Make cacheEntry.getIndexInput() privileged when fetching blobs from remote snapshot #16544
❌ Gradle check result for 98858d8: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
c6592a3 to b60f058
❌ Gradle check result for b60f058: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
❌ Gradle check result for 1fdfb53: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
…emote store Signed-off-by: Finn Carroll <[email protected]>
Signed-off-by: Finn Carroll <[email protected]>
Signed-off-by: Finn Carroll <[email protected]>
Signed-off-by: Finn Carroll <[email protected]>
Signed-off-by: Finn Carroll <[email protected]>
…tion. Signed-off-by: Finn Carroll <[email protected]>
Signed-off-by: Finn Carroll <[email protected]>
b033248 to bcd13ff
…ransferManager.java Co-authored-by: Andriy Redko <[email protected]> Signed-off-by: Finn <[email protected]>
Signed-off-by: Finn Carroll <[email protected]>
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #16544      +/-   ##
============================================
+ Coverage     72.00%   72.07%   +0.06%
- Complexity    65038    65106      +68
============================================
  Files          5313     5314       +1
  Lines        303454   303541      +87
  Branches      43910    43921      +11
============================================
+ Hits         218510   218762     +252
+ Misses        67040    66908     -132
+ Partials      17904    17871      -33
The backport to
To backport manually, run these commands in your terminal:
# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-16544-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 4213cc27305c37ea71e5b5a5addd17e5383e8029
# Push it to GitHub
git push --set-upstream origin backport/backport-16544-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x
Then, create a pull request where the
…emote snapshot (#16544)
* Make cacheEntry.getIndexInput() privileged when fetching blobs from remote store
Signed-off-by: Finn Carroll <[email protected]>
* Rebase
Signed-off-by: Finn Carroll <[email protected]>
* Spotless apply
Signed-off-by: Finn Carroll <[email protected]>
* Clean up doPrivileged calls
Signed-off-by: Finn Carroll <[email protected]>
* Comment
Signed-off-by: Finn Carroll <[email protected]>
* Move fetchBlob to PrivilegedExceptionAction. Catch and unwrap IOException.
Signed-off-by: Finn Carroll <[email protected]>
* Unused import
Signed-off-by: Finn Carroll <[email protected]>
* Update server/src/main/java/org/opensearch/index/store/remote/utils/TransferManager.java
Co-authored-by: Andriy Redko <[email protected]>
Signed-off-by: Finn <[email protected]>
* Typo 'thrown'. Catch and throw unknown exception as IOException.
Signed-off-by: Finn Carroll <[email protected]>
---------
Signed-off-by: Finn Carroll <[email protected]>
Signed-off-by: Finn <[email protected]>
Co-authored-by: Andriy Redko <[email protected]>
(cherry picked from commit 4213cc2)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…emote snapshot (#16544) (#16582)
* Make cacheEntry.getIndexInput() privileged when fetching blobs from remote store
* Rebase
* Spotless apply
* Clean up doPrivileged calls
* Comment
* Move fetchBlob to PrivilegedExceptionAction. Catch and unwrap IOException.
* Unused import
* Update server/src/main/java/org/opensearch/index/store/remote/utils/TransferManager.java
* Typo 'thrown'. Catch and throw unknown exception as IOException.
---------
(cherry picked from commit 4213cc2)
Signed-off-by: Finn Carroll <[email protected]>
Signed-off-by: Finn <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Andriy Redko <[email protected]>
Description
See comment.
The transfer manager needs elevated permissions when calling getIndexInput() on the cache entry such that it can do disk I/O necessary to download new blobs from the remote snapshot store. These additional permissions are only required in the case of scripted queries, which run in a different security context.
Related Issues
Resolves #[Issue number to be closed when this PR is merged]
#16542
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
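The pattern named in the description and commit list (run the disk I/O inside a PrivilegedExceptionAction, then catch and unwrap the IOException), as an added example that is not the code from this pull request or from OpenSearch. The class PrivilegedFetchExample and the methods loadBlob and fetchPrivileged are hypothetical stand-ins for the real fetch path.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical illustration; names here are assumptions, not OpenSearch classes.
public class PrivilegedFetchExample {

    // Hypothetical loader standing in for the disk I/O done while fetching a blob.
    static byte[] loadBlob(Path cached) throws IOException {
        return Files.readAllBytes(cached);
    }

    // Runs only the I/O with this class's own permissions, so a less-privileged
    // frame further up the stack (such as script code) does not fail the check.
    // Keep the privileged scope this narrow and do not let untrusted input pick the path.
    @SuppressWarnings("removal") // AccessController is deprecated for removal since JDK 17
    static byte[] fetchPrivileged(Path cached) throws IOException {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<byte[]>) () -> loadBlob(cached));
        } catch (PrivilegedActionException e) {
            // doPrivileged wraps checked exceptions; restore the type callers expect.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            // Any other checked exception is unexpected: rethrow it as an IOException.
            throw new IOException(cause);
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempFile("blob", ".bin"); // constructed sample input
        Files.write(tmp, new byte[] {1, 2, 3});
        System.out.println(fetchPrivileged(tmp).length);
        Files.delete(tmp);
        try {
            fetchPrivileged(tmp); // file is gone: the IOException arrives unwrapped
        } catch (IOException e) {
            System.out.println(e.getClass().getSimpleName());
        }
    }
}
```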