From f7991de466634227a8f0a3d906cb17cb69374997 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Thu, 7 Sep 2023 17:53:07 -0400 Subject: [PATCH 01/18] [Backport 2.x] Demo Configuration changes for 2.10 release (#3330) Backport of - https://github.com/opensearch-project/security/pull/3326 - https://github.com/opensearch-project/security/pull/3237 Signed-off-by: Craig Perkins Co-authored-by: HenryL27 --- tools/install_demo_configuration.bat | 2 +- tools/install_demo_configuration.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat
index 607cce1cd8..6bb115fb3e 100755
--- a/tools/install_demo_configuration.bat
+++ b/tools/install_demo_configuration.bat
@@ -317,7 +317,7 @@ echo plugins.security.enable_snapshot_restore_privilege: true >> "%OPENSEARCH_CO
 echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%"
-echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"] >> "%OPENSEARCH_CONF_FILE%"
+echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%"
 :: network.host
 >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (
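Review bot: The system-index list on the added `plugins.security.system_indices.indices` line is one hand-maintained literal, and the same literal is repeated in the tools/install_demo_configuration.sh hunk of this patch; nothing in either script ties the two copies together, so a name added to one and missed in the other leaves that index without system-index protection on one platform. A comment above the line in each script would make the coupling explicit, for example `:: Keep this list identical to the one in install_demo_configuration.sh` here and `# Keep this list identical to the one in install_demo_configuration.bat` in the shell script. The three new entries are exact names while several neighbours end in `*`; it is worth confirming that the owning plugins never create suffixed variants of these indices, since those would not match. Both scripts continue outside their hunks.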
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh
index b49d2c2f54..7428ea7b14 100755
--- a/tools/install_demo_configuration.sh
+++ b/tools/install_demo_configuration.sh
@@ -385,7 +385,7 @@ echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee
 echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
-echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 #network.host
 if $SUDO_CMD grep --quiet -i
"^network.host" "$OPENSEARCH_CONF_FILE"; then From 10d98a747acb00341ced38a528708064e2ddafb6 Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Mon, 11 Sep 2023 20:01:35 -0500 Subject: [PATCH 02/18] [AUTO] Increment version to 2.11.0-SNAPSHOT (#3323) - Incremented version to **2.11.0-SNAPSHOT**. - Backport c9e109f3814aaafab670a88a2a37810d14932685 from #3338. --------- Signed-off-by: opensearch-ci-bot Signed-off-by: Peter Nied Signed-off-by: Ryan Liang Signed-off-by: github-actions[bot] Co-authored-by: opensearch-ci-bot Co-authored-by: Peter Nied Co-authored-by: github-actions[bot] --- .github/workflows/ci.yml | 2 +- .github/workflows/plugin_install.yml | 2 +- build.gradle | 2 +- bwc-test/build.gradle | 6 ++--- .../security/OpenSearchSecurityPlugin.java | 13 +++++++---- .../http/SecurityHttpServerTransport.java | 7 ++++-- .../SecurityNonSslHttpServerTransport.java | 16 ++++++++++++-- .../ssl/OpenSearchSecuritySSLPlugin.java | 7 ++++-- .../SecuritySSLNettyHttpServerTransport.java | 16 ++++++++++++-- .../test/plugin/UserInjectorPlugin.java | 22 +++++++++++++++---- .../transport/SecurityInterceptorTests.java | 4 +++- 11 files changed, 74 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05ff3e2c17..bef0203832 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -96,7 +96,7 @@ jobs: - id: build-previous uses: ./.github/actions/run-bwc-suite with: - plugin-previous-branch: "2.9" + plugin-previous-branch: "2.10" plugin-next-branch: "current_branch" report-artifact-name: bwc-${{ matrix.platform }}-jdk${{ matrix.jdk }} username: admin diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index d96caef67f..934fa4e714 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -3,7 +3,7 @@ name: Plugin Install on: [push, pull_request, workflow_dispatch] env: - OPENSEARCH_VERSION: 2.10.0 + OPENSEARCH_VERSION: 2.11.0 PLUGIN_NAME: opensearch-security jobs: diff --git a/build.gradle b/build.gradle index 83482e97fd..2b00941597 100644 --- a/build.gradle +++ b/build.gradle @@ -16,7 +16,7 @@ import groovy.json.JsonBuilder buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "2.11.0-SNAPSHOT") isSnapshot = "true" == System.getProperty("build.snapshot", "true") buildVersionQualifier = System.getProperty("build.version_qualifier", "") diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 9999c631dc..e02750c7a7 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle @@ -44,7 +44,7 @@ ext { buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "2.11.0-SNAPSHOT") opensearch_group = "org.opensearch" common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT') } @@ -78,8 +78,8 @@ loggerUsageCheck.enabled = false testingConventions.enabled = false validateNebulaPom.enabled = false -String previousVersion = System.getProperty("bwc.version.previous", "2.9.0.0") -String nextVersion = System.getProperty("bwc.version.next", "2.10.0.0") +String previousVersion = System.getProperty("bwc.version.previous", "2.10.0.0") +String nextVersion = System.getProperty("bwc.version.next", "2.11.0.0") String bwcVersion = previousVersion String baseName = "securityBwcCluster" diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 54f47841ff..97986dc82b 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java 
@@ -176,6 +176,7 @@ import org.opensearch.security.user.User; import org.opensearch.security.user.UserService; import org.opensearch.tasks.Task; +import org.opensearch.telemetry.tracing.Tracer; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.RemoteClusterService; import org.opensearch.transport.Transport; @@ -842,7 +843,8 @@ public Map> getHttpTransports( NamedXContentRegistry xContentRegistry, NetworkService networkService, Dispatcher dispatcher, - ClusterSettings clusterSettings + ClusterSettings clusterSettings, + Tracer tracer ) { if (SSLConfig.isSslOnlyMode()) { @@ -855,7 +857,8 @@ public Map> getHttpTransports( xContentRegistry, networkService, dispatcher, - clusterSettings + clusterSettings, + tracer ); } @@ -880,7 +883,8 @@ public Map> getHttpTransports( xContentRegistry, validatingDispatcher, clusterSettings, - sharedGroupFactory + sharedGroupFactory, + tracer ); return Collections.singletonMap("org.opensearch.security.http.SecurityHttpServerTransport", () -> odshst); @@ -895,7 +899,8 @@ public Map> getHttpTransports( xContentRegistry, dispatcher, clusterSettings, - sharedGroupFactory + sharedGroupFactory, + tracer ) ); } diff --git a/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java b/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java index e9487a49a9..fc36e2411b 100644 --- a/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java +++ b/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java @@ -35,6 +35,7 @@ import org.opensearch.security.ssl.SslExceptionHandler; import org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport; import org.opensearch.security.ssl.http.netty.ValidatingDispatcher; +import org.opensearch.telemetry.tracing.Tracer; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.SharedGroupFactory; 
@@ -50,7 +51,8 @@ public SecurityHttpServerTransport( final NamedXContentRegistry namedXContentRegistry, final ValidatingDispatcher dispatcher, final ClusterSettings clusterSettings, - SharedGroupFactory sharedGroupFactory + SharedGroupFactory sharedGroupFactory, + Tracer tracer ) { super( settings, @@ -62,7 +64,8 @@ public SecurityHttpServerTransport( dispatcher, sslExceptionHandler, clusterSettings, - sharedGroupFactory + sharedGroupFactory, + tracer ); } } diff --git a/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java b/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java index 1c21f0c4a2..a8e675ec74 100644 --- a/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java +++ b/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java @@ -36,6 +36,7 @@ import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.http.HttpHandlingSettings; import org.opensearch.http.netty4.Netty4HttpServerTransport; +import org.opensearch.telemetry.tracing.Tracer; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.SharedGroupFactory; @@ -49,9 +50,20 @@ public SecurityNonSslHttpServerTransport( final NamedXContentRegistry namedXContentRegistry, final Dispatcher dispatcher, ClusterSettings clusterSettings, - SharedGroupFactory sharedGroupFactory + SharedGroupFactory sharedGroupFactory, + Tracer tracer ) { - super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory); + super( + settings, + networkService, + bigArrays, + threadPool, + namedXContentRegistry, + dispatcher, + clusterSettings, + sharedGroupFactory, + tracer + ); } @Override diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java index 711d7ff99e..bff2cf02d5 100644 
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java +++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java @@ -80,6 +80,7 @@ import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport; import org.opensearch.security.ssl.transport.SecuritySSLTransportInterceptor; import org.opensearch.security.ssl.util.SSLConfigConstants; +import org.opensearch.telemetry.tracing.Tracer; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.SharedGroupFactory; import org.opensearch.transport.Transport; @@ -242,7 +243,8 @@ public Map> getHttpTransports( NamedXContentRegistry xContentRegistry, NetworkService networkService, Dispatcher dispatcher, - ClusterSettings clusterSettings + ClusterSettings clusterSettings, + Tracer tracer ) { if (!client && httpSSLEnabled) { @@ -264,7 +266,8 @@ public Map> getHttpTransports( validatingDispatcher, NOOP_SSL_EXCEPTION_HANDLER, clusterSettings, - sharedGroupFactory + sharedGroupFactory, + tracer ); return Collections.singletonMap("org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport", () -> sgsnht); diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java index 5f5d58defa..04f71485ba 100644 --- a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java +++ b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java @@ -34,6 +34,7 @@ import org.opensearch.http.netty4.Netty4HttpServerTransport; import org.opensearch.security.ssl.SecurityKeyStore; import org.opensearch.security.ssl.SslExceptionHandler; +import org.opensearch.telemetry.tracing.Tracer; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.SharedGroupFactory; 
@@ -53,9 +54,20 @@ public SecuritySSLNettyHttpServerTransport( final ValidatingDispatcher dispatcher, final SslExceptionHandler errorHandler, ClusterSettings clusterSettings, - SharedGroupFactory sharedGroupFactory + SharedGroupFactory sharedGroupFactory, + Tracer tracer ) { - super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory); + super( + settings, + networkService, + bigArrays, + threadPool, + namedXContentRegistry, + dispatcher, + clusterSettings, + sharedGroupFactory, + tracer + ); this.sks = sks; this.errorHandler = errorHandler; } diff --git a/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java b/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java index 1046bc81e9..73ede93651 100644 --- a/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java +++ b/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java @@ -48,6 +48,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.security.support.ConfigConstants; +import org.opensearch.telemetry.tracing.Tracer; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.SharedGroupFactory; @@ -78,7 +79,8 @@ public Map> getHttpTransports( NamedXContentRegistry xContentRegistry, NetworkService networkService, Dispatcher dispatcher, - ClusterSettings clusterSettings + ClusterSettings clusterSettings, + Tracer tracer ) { final UserInjectingDispatcher validatingDispatcher = new UserInjectingDispatcher(dispatcher); @@ -92,7 +94,8 @@ public Map> getHttpTransports( xContentRegistry, validatingDispatcher, clusterSettings, - sharedGroupFactory + sharedGroupFactory, + tracer ) ); } 
@@ -107,9 +110,20 @@ public UserInjectingServerTransport( final NamedXContentRegistry namedXContentRegistry, final Dispatcher dispatcher, ClusterSettings clusterSettings, - SharedGroupFactory sharedGroupFactory + SharedGroupFactory sharedGroupFactory, + Tracer tracer ) { - super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory); + super( + settings, + networkService, + bigArrays, + threadPool, + namedXContentRegistry, + dispatcher, + clusterSettings, + sharedGroupFactory, + tracer + ); } } diff --git a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java index 73c5edd8b0..d3363c54d8 100644 --- a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java +++ b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java @@ -33,6 +33,7 @@ import org.opensearch.security.support.Base64Helper; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.user.User; +import org.opensearch.telemetry.tracing.noop.NoopTracer; import org.opensearch.test.transport.MockTransport; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.Transport.Connection; @@ -122,7 +123,8 @@ public void testSendRequestDecorate() { TransportService.NOOP_TRANSPORT_INTERCEPTOR, boundTransportAddress -> clusterService.state().nodes().get(SecurityInterceptor.class.getSimpleName()), null, - emptySet() + emptySet(), + NoopTracer.INSTANCE ); // CS-SUPPRESS-SINGLE: RegexpSingleline Extensions manager used for creating a mock From c00ddd0b28bff2c16aaca1280aca11e0c640678d Mon Sep 17 00:00:00 2001 
From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Thu, 14 Sep 2023 10:56:50 -0400 Subject: [PATCH 03/18] [Backport 2.x] dependabot: bump com.nulab-inc:zxcvbn from 1.8.0 to 1.8.2 (#3357) Backport 2ad8272b8f1df1ba439de85dc9e27cff4c752077 from #3343. Signed-off-by: dependabot[bot] Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 2b00941597..8204e0be90 100644 --- a/build.gradle +++ b/build.gradle @@ -550,7 +550,7 @@ dependencies { runtimeOnly "org.opensaml:opensaml-soap-impl:${open_saml_version}" implementation "org.opensaml:opensaml-storage-api:${open_saml_version}" - implementation "com.nulab-inc:zxcvbn:1.8.0" + implementation "com.nulab-inc:zxcvbn:1.8.2" runtimeOnly 'com.google.guava:failureaccess:1.0.1' runtimeOnly 'org.apache.commons:commons-text:1.10.0' From 4edd40164884422032cc95bfbe38b5565560057c Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:37:35 -0400 Subject: [PATCH 04/18] [Backport 2.x] dependabot: bump org.checkerframework:checker-qual from 3.36.0 to 3.38.0 (#3378) Backport 5e0ab680a99cf5e8ad7b08b1d9752a15692a96ff from #3367. Signed-off-by: dependabot[bot] Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 8204e0be90..0bc7af1e36 100644 --- a/build.gradle +++ b/build.gradle 
@@ -569,7 +569,7 @@ dependencies { runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.2.5' runtimeOnly 'org.apache.santuario:xmlsec:2.3.3' runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}" - runtimeOnly 'org.checkerframework:checker-qual:3.36.0' + runtimeOnly 'org.checkerframework:checker-qual:3.38.0' runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}" runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2' From 4cf885245927e7a3a9204be05fb31e7d6bc9d0fc Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Mon, 18 Sep 2023 16:38:17 +0200 Subject: [PATCH 05/18] [Backport 2.x] dependabot: bump aws-actions/configure-aws-credentials from 3 to 4 (#3373) Backport bec360afd7973c7acff8e92e34906d241c72affd from #3370 Signed-off-by: dependabot[bot] Signed-off-by: Andrey Pleskach Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/maven-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml index 1490e1d7f6..1d904020ca 100644 --- a/.github/workflows/maven-publish.yml +++ b/.github/workflows/maven-publish.yml @@ -21,8 +21,8 @@ jobs: with: distribution: temurin # Temurin is a distribution of adoptium java-version: 11 - - uses: actions/checkout@v3 - - uses: aws-actions/configure-aws-credentials@v1 + - uses: actions/checkout@v4 + - uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.PUBLISH_SNAPSHOTS_ROLE }} aws-region: us-east-1 From aead0dcdc76e6b39e8a0ffaae65c58405b5a54c7 Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:38:57 -0400 Subject: [PATCH 06/18] [Backport 2.x] dependabot: bump com.github.wnameless.json:json-flattener from 0.16.5 to 0.16.6 (#3371) Backport e61e8d4f77b0dc1ac5db2829d56629159c354900 from #3369. Signed-off-by: dependabot[bot] 
Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 0bc7af1e36..8a5b14847f 100644 --- a/build.gradle +++ b/build.gradle @@ -501,7 +501,7 @@ dependencies { exclude group: "com.google.code.gson", module: "gson" exclude group: "org.json", module: "json" } - implementation 'com.github.wnameless.json:json-flattener:0.16.5' + implementation 'com.github.wnameless.json:json-flattener:0.16.6' // JSON patch implementation 'com.flipkart.zjsonpatch:zjsonpatch:0.4.14' implementation 'org.apache.commons:commons-collections4:4.4' From d6ad731ca02deaa6fee5e557efce79e1514b955d Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 13:33:15 -0500 Subject: [PATCH 07/18] [Backport 2.x] Disable codecov from failing CI if there is an upload issue (#3379) Backport 6d78bce0de6b19b6d55b89eb1a9465c3c6079edb from #3353. Signed-off-by: Peter Nied Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bef0203832..ca0427be62 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: action: codecov/codecov-action@v3 with: | token: ${{ secrets.CODECOV_TOKEN }} - fail_ci_if_error: true + fail_ci_if_error: false files: ./build/reports/jacoco/test/jacocoTestReport.xml - uses: actions/upload-artifact@v3 From 34dd1f604e11e4d83356b236dbefd44f7f05de9d Mon Sep 17 00:00:00 2001 
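Review bot: With `fail_ci_if_error: false` a failed Codecov upload no longer fails the job, so a run can go green with no coverage report attached and the gap is easy to miss. The reason is given only in the commit subject; a comment above the key would keep it in the workflow, for example `# Codecov upload problems must not fail CI; a green run may have no coverage report`. If coverage is used as a merge signal, that check has to live in the Codecov status rather than in this step. The step definition starts outside the hunk.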
From: Andrey Pleskach Date: Mon, 18 Sep 2023 20:34:58 +0200 Subject: [PATCH 08/18] [Backport 2.x] dependabot: bump org.springframework:spring-beans from 5.3.29 to 5.3.30 (#3375) Backpor 660e2da1fada1fcf949233a79bfddb2adb280e45 from #3366 Signed-off-by: Andrey Pleskach --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 8a5b14847f..3dc05cd344 100644 --- a/build.gradle +++ b/build.gradle @@ -595,7 +595,7 @@ dependencies { testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test" testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test" testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.6' - testImplementation 'org.springframework:spring-beans:5.3.20' + testImplementation 'org.springframework:spring-beans:5.3.30' testImplementation 'org.junit.jupiter:junit-jupiter:5.10.0' testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0' // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available From 8435ead9e44fabda7b06b2102ef9b83efcf758cf Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Tue, 19 Sep 2023 13:12:12 +0200 Subject: [PATCH 09/18] [Backport 2.x] dependabot: bump apache_cxf_version from 4.0.2 to 4.0.3 (#3376) Backport 558f47e622efa9de1c352feaefcf33c588dcb020 from #3365 Signed-off-by: Andrey Pleskach --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 3dc05cd344..103992e19f 100644 --- a/build.gradle +++ b/build.gradle @@ -26,7 +26,7 @@ buildscript { common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT') kafka_version = '3.5.1' - apache_cxf_version = '4.0.2' + apache_cxf_version = '4.0.3' open_saml_version = '3.4.5' one_login_java_saml = '2.9.0' jjwt_version = '0.11.5' From b351f36ec1a8f4edd10064a63f760337e8c189cb Mon Sep 17 00:00:00 2001 
From: Andrey Pleskach Date: Tue, 19 Sep 2023 13:12:24 +0200 Subject: [PATCH 10/18] [Backport 2.x] dependabot: bump org.apache.ws.xmlschema:xmlschema-core from 2.3.0 to 2.3.1 (#3374) Backport 283c3be8244dff5d6efc19ec10e82e81098dee4f from #3368 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 103992e19f..f1fce0161f 100644 --- a/build.gradle +++ b/build.gradle @@ -566,7 +566,7 @@ dependencies { runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1' runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}" runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.5.1' - runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.2.5' + runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1' runtimeOnly 'org.apache.santuario:xmlsec:2.3.3' runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}" runtimeOnly 'org.checkerframework:checker-qual:3.38.0' From a2daf9f73bfa18164a1b2cfa957bf56e7625eeef Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 20:00:09 -0400 Subject: [PATCH 11/18] [Backport 2.x] Add release notes for 2.10.0.0 (#3382) Backport 737b53110f3b503fe10812c0fdab4014d6b0a5e9 from #3360. Signed-off-by: Peter Nied Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Craig Perkins Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] Co-authored-by: Peter Nied Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> --- ...nsearch-security.release-notes-2.10.0.0.md | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 release-notes/opensearch-security.release-notes-2.10.0.0.md 
diff --git a/release-notes/opensearch-security.release-notes-2.10.0.0.md b/release-notes/opensearch-security.release-notes-2.10.0.0.md
new file mode 100644
index 0000000000..19548d5930
--- /dev/null
+++ b/release-notes/opensearch-security.release-notes-2.10.0.0.md
@@ -0,0 +1,76 @@ +## 2023-08-31 Version 2.10.0.0 + +Compatible with OpenSearch 2.10.0 + +### Enhancements +* Add .plugins-ml-config to the demo configuration system indices ([#2993](https://github.com/opensearch-project/security/pull/2993)) +* Add workflow cluster permissions to alerting roles ([#2994](https://github.com/opensearch-project/security/pull/2994)) +* Include password regex for Dashboardsinfo to display to users ([#2999](https://github.com/opensearch-project/security/pull/2999)) +* Add geospatial ip2geo to the demo configuration system indices and roles ([#3051](https://github.com/opensearch-project/security/pull/3051)) +* Make invalid password message clearer ([#3057](https://github.com/opensearch-project/security/pull/3057)) +* Service Accounts password is randomly generated ([#3077](https://github.com/opensearch-project/security/pull/3077)) +* Exclude sensitive info from the jackson serialization stacktraces ([#3195](https://github.com/opensearch-project/security/pull/3195)) +* Prevent raw request body as output in serialization error messages ([#3205](https://github.com/opensearch-project/security/pull/3205)) +* Command cat/indices will filter results per the Do Not Fail On Forbidden setting ([#3236](https://github.com/opensearch-project/security/pull/3236)) +* Generate new demo certs with IPv6 loopback added to SAN in node certificate ([#3268](https://github.com/opensearch-project/security/pull/3268)) +* System index permissions ([#2887](https://github.com/opensearch-project/security/pull/2887)) + + +### Bug Fixes +* Prevent raw request body as output in serialization error messages ([#3205](https://github.com/opensearch-project/security/pull/3205)) +* Prevent flaky behavior when determining if an request will be executed on the current node. 
([#3066](https://github.com/opensearch-project/security/pull/3066)) +* Resolve a class of ConcurrentModificationException from during bulk requests ([#3094](https://github.com/opensearch-project/security/pull/3094)) +* Fix Document GET with DLS terms query ([#3136](https://github.com/opensearch-project/security/pull/3136)) +* Send log messages to log4j systems instead of system out / error ([#3231](https://github.com/opensearch-project/security/pull/3231)) +* Fix roles verification for roles mapping and internal users ([#3278](https://github.com/opensearch-project/security/pull/3278)) +* Prevent raw request body as output in serialization error messages ([#3205](https://github.com/opensearch-project/security/pull/3205)) +* Fix permissions issues while reading keys in PKCS#1 format ([#3289](https://github.com/opensearch-project/security/pull/3289)) + +### Maintenance +* [Build Break] Update imports for files refactored in core PR #8157 ([#3003](https://github.com/opensearch-project/security/pull/3003)) +* [Build Break] Fix build after Lucene upgrade and breaking XContentFactory changes ([#3069](https://github.com/opensearch-project/security/pull/3069)) +* [Build Break] Update CircuitBreakerService and LifecycleComponent after core refactor in #9006 ([#3082](https://github.com/opensearch-project/security/pull/3082)) +* [Build Break] React to changes in ActionListener and ActionResponse from #9082 ([#3153](https://github.com/opensearch-project/security/pull/3153)) +* [Build Break] Disable gradlew build cache to ensure most up-to-date dependencies ([#3186](https://github.com/opensearch-project/security/pull/3186)) +* Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.7.1 to 2.8.1 ([#3109](https://github.com/opensearch-project/security/pull/3109)) +* Bump com.diffplug.spotless from 6.19.0 to 6.21.0 ([#3108](https://github.com/opensearch-project/security/pull/3108)) +* Bump com.fasterxml.woodstox:woodstox-core from 6.4.0 to 6.5.1 
([#3148](https://github.com/opensearch-project/security/pull/3148)) +* Bump com.github.spotbugs from 5.0.14 to 5.1.3 ([#3251](https://github.com/opensearch-project/security/pull/3251)) +* Bump com.github.wnameless.json:json-base from 2.4.0 to 2.4.2 ([#3062](https://github.com/opensearch-project/security/pull/3062)) +* Bump com.github.wnameless.json:json-flattener from 0.16.4 to 0.16.5 ([#3296](https://github.com/opensearch-project/security/pull/3296)) +* Bump com.google.errorprone:error_prone_annotations from 2.3.4 to 2.20.0 ([#3023](https://github.com/opensearch-project/security/pull/3023)) +* Bump com.google.guava:guava from 32.1.1-jre to 32.1.2-jre ([#3149](https://github.com/opensearch-project/security/pull/3149)) +* Bump commons-io:commons-io from 2.11.0 to 2.13.0 ([#3074](https://github.com/opensearch-project/security/pull/3074)) +* Bump com.netflix.nebula.ospackage from 11.1.0 to 11.3.0 ([#3023](https://github.com/opensearch-project/security/pull/3023)) +* Bump com.nulab-inc:zxcvbn from 1.7.0 to 1.8.0 ([#3023](https://github.com/opensearch-project/security/pull/3023)) +* Bump com.unboundid:unboundid-ldapsdk from 4.0.9 to 4.0.14 ([#3143](https://github.com/opensearch-project/security/pull/3143)) +* Bump io.dropwizard.metrics:metrics-core from 3.1.2 to 4.2.19 ([#3073](https://github.com/opensearch-project/security/pull/3073)) +* Bump kafka_version from 3.5.0 to 3.5.1 ([#3041](https://github.com/opensearch-project/security/pull/3041)) +* Bump net.minidev:json-smart from 2.4.11 to 2.5.0 ([#3120](https://github.com/opensearch-project/security/pull/3120)) +* Bump org.apache.camel:camel-xmlsecurity from 3.14.2 to 3.21.0 ([#3023](https://github.com/opensearch-project/security/pull/3023)) +* Bump org.apache.santuario:xmlsec from 2.2.3 to 2.3.3 ([#3210](https://github.com/opensearch-project/security/pull/3210)) +* Bump org.checkerframework:checker-qual from 3.5.0 to 3.36.0 ([#3023](https://github.com/opensearch-project/security/pull/3023)) +* Bump 
org.cryptacular:cryptacular from 1.2.4 to 1.2.5 ([#3071](https://github.com/opensearch-project/security/pull/3071)) +* Bump org.gradle.test-retry from 1.5.2 to 1.5.4 ([#3072](https://github.com/opensearch-project/security/pull/3072)) +* Bump org.junit.jupiter:junit-jupiter from 5.8.2 to 5.10.0 ([#3146](https://github.com/opensearch-project/security/pull/3146)) +* Bump org.ow2.asm:asm from 9.1 to 9.5 ([#3121](https://github.com/opensearch-project/security/pull/3121)) +* Bump org.scala-lang:scala-library from 2.13.9 to 2.13.11 ([#3119](https://github.com/opensearch-project/security/pull/3119)) +* Bump org.slf4j:slf4j-api from 1.7.30 to 1.7.36 ([#3249](https://github.com/opensearch-project/security/pull/3249)) +* Bump org.xerial.snappy:snappy-java from 1.1.10.1 to 1.1.10.3 ([#3106](https://github.com/opensearch-project/security/pull/3106)) +* Bump actions/create-release from 1.0.0 to 1.1.4 ([#3141](https://github.com/opensearch-project/security/pull/3141)) +* Bump actions/setup-java from 1 to 3 ([#3142](https://github.com/opensearch-project/security/pull/3142)) +* Bump actions/upload-release-asset from 1.0.1 to 1.0.2 ([#3144](https://github.com/opensearch-project/security/pull/3144)) +* Bump fernandrone/linelint from 0.0.4 to 0.0.6 ([#3211](https://github.com/opensearch-project/security/pull/3211)) +* Bump tibdex/github-app-token from 1.5.0 to 1.8.0 ([#3147](https://github.com/opensearch-project/security/pull/3147)) +* Remove log spam for files that are cleaned up ([#3118](https://github.com/opensearch-project/security/pull/3118)) +* Updates integTestRemote task to dynamically fetch common-utils version from build.gradle ([#3122](https://github.com/opensearch-project/security/pull/3122)) +* Switch CodeQL to assemble artifacts using the same build as the rest of CI ([#3132](https://github.com/opensearch-project/security/pull/3132)) +* Only run the backport job on merged pull requests ([#3134](https://github.com/opensearch-project/security/pull/3134)) +* Add code 
coverage exclusions on false positives ([#3196](https://github.com/opensearch-project/security/pull/3196)) +* Enable jarhell check ([#3227](https://github.com/opensearch-project/security/pull/3227)) +* Retry code coverage upload on failure ([#3242](https://github.com/opensearch-project/security/pull/3242)) +* [Refactor] Adopt request builder patterns for SecurityRestApiActions for consistency and clarity ([#3123](https://github.com/opensearch-project/security/pull/3123)) +* [Refactor] Remove json-path from deps and use JsonPointer instead ([#3262](https://github.com/opensearch-project/security/pull/3262)) +* Use version of org.apache.commons:commons-lang3 defined in core ([#3306](https://github.com/opensearch-project/security/pull/3306)) +* Fix checkstyle #3283 +* Demo Configuration changes ([#3330](https://github.com/opensearch-project/security/pull/3330)) \ No newline at end of file From ba0a15b2139166f0922dfb28a4d4a41142bf4138 Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Mon, 25 Sep 2023 09:49:33 -0400 Subject: [PATCH 12/18] [Backport] [2.x] dependabot: bump tibdex/github-app-token from 2.0.0 to 2.1.0 (#3395) (#3401) Backport of https://github.com/opensearch-project/security/pull/3395 to `2.x` Signed-off-by: dependabot[bot] Signed-off-by: Andriy Redko Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/auto-release.yml | 2 +- .github/workflows/backport.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index 4f37d6918f..402914c169 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -13,7 +13,7 @@ jobs: steps: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v1.8.0 + uses: tibdex/github-app-token@v2.1.0 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} 
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 2dd9b224c9..aa64c7e58a 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -15,7 +15,7 @@ jobs: steps: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v1.8.0 + uses: tibdex/github-app-token@v2.1.0 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} From d297b8d89063b6d38298c6b37a83a8a5a33505b7 Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Mon, 25 Sep 2023 15:50:18 +0200 Subject: [PATCH 13/18] [Backport 2.x] dependabot: bump org.springframework:spring-core from 5.3.29 to 5.3.30 (#3398) Backport https://github.com/opensearch-project/security/commit/b52e762bc449f67d5332a9702040c0f18b2eb986 from https://github.com/opensearch-project/security/pull/3390 Signed-off-by: Andrey Pleskach --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index f1fce0161f..ce5547ca7c 100644 --- a/build.gradle +++ b/build.gradle @@ -607,7 +607,7 @@ dependencies { testCompileOnly 'org.apiguardian:apiguardian-api:1.1.2' // Kafka test execution testRuntimeOnly 'org.springframework.retry:spring-retry:1.3.3' - testRuntimeOnly ('org.springframework:spring-core:5.3.27') { + testRuntimeOnly ('org.springframework:spring-core:5.3.30') { exclude(group:'org.springframework', module: 'spring-jcl' ) } testRuntimeOnly 'org.scala-lang:scala-library:2.13.11' From f88115be96035a477ff52d02d54732c8b9557c2a Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Mon, 25 Sep 2023 15:50:38 +0200 Subject: [PATCH 14/18] [Backport 2.x] dependabot: bump org.gradle.test-retry from 1.5.4 to 1.5.5 (#3399) Backport https://github.com/opensearch-project/security/commit/9caa098a52c1e155889d70a80127f92b25ac8a35 from https://github.com/opensearch-project/security/pull/3391 Signed-off-by: Andrey Pleskach --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/build.gradle b/build.gradle index ce5547ca7c..a51f1cc61c 100644 --- a/build.gradle +++ b/build.gradle @@ -64,7 +64,7 @@ plugins { id 'com.diffplug.spotless' version '6.21.0' id 'checkstyle' id 'com.netflix.nebula.ospackage' version "11.3.0" - id "org.gradle.test-retry" version "1.5.4" + id "org.gradle.test-retry" version "1.5.5" id 'eclipse' id "com.github.spotbugs" version "5.1.3" id "com.google.osdetector" version "1.7.3" From 44373ec6cdb210dacc3f42421b45e0f53c44db4f Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 09:51:20 -0400 Subject: [PATCH 15/18] [Backport 2.x] dependabot: bump org.passay:passay from 1.6.3 to 1.6.4 (#3397) Backport 55fe7cb7403f525dcf8414fd94c23faad2890697 from #3394. Signed-off-by: dependabot[bot] Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index a51f1cc61c..2f078cd421 100644 --- a/build.gradle +++ b/build.gradle @@ -507,7 +507,7 @@ dependencies { implementation 'org.apache.commons:commons-collections4:4.4' //Password generation - implementation 'org.passay:passay:1.6.3' + implementation 'org.passay:passay:1.6.4' implementation "org.apache.kafka:kafka-clients:${kafka_version}" From 8b03022d9f204223c684e98857e4db067933797b Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 20:35:51 +0200 Subject: [PATCH 16/18] [Backport 2.x] removing opendistro-job-scheduler-lock from list of protected indices (#3405) Backport f09a6aa65fcf363d36052b386c95019719211c07 from #3383. Signed-off-by: Joshua Palis 
Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] --- tools/install_demo_configuration.bat | 2 +- tools/install_demo_configuration.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 6bb115fb3e..b08c3bdfae 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
@@ -317,7 +317,7 @@ echo plugins.security.enable_snapshot_restore_privilege: true >> "%OPENSEARCH_CO echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"] >> "%OPENSEARCH_CONF_FILE%" :: network.host >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && ( 
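Review bot: The new `plugins.security.system_indices.indices` line drops `.opendistro-job-scheduler-lock` without recording why, and the entry was only added to this same list in patch 01 of this series (#3330), so whoever next syncs the list is likely to put it back. With `plugins.security.system_indices.enabled: true` written just above, an index missing from this list is, as far as this setting goes, left to ordinary role permissions in a demo install. That is presumably intended for the lock index (the commit is a backport of #3383), but it should be stated. I would add a comment line above the echo, `:: .opendistro-job-scheduler-lock is intentionally not listed as a system index, see #3383`, and the same as a `#` comment in the matching hunk of tools/install_demo_configuration.sh. Because both scripts carry the same literal list, a short note in each that it must match the other would help keep them from drifting.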
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 7428ea7b14..9fce14aee9 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
@@ -385,7 +385,7 @@ echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null +echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]' | $SUDO_CMD tee -a 
"$OPENSEARCH_CONF_FILE" > /dev/null #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then From 1b87cd4ed953be63eaecb4e227888d49127ca4dc Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Mon, 25 Sep 2023 23:11:54 +0200 Subject: [PATCH 17/18] [Backport 2.x] dependabot: bump com.google.errorprone:error_prone_annotations from 2.21.1 to 2.22.0 (#3400) Backport https://github.com/opensearch-project/security/commit/826bdebc8c1c017868f5226191e9ff419e42642f from https://github.com/opensearch-project/security/pull/3393 Signed-off-by: Andrey Pleskach --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 2f078cd421..7fb040b599 100644 --- a/build.gradle +++ b/build.gradle @@ -524,7 +524,7 @@ dependencies { runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5' runtimeOnly 'commons-codec:commons-codec:1.16.0' runtimeOnly 'org.cryptacular:cryptacular:1.2.5' - runtimeOnly 'com.google.errorprone:error_prone_annotations:2.20.0' + runtimeOnly 'com.google.errorprone:error_prone_annotations:2.22.0' runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0' runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0' runtimeOnly 'org.ow2.asm:asm:9.5' From 3841f146d0d5388bbbb68ed34de7f403b27dfe01 Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 16:12:04 -0500 Subject: [PATCH 18/18] [Backport 2.x] dependabot: bump org.xerial.snappy:snappy-java from 1.1.10.3 to 1.1.10.4 (#3396) Backport dfecc00dbcf16c8fe462c1b1c9b8794988b2fd12 from #3392. Signed-off-by: dependabot[bot] Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 7fb040b599..e8580a3fb5 100644 --- a/build.gradle 
+++ b/build.gradle @@ -432,7 +432,7 @@ configurations { force "io.netty:netty-transport-native-unix-common:${versions.netty}" force "org.apache.bcel:bcel:6.7.0" // This line should be removed once Spotbugs is upgraded to 4.7.4 force "com.github.luben:zstd-jni:${versions.zstd}" - force "org.xerial.snappy:snappy-java:1.1.10.3" + force "org.xerial.snappy:snappy-java:1.1.10.4" force "com.google.guava:guava:${guava_version}" } } @@ -562,7 +562,7 @@ dependencies { runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.19' runtimeOnly 'org.slf4j:slf4j-api:1.7.36' runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}" - runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.3' + runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.4' runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1' runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}" runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.5.1'