Add support for -Dbuild.snapshot=true/false and default to building snapshot.

[dblock]

Signed-off-by: dblock [email protected]

opensearch-security pull request intake form

Please provide as much details as possible to get feedback/acceptance on your PR quickly

1. Category: (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Maintenance

2. Github Issue # or road-map entry, if available:

#1403

3. Description of changes:

• Default to building a -SNAPSHOT version of this plugin.
• Adds support for passing -Dbuild.snapshot=false to not build a snapshot.

The downside is that the pom.xml is incorrect for -SNAPSHOT build (contains non-snapshot version because pom.xml doesn't know anything about profiles).

4. Why these changes are required?

Building the end-to-end bundle needs the artifacts to be able to build snapshot vs. not snapshot.

5. What is the old behavior before changes and new behavior after changes? (Please add any example/logs/screen-shot if available)

The build could only produce a snapshot version vs. non-snapshot.

6. Testing done: (Please provide details of testing done: Unit testing, integration testing and manual testing)

Snapshot (default)

mvn -B clean package -Padvanced -DskipTests

[INFO] -----------------< org.opensearch:opensearch-security >-----------------
[INFO] Building OpenSearch Security 1.1.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------

...

[INFO] --- maven-jar-plugin:3.1.1:jar (default-jar) @ opensearch-security ---
[INFO] Building jar: /home/ubuntu/source/opensearch-project/security/dblock-security/target/opensearch-security-1.1.0.0-SNAPSHOT.jar
[INFO]
[INFO] --- git-commit-id-plugin:2.2.6:validateRevision (validate-the-git-infos) @ opensearch-security ---
[INFO]
[INFO] --- maven-jar-plugin:3.1.1:test-jar (default) @ opensearch-security ---
[INFO] Building jar: /home/ubuntu/source/opensearch-project/security/dblock-security/target/opensearch-security-1.1.0.0-SNAPSHOT-tests.jar
[INFO]
[INFO] --- maven-assembly-plugin:3.1.1:single (plugin) @ opensearch-security ---
[INFO] Reading assembly descriptor: /home/ubuntu/source/opensearch-project/security/dblock-security/src/main/assemblies/plugin.xml
[INFO] Building zip: /home/ubuntu/source/opensearch-project/security/dblock-security/target/releases/opensearch-security-1.1.0.0-SNAPSHOT.zip
[INFO] 
[INFO] --- maven-assembly-plugin:3.1.1:single (securityadmin) @ opensearch-security ---
[INFO] Reading assembly descriptor: /home/ubuntu/source/opensearch-project/security/dblock-security/src/main/assemblies/securityadmin-standalone.xml
[WARNING] The following patterns were never triggered in this artifact exclusion filter:
o  'org.opensearch:dlic*'

[INFO] Building zip: /home/ubuntu/source/opensearch-project/security/dblock-security/target/releases/opensearch-security-1.1.0.0-SNAPSHOT-securityadmin-standalone.zip
[WARNING] The following patterns were never triggered in this artifact exclusion filter:
o  'org.opensearch:dlic*'

[INFO] Building tar: /home/ubuntu/source/opensearch-project/security/dblock-security/target/releases/opensearch-security-1.1.0.0-SNAPSHOT-securityadmin-standalone.tar.gz
[INFO] 
[INFO] --- checksum-maven-plugin:1.7.1:files (default) @ opensearch-security ---
[INFO] opensearch-security-1.1.0.0-SNAPSHOT.zip - SHA-512 : e9f9434e058ddfeb3be9468889afcc46cf031c9591b79317fd0cb60cc16e6a5eda5951bfb86a5a1c1551af2b29b1e37f7bff1976c918521bdd987f888bbe73ab
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

$ unzip -p target/opensearch-security-1.1.0.0-SNAPSHOT.jar META-INF/MANIFEST.MF
Manifest-Version: 1.0
Created-By: Apache Maven 3.6.3
Build-Jdk: 14.0.2
Implementation-Title: OpenSearch Security
Implementation-Version: 1.1.0.0-SNAPSHOT <-------------------------------------------
Implementation-Vendor-Id: org.opensearch
Implementation-URL: https://github.com/opensearch-project/security
Build-Time: 2021-08-30T22:05:33Z
Built-By: Amazon OpenDistro ElasticSearch Security Parent
git-sha1: 7d3518f77f7e614e7bec8523b2c867b34f1b67d6

Not Snapshot

mvn -B clean package -Padvanced -DskipTests -Dbuild.snapshot=false

[INFO] -----------------< org.opensearch:opensearch-security >-----------------
[INFO] Building OpenSearch Security 1.1.0.0
[INFO] --------------------------------[ jar ]---------------------------------

...

