject;
Expand Down Expand Up @@ -42,10 +42,10 @@ public Principal getPrincipal() {
}

@Override
public <T> T runAs(Callable<T> callable) throws Exception {
public <E extends Exception> void runAs(CheckedRunnable<E> r) throws E {
try (ThreadContext.StoredContext ctx = threadPool.getThreadContext().stashContext()) {
threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
return callable.call();
r.run();
}
}

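Review bot: The new `runAs(CheckedRunnable<E> r)` restores the thread context the moment `r.run()` returns, because the `StoredContext` from `stashContext()` is closed by the try-with-resources, so the injected `OPENDISTRO_SECURITY_USER` transient is only visible to synchronous work; anything `r` dispatches to another thread or a listener runs without it. The old `Callable` version had the same property, but the switch to a `void`-returning runnable invites fire-and-forget callers, so it is worth stating in Javadoc: `Runs {@code r} with this user installed as the security user in the thread context. The previous context is restored when {@code r} returns, so asynchronous work started inside {@code r} must capture the context itself (see how PluginClient restores it before invoking the listener).`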

This file was deleted.
