Merge remote-tracking branch 'upstream/2.x' into OBOAndServiceAccounts

.github/workflows/auto-release.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: GitHub App token
         id: github_app_token
-        uses: tibdex/github-app-token@v1.8.0
+        uses: tibdex/github-app-token@v2.1.0
         with:
           app_id: ${{ secrets.APP_ID }}
           private_key: ${{ secrets.APP_PRIVATE_KEY }}

.github/workflows/backport.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: GitHub App token
         id: github_app_token
-        uses: tibdex/github-app-token@v1.8.0
+        uses: tibdex/github-app-token@v2.1.0
         with:
           app_id: ${{ secrets.APP_ID }}
           private_key: ${{ secrets.APP_PRIVATE_KEY }}

.github/workflows/ci.yml

@@ -62,7 +62,7 @@ jobs:
         action: codecov/codecov-action@v3
         with: |
           token: ${{ secrets.CODECOV_TOKEN }}
-          fail_ci_if_error: true
+          fail_ci_if_error: false
           files: ./build/reports/jacoco/test/jacocoTestReport.xml
 
     - uses: actions/upload-artifact@v3
@@ -96,7 +96,7 @@ jobs:
     - id: build-previous
       uses: ./.github/actions/run-bwc-suite
       with:
-        plugin-previous-branch: "2.9"
+        plugin-previous-branch: "2.10"
         plugin-next-branch: "current_branch"
         report-artifact-name: bwc-${{ matrix.platform }}-jdk${{ matrix.jdk }}
         username: admin

.github/workflows/maven-publish.yml

@@ -21,8 +21,8 @@ jobs:
         with:
           distribution: temurin # Temurin is a distribution of adoptium
           java-version: 11
-      - uses: actions/checkout@v3
-      - uses: aws-actions/configure-aws-credentials@v1
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.PUBLISH_SNAPSHOTS_ROLE }}
           aws-region: us-east-1

.github/workflows/plugin_install.yml

@@ -3,7 +3,7 @@ name: Plugin Install
 on: [push, pull_request, workflow_dispatch]
 
 env:
-  OPENSEARCH_VERSION: 2.10.0
+  OPENSEARCH_VERSION: 2.11.0
   PLUGIN_NAME: opensearch-security
 
 jobs:

build.gradle

@@ -16,7 +16,7 @@ import groovy.json.JsonBuilder
 
 buildscript {
     ext {
-        opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT")
+        opensearch_version = System.getProperty("opensearch.version", "2.11.0-SNAPSHOT")
         isSnapshot = "true" == System.getProperty("build.snapshot", "true")
         buildVersionQualifier = System.getProperty("build.version_qualifier", "")
 
@@ -26,7 +26,7 @@ buildscript {
 
         common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
         kafka_version  = '3.5.1'
-        apache_cxf_version = '4.0.2'
+        apache_cxf_version = '4.0.3'
         open_saml_version = '3.4.5'
         one_login_java_saml = '2.9.0'
         jjwt_version = '0.11.5'
@@ -64,7 +64,7 @@ plugins {
     id 'com.diffplug.spotless' version '6.21.0'
     id 'checkstyle'
     id 'com.netflix.nebula.ospackage' version "11.3.0"
-    id "org.gradle.test-retry" version "1.5.4"
+    id "org.gradle.test-retry" version "1.5.5"
     id 'eclipse'
     id "com.github.spotbugs" version "5.1.3"
     id "com.google.osdetector" version "1.7.3"
@@ -432,7 +432,7 @@ configurations {
             force "io.netty:netty-transport-native-unix-common:${versions.netty}"
             force "org.apache.bcel:bcel:6.7.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
             force "com.github.luben:zstd-jni:${versions.zstd}"
-            force "org.xerial.snappy:snappy-java:1.1.10.3"
+            force "org.xerial.snappy:snappy-java:1.1.10.4"
             force "com.google.guava:guava:${guava_version}"
         }
     }
@@ -501,13 +501,13 @@ dependencies {
         exclude group: "com.google.code.gson", module: "gson"
         exclude group: "org.json", module: "json"
     }
-    implementation 'com.github.wnameless.json:json-flattener:0.16.5'
+    implementation 'com.github.wnameless.json:json-flattener:0.16.6'
     // JSON patch
     implementation 'com.flipkart.zjsonpatch:zjsonpatch:0.4.14'
     implementation 'org.apache.commons:commons-collections4:4.4'
 
     //Password generation
-    implementation 'org.passay:passay:1.6.3'
+    implementation 'org.passay:passay:1.6.4'
 
     implementation "org.apache.kafka:kafka-clients:${kafka_version}"
 
