search

opensearch-project / OpenSearch

🔎 Open source distributed and RESTful search engine.
https://opensearch.org/docs/latest/opensearch/index/
Apache License 2.0
9.87k stars 1.84k forks source link

Make cacheEntry.getIndexInput() privileged when fetching blobs from remote snapshot #16544

Closed finnegancarroll closed 3 weeks ago

finnegancarroll commented 3 weeks ago

Description

See comment.

The transfer manager needs elevated permissions when calling getIndexInput() on the cache entry such that it can do disk io necessary to download new blobs from the remote snapshot store. These additional permissions are only required in the case of scripted queries, which run in a different security context.

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

16542

Check List

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.

github-actions[bot] commented 3 weeks ago

:x: Gradle check result for 98858d8728a8208f10243cc4de453dfa47174ebe: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions[bot] commented 3 weeks ago

:x: Gradle check result for b60f0581170e28d0659bb6520c896d17ac432ad4: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions[bot] commented 3 weeks ago

:x: Gradle check result for 1fdfb53d2cf384c47c4e0e11eb3a08ab4a7720df: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions[bot] commented 3 weeks ago

:white_check_mark: Gradle check result for 7978e4e928d025d2140c9605c05d523c0af75d4b: SUCCESS

codecov[bot] commented 3 weeks ago

Codecov Report

Attention: Patch coverage is 68.75000% with 5 lines in your changes missing coverage. Please review.

Project coverage is 72.07%. Comparing base (0363aa7) to head (7978e4e). Report is 8 commits behind head on main.

Files with missing lines Patch % Lines
...arch/index/store/remote/utils/TransferManager.java 68.75% 3 Missing and 2 partials :warning:
Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #16544 +/- ## ============================================ + Coverage 72.00% 72.07% +0.06% - Complexity 65038 65106 +68 ============================================ Files 5313 5314 +1 Lines 303454 303541 +87 Branches 43910 43921 +11 ============================================ + Hits 218510 218762 +252 + Misses 67040 66908 -132 + Partials 17904 17871 -33 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

opensearch-trigger-bot[bot] commented 3 weeks ago

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-16544-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 4213cc27305c37ea71e5b5a5addd17e5383e8029
# Push it to GitHub
git push --set-upstream origin backport/backport-16544-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-16544-to-2.x.