Following discussion on https://github.com/opensearch-project/OpenSearch/issues/5504, it is clear that jackson-databind is not an ideal long term solution for both core and plugins. The jackson-databind library contains ObjectMapper, which uses a reflective access permission with no way to mitigate the access. On the other hand, the GSON library allows filters to be placed to limit the reflective access permission. Based on the suggestions in the linked issue and my own research, a combination of GSON for JSON functionality and SnakeYAML for YAML functionality appears to be the best way forward. A proof of concept is needed to provide an example of how to perform this change.
So far, I have removed several occurrences of ObjectMapper from the SQL plugin on a local machine. Following further research and exploration, a PR (maybe draft) will be raised to demonstrate different use cases where ObjectMapper from jackson-databind can be replaced by GSON. This issue will track the progress of the proof of concept.
Following discussion on https://github.com/opensearch-project/OpenSearch/issues/5504, it is clear that jackson-databind is not an ideal long term solution for both core and plugins. The jackson-databind library contains
ObjectMapper, which uses a reflective access permission with no way to mitigate the access. On the other hand, the GSON library allows filters to be placed to limit the reflective access permission. Based on the suggestions in the linked issue and my own research, a combination of GSON for JSON functionality and SnakeYAML for YAML functionality appears to be the best way forward. A proof of concept is needed to provide an example of how to perform this change.So far, I have removed several occurrences of ObjectMapper from the SQL plugin on a local machine. Following further research and exploration, a PR (maybe draft) will be raised to demonstrate different use cases where ObjectMapper from jackson-databind can be replaced by GSON. This issue will track the progress of the proof of concept.