@@ -524,7 +524,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.16.0'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.5'
-    runtimeOnly 'com.google.errorprone:error_prone_annotations:2.20.0'
+    runtimeOnly 'com.google.errorprone:error_prone_annotations:2.22.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0'
     runtimeOnly 'org.ow2.asm:asm:9.5'
@@ -550,7 +550,7 @@ dependencies {
     runtimeOnly "org.opensaml:opensaml-soap-impl:${open_saml_version}"
     implementation "org.opensaml:opensaml-storage-api:${open_saml_version}"
 
-    implementation "com.nulab-inc:zxcvbn:1.8.0"
+    implementation "com.nulab-inc:zxcvbn:1.8.2"
 
     runtimeOnly 'com.google.guava:failureaccess:1.0.1'
     runtimeOnly 'org.apache.commons:commons-text:1.10.0'
@@ -562,14 +562,14 @@ dependencies {
     runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.19'
     runtimeOnly 'org.slf4j:slf4j-api:1.7.36'
     runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
-    runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.3'
+    runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.4'
     runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1'
     runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"
     runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.5.1'
-    runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.2.5'
+    runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
     runtimeOnly 'org.apache.santuario:xmlsec:2.3.3'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
-    runtimeOnly 'org.checkerframework:checker-qual:3.36.0'
+    runtimeOnly 'org.checkerframework:checker-qual:3.38.0'
     runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
     runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'
 
@@ -595,7 +595,7 @@ dependencies {
     testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test"
     testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test"
     testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.6'
-    testImplementation 'org.springframework:spring-beans:5.3.20'
+    testImplementation 'org.springframework:spring-beans:5.3.30'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.10.0'
     testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0'
     // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available
@@ -607,7 +607,7 @@ dependencies {
     testCompileOnly 'org.apiguardian:apiguardian-api:1.1.2'
     // Kafka test execution
     testRuntimeOnly 'org.springframework.retry:spring-retry:1.3.3'
-    testRuntimeOnly ('org.springframework:spring-core:5.3.27') {
+    testRuntimeOnly ('org.springframework:spring-core:5.3.30') {
         exclude(group:'org.springframework', module: 'spring-jcl' )
     }
     testRuntimeOnly 'org.scala-lang:scala-library:2.13.11'

bwc-test/build.gradle

@@ -44,7 +44,7 @@ ext {
 
 buildscript {
     ext {
-        opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT")
+        opensearch_version = System.getProperty("opensearch.version", "2.11.0-SNAPSHOT")
         opensearch_group = "org.opensearch"
         common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
     }
@@ -78,8 +78,8 @@ loggerUsageCheck.enabled = false
 testingConventions.enabled = false
 validateNebulaPom.enabled = false
 
-String previousVersion = System.getProperty("bwc.version.previous", "2.9.0.0")
-String nextVersion = System.getProperty("bwc.version.next", "2.10.0.0")
+String previousVersion = System.getProperty("bwc.version.previous", "2.10.0.0")
+String nextVersion = System.getProperty("bwc.version.next", "2.11.0.0")
 
 String bwcVersion = previousVersion
 String baseName = "securityBwcCluster"

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -183,6 +183,7 @@
 import org.opensearch.security.user.User;
 import org.opensearch.security.user.UserService;
 import org.opensearch.tasks.Task;
+import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.RemoteClusterService;
 import org.opensearch.transport.Transport;
@@ -871,7 +872,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
         NamedXContentRegistry xContentRegistry,
         NetworkService networkService,
         Dispatcher dispatcher,
-        ClusterSettings clusterSettings
+        ClusterSettings clusterSettings,
+        Tracer tracer
     ) {
 
         if (SSLConfig.isSslOnlyMode()) {
@@ -884,7 +886,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                 xContentRegistry,
                 networkService,
                 dispatcher,
-                clusterSettings
+                clusterSettings,
+                tracer
             );
         }
 
