Skip to content

Add security provider earlier in bootstrap process #5749

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Oct 29, 2025
Merged

Add security provider earlier in bootstrap process #5749

merged 8 commits into from
Oct 29, 2025
+15 −15

Conversation

@terryquigleysas
Copy link
Contributor

@terryquigleysas terryquigleysas commented Oct 28, 2025
edited
Loading

Description

[Describe what this change achieves]

  • Category
    Bug fix, Refactoring
  • Why these changes are required?
    To aid the use of BCFKS using more JDKs the loading of the BCFIPS provider is moved earlier in the bootstrap process to ensure it is present before loading SSL settings
  • What is the old behavior before changes and new behavior after changes?
    Using BCFKS as the default keystore can fail

Related Issues

#3420
opensearch-project/documentation-website#11412

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

Ran the Bulk Integration Test action - all tests passing.
Tested custom build of Security plugin with the change on local deployment.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@terryquigleysas
Add security provider earlier in the bootstrap process
3a452fa 
Signed-off-by: Terry Quigley <[email protected]>
@terryquigleysas
spotless
d3a9f1e 
Signed-off-by: Terry Quigley <[email protected]>
@terryquigleysas
spotless
2f9a09b 
Signed-off-by: Terry Quigley <[email protected]>
@terryquigleysas
Add changelog entry
9a9a812 
Signed-off-by: Terry Quigley <[email protected]>
terryquigleysas and others added 2 commits October 28, 2025 11:04
@codecov
Copy link

codecov bot commented Oct 28, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.03%. Comparing base (da520a0) to head (22c9cfe).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #5749      +/-   ##
==========================================
- Coverage   73.12%   73.03%   -0.10%     
==========================================
  Files         435      435              
  Lines       26665    26665              
  Branches     3999     3999              
==========================================
- Hits        19499    19475      -24     
- Misses       5249     5275      +26     
+ Partials     1917     1915       -2
Files with missing lines Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java 85.27% <ø> (-0.13%) ⬇️
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java 84.06% <100.00%> (+0.45%) ⬆️

... and 8 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@terryquigleysas
remove warning suppression
7d21db9 
Signed-off-by: Terry Quigley <[email protected]>
@terryquigleysas
reduce number of calls
22c9cfe 
Signed-off-by: Terry Quigley <[email protected]>
@terryquigleysas
Copy link
Contributor Author

terryquigleysas commented Oct 29, 2025

@cwperks Is it possible to have this backported to the next 3.3.x release?

@cwperks
Copy link
Member

cwperks commented Oct 29, 2025

@cwperks Is it possible to have this backported to the next 3.3.x release?

@peterzhuamazon can this be included?

@cwperks cwperks merged commit 6f2b39a into opensearch-project:main Oct 29, 2025
120 of 125 checks passed
@opensearch-trigger-bot
Copy link
Contributor

opensearch-trigger-bot bot commented Oct 29, 2025

The backport to 3.3 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-3.3 3.3
# Navigate to the new working tree
pushd ../.worktrees/security/backport-3.3
# Create a new branch
git switch --create backport/backport-5749-to-3.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 6f2b39a6bfd826622289afd4c3728adcc4bcfa49
# Push it to GitHub
git push --set-upstream origin backport/backport-5749-to-3.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-3.3

Then, create a pull request where the base branch is 3.3 and the compare/head branch is backport/backport-5749-to-3.3.

@peterzhuamazon
Copy link
Member

peterzhuamazon commented Oct 29, 2025

Need manual backport and this will be the last PR to catch 3.3.2 release train as we need time to integTests.

@peterzhuamazon peterzhuamazon mentioned this pull request Oct 29, 2025
Closed
65 tasks
@cwperks cwperks mentioned this pull request Oct 29, 2025
Merged
5 tasks
@terryquigleysas terryquigleysas deleted the add-provider-earlier branch October 29, 2025 18:00
cwperks added a commit that referenced this pull request Oct 29, 2025
@cwperks @terryquigleysas @DarshitChanpura
[Backport 3.3] Add security provider earlier in bootstrap process (#5749
2fac622 
) (#5756)

Signed-off-by: Terry Quigley <[email protected]>
Signed-off-by: Terry Quigley <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Co-authored-by: Terry Quigley <[email protected]>
Co-authored-by: Darshit Chanpura <[email protected]>
@terryquigleysas
Copy link
Contributor Author

terryquigleysas commented Oct 29, 2025

I can confirm that the last changes we retested as stated originally and the reran Bulk Integration Test action - all tests passing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cwperks cwperks cwperks approved these changes

@RyanL1997 RyanL1997 RyanL1997 approved these changes

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho is a code owner

@nibix nibix Awaiting requested review from nibix nibix is a code owner

@peternied peternied Awaiting requested review from peternied

@reta reta Awaiting requested review from reta reta is a code owner

@shikharj05 shikharj05 Awaiting requested review from shikharj05 shikharj05 is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

Assignees

No one assigned

Labels

backport 3.3 backport-failed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@terryquigleysas @cwperks @peterzhuamazon @RyanL1997