The org.opensearch.bootstrap.Security should support codebase for JAR files with classifiers

[reta]

Description

The issue came out while integration OpenSearch test scaffolding with security plugin. The org.opensearch.bootstrap.Security analyzes the classpath and injects the codebase.* system property for each JAR entry found (so it could be referenced in security policy files), for example:

...

grant codeBase "${codebase.zstd-jni}" {
  permission java.lang.RuntimePermission "loadLibrary.*";
};

grant codeBase "${codebase.jna}" {
  // for registering native methods
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};

...

The codebase.* suffix is constructed from the JAR file name by stripping the version (and .jar extension). However, it causes the issues when there same artifacts with classifiers referenced, for example:

• netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar and netty-tcnative-boringssl-static-2.0.61.Final.jar
• kafka-server-common-3.6.1-test.jar and kafka-server-common-3.6.1.jar

Although different, these artifacts are folded into same codebase suffix, causing the bootstrap process to fail.

The pull request adds support for artifacts (JARs) with classifiers so they could be distinguished (and also referenced in security policy): codebase.*@. For example:

grant codeBase "${codebase.netty-tcnative-boringssl-static@linux-x86_64}" {
  ...
};

grant codeBase "${codebase.kafka-server-common@test}" {
  ...
};

Related Issues

Closes #12581

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
• Commits are signed per the DCO using --signoff
• Commit changes are listed out in CHANGELOG.md file (See: Changelog)
• Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[github-actions]

Compatibility status:

Checks if related components are compatible with change bc7b424

Incompatible components

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/flow-framework.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/performance-analyzer.git]

[github-actions]

✅ Gradle check result for 3c0613b: SUCCESS

[codecov]

Codecov Report

Attention: Patch coverage is 80.00000% with 6 lines in your changes are missing coverage. Please review.

Project coverage is 71.41%. Comparing base (b15cb0c) to head (bc7b424).
Report is 6 commits behind head on main.

Files	Patch %	Lines
...c/main/java/org/opensearch/bootstrap/Security.java	80.00%	4 Missing and 2 partials ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #12586      +/-   ##
============================================
- Coverage     71.42%   71.41%   -0.01%     
+ Complexity    59978    59969       -9     
============================================
  Files          4985     4985              
  Lines        282275   282295      +20     
  Branches      40946    40949       +3     
============================================
- Hits         201603   201598       -5     
+ Misses        63999    63990       -9     
- Partials      16673    16707      +34     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

❌ Gradle check result for 9befa6e: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c15169d: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❕ Gradle check result for bc7b424: UNSTABLE

• TEST FAILURES:

      1 org.opensearch.cluster.allocation.ClusterRerouteIT.testDelayWithALargeAmountOfShards

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

[reta]

@andrross @dblock @peternied folks mind taking a look please? thank you!

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-12586-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 07e79e3bec7732cc347bf36d934631e6f87a8216
# Push it to GitHub
git push --set-upstream origin backport/backport-12586-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-12586-to-2.x.