@@ -909,7 +912,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                     xContentRegistry,
                     validatingDispatcher,
                     clusterSettings,
-                    sharedGroupFactory
+                    sharedGroupFactory,
+                    tracer
                 );
 
                 return Collections.singletonMap("org.opensearch.security.http.SecurityHttpServerTransport", () -> odshst);
@@ -924,7 +928,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                         xContentRegistry,
                         dispatcher,
                         clusterSettings,
-                        sharedGroupFactory
+                        sharedGroupFactory,
+                        tracer
                     )
                 );
             }

src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java

@@ -35,6 +35,7 @@
 import org.opensearch.security.ssl.SslExceptionHandler;
 import org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport;
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
+import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 
@@ -50,7 +51,8 @@ public SecurityHttpServerTransport(
         final NamedXContentRegistry namedXContentRegistry,
         final ValidatingDispatcher dispatcher,
         final ClusterSettings clusterSettings,
-        SharedGroupFactory sharedGroupFactory
+        SharedGroupFactory sharedGroupFactory,
+        Tracer tracer
     ) {
         super(
             settings,
@@ -62,7 +64,8 @@ public SecurityHttpServerTransport(
             dispatcher,
             sslExceptionHandler,
             clusterSettings,
-            sharedGroupFactory
+            sharedGroupFactory,
+            tracer
         );
     }
 }

src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java

@@ -36,6 +36,7 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.http.HttpHandlingSettings;
 import org.opensearch.http.netty4.Netty4HttpServerTransport;
+import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 
@@ -49,9 +50,20 @@ public SecurityNonSslHttpServerTransport(
         final NamedXContentRegistry namedXContentRegistry,
         final Dispatcher dispatcher,
         ClusterSettings clusterSettings,
-        SharedGroupFactory sharedGroupFactory
+        SharedGroupFactory sharedGroupFactory,
+        Tracer tracer
     ) {
-        super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory);
+        super(
+            settings,
+            networkService,
+            bigArrays,
+            threadPool,
+            namedXContentRegistry,
+            dispatcher,
+            clusterSettings,
+            sharedGroupFactory,
+            tracer
+        );
     }
 
     @Override

src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java

@@ -80,6 +80,7 @@
 import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
 import org.opensearch.security.ssl.transport.SecuritySSLTransportInterceptor;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
+import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 import org.opensearch.transport.Transport;
@@ -242,7 +243,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
         NamedXContentRegistry xContentRegistry,
         NetworkService networkService,
         Dispatcher dispatcher,
-        ClusterSettings clusterSettings
+        ClusterSettings clusterSettings,
+        Tracer tracer
     ) {
 
         if (!client && httpSSLEnabled) {
@@ -264,7 +266,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                 validatingDispatcher,
                 NOOP_SSL_EXCEPTION_HANDLER,
                 clusterSettings,
-                sharedGroupFactory
+                sharedGroupFactory,
+                tracer
             );
 
             return Collections.singletonMap("org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport", () -> sgsnht);

src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java

@@ -34,6 +34,7 @@
 import org.opensearch.http.netty4.Netty4HttpServerTransport;
 import org.opensearch.security.ssl.SecurityKeyStore;
 import org.opensearch.security.ssl.SslExceptionHandler;
+import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 
@@ -53,9 +54,20 @@ public SecuritySSLNettyHttpServerTransport(
         final ValidatingDispatcher dispatcher,
         final SslExceptionHandler errorHandler,
         ClusterSettings clusterSettings,
-        SharedGroupFactory sharedGroupFactory
+        SharedGroupFactory sharedGroupFactory,
+        Tracer tracer
     ) {
-        super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory);
+        super(
+            settings,
+            networkService,
+            bigArrays,
+            threadPool,
+            namedXContentRegistry,
+            dispatcher,
+            clusterSettings,
+            sharedGroupFactory,
+            tracer
+        );
         this.sks = sks;
         this.errorHandler = errorHandler;
     }

src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java

@@ -48,6 +48,7 @@
 import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 
@@ -78,7 +79,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
         NamedXContentRegistry xContentRegistry,
         NetworkService networkService,
         Dispatcher dispatcher,
-        ClusterSettings clusterSettings
+        ClusterSettings clusterSettings,
+        Tracer tracer
     ) {
 
         final UserInjectingDispatcher validatingDispatcher = new UserInjectingDispatcher(dispatcher);
@@ -92,7 +94,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                 xContentRegistry,
                 validatingDispatcher,
                 clusterSettings,
-                sharedGroupFactory
+                sharedGroupFactory,
+                tracer
             )
         );
     }
@@ -107,9 +110,20 @@ public UserInjectingServerTransport(
             final NamedXContentRegistry namedXContentRegistry,
             final Dispatcher dispatcher,
             ClusterSettings clusterSettings,
-            SharedGroupFactory sharedGroupFactory
+            SharedGroupFactory sharedGroupFactory,
+            Tracer tracer
         ) {
-            super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory);
+            super(
+                settings,
+                networkService,
+                bigArrays,
+                threadPool,
+                namedXContentRegistry,
+                dispatcher,
+                clusterSettings,
+                sharedGroupFactory,
+                tracer
+            );
         }
     }