Closed KostasTsiounis closed 2 months ago
It would be helpful to have a fuller description here of how users will interact with this change, including what the restrictions are and perhaps some examples.
I removed the isFIPS1402()
method, as it's no longer needed by https://github.com/ibmruntimes/openj9-openjdk-jdk/pull/758
I think the changes are good. Please squash and ensure that the commit message accurately and adequately describes these changes.
Squashed and updated commit message to match issue description.
Jenkins copyright check
Jenkins line endings check
Jenkins test sanity zlinux jdknext
Testing in https://openj9-jenkins.osuosl.org/job/Grinder/3673 failed because a newer version of jtreg is required. See https://github.com/adoptium/TKG/pull/573 and https://github.com/adoptium/ci-jenkins-pipelines/pull/1051 that aim to address that.
In the meantime, you could start back-porting this to jdk23, jdk22, etc.
Merging on the strength of testing results in https://github.com/ibmruntimes/openj9-openjdk-jdk23/pull/2.
RestrictedSecurity
profiles sometimes share a lot of duplicate settings with only minor differences. With these changes the extension, similar to object-orientation, of profiles becomes possible.More specifically, a profile
A
can extend another a profileB
, usingRestrictedSecurity.<profile A name>.extends = RestrictedSecurity.<profile B name>
. This allows profileA
to inherit all of profileB
's properties. One can add additional properties to profileA
, or amend some of the existing ones. That includes overriding, appending or removing from a property (wherever that's applicable).An additional property is introduced. The
RestrictedSecurity.<profile name>.desc.hash = <hash algorithm>:<hash>
is used to ensure the profile hasn't been unintentionally altered. The profile's properties are hashed using the selected<hash algorithm>
, and the result is compared to the<hash>
provided through the property. This property is mandatory for base profiles (i.e., profiles that are not extending anything), and optional for the rest.Signed-off by: Kostas Tsiounis kostas.tsiounis@ibm.com