[INFO] --- maven-jar-plugin:3.1.1:test-jar (default) @ opensearch-security ---
[INFO] Building jar: /home/ubuntu/source/opensearch-project/security/dblock-security/target/opensearch-security-1.1.0.0-tests.jar
[INFO] 
[INFO] --- maven-assembly-plugin:3.1.1:single (plugin) @ opensearch-security ---
[INFO] Reading assembly descriptor: /home/ubuntu/source/opensearch-project/security/dblock-security/src/main/assemblies/plugin.xml
[INFO] Building zip: /home/ubuntu/source/opensearch-project/security/dblock-security/target/releases/opensearch-security-1.1.0.0.zip
[INFO] 
[INFO] --- maven-assembly-plugin:3.1.1:single (securityadmin) @ opensearch-security ---
[INFO] Reading assembly descriptor: /home/ubuntu/source/opensearch-project/security/dblock-security/src/main/assemblies/securityadmin-standalone.xml
[WARNING] The following patterns were never triggered in this artifact exclusion filter:
o  'org.opensearch:dlic*'

[INFO] Building zip: /home/ubuntu/source/opensearch-project/security/dblock-security/target/releases/opensearch-security-1.1.0.0-securityadmin-standalone.zip
[WARNING] The following patterns were never triggered in this artifact exclusion filter:
o  'org.opensearch:dlic*'

[INFO] Building tar: /home/ubuntu/source/opensearch-project/security/dblock-security/target/releases/opensearch-security-1.1.0.0-securityadmin-standalone.tar.gz
[INFO] 
[INFO] --- checksum-maven-plugin:1.7.1:files (default) @ opensearch-security ---
[INFO] opensearch-security-1.1.0.0.zip - SHA-512 : 57fa1109843795d12f0c56b51e3352b1e50aa9bdaf4dbf05bb17517019c46f6f95774f0e3d020a422a9b7692dc2e4cb9e19d561101dbe0a383f226701dc4ada0
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

$ unzip -p target/opensearch-security-1.1.0.0.jar META-INF/MANIFEST.MF
Manifest-Version: 1.0
Created-By: Apache Maven 3.6.3
Build-Jdk: 14.0.2
Implementation-Title: OpenSearch Security
Implementation-Version: 1.1.0.0 <------------------------------------------
Implementation-Vendor-Id: org.opensearch
Implementation-URL: https://github.com/opensearch-project/security
Build-Time: 2021-08-30T22:02:25Z
Built-By: Amazon OpenDistro ElasticSearch Security Parent
git-sha1: 7d3518f77f7e614e7bec8523b2c867b34f1b67d6

In a previous iteration of this PR, installed opensearch-security plugin on OpenSearch 1.1.0, and started the cluster.

7. TO-DOs, if any: (Please describe pending items and provide Github issues# for each of them)

Use the profile to depend on OpenSearch 1.1.0-SNAPSHOT as well.

8. Is it backport from main branch? (If yes, please add backport PR # and commits #)

No

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[vrozov]

Building SNAPSHOT must be a separate PR from upgrade to OpenSearch 1.1, especially that there is already open PR #1335.

[codecov-commenter]

Codecov Report

Merging #1409 (a0299e6) into main (f66c4bd) will increase coverage by 0.02%.
The diff coverage is n/a.

❗ Current head a0299e6 differs from pull request most recent head 4fa717e. Consider uploading reports for the commit 4fa717e to get more accurate results

@@             Coverage Diff              @@
##               main    #1409      +/-   ##
============================================
+ Coverage     64.79%   64.81%   +0.02%     
  Complexity     3214     3214              
============================================
  Files           247      247              
  Lines         17264    17264              
  Branches       3053     3053              
============================================
+ Hits          11186    11190       +4     
+ Misses         4529     4525       -4     
  Partials       1549     1549              

Impacted Files	Coverage Δ
...security/configuration/DlsFlsFilterLeafReader.java	59.76% <0.00%> (-0.71%)	⬇️
...org/opensearch/security/rest/TenantInfoAction.java	88.23% <0.00%> (+10.29%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cd47f31...4fa717e. Read the comment docs.

[dblock]

I'll be happy to rebase this on top of #1335 when it's merged.

[dblock]

There's probably some more that can be done here to make plugin-descriptor.properties auto-populate these versions.

[cliu123]

@dblock With this PR merged, the main branch now support OpenSearch 1.1. Please rebase this branch against main branch.

[dblock]

This is ready to review @vrozov @cliu123.

[cliu123]

This is security plugin version, not the OpenSearch version. If the goal of this PR is to add -SNAPSHOT suffix in the OpenSearch version, this line doesn't need to be changed.

[dblock]

The plugin version needs to be incremented because we're building OpenSearch 1.1. Every other plugin says it's version 1.1.0.0-SNAPSHOT.

[vrozov]

I would expect 1.1.0.0-SNAPSHOT, not 1.1.0.0. If it is not snapshot, version should not be changed.

[dblock]

This properties file by default has a number without snapshot. Then, with a profile, we change it to be -SNAPSHOT unless -Dbuild.snapshot=false. You can't have the logical condition the other way around if you want the default to be -Dbuild.snapshot=false.

[cliu123]

This is referenced on the line 37 that is security plugin version. Same as this comment, doesn't seem to need a change at here. If yes, this is the example PR to bump plugin version.

[dblock]

It had to move to properties or you cannot set it via a profile.

[cliu123]

Why are we removing the tag here?

[dblock]

What is the purpose of it here? I believe it's unused.

[vrozov]

<url>, <connection> and <developerConnection> are not used either. It is there mostly for historical reasons. I don't see a good reason to remove <tag> only.

[cliu123]

Looks like this PR is bumping security version from 1.0.1.0 to 1.1.0.0. If that's the case, is that the case?

[dblock]

Yes, this is the case, I updated the description of the PR.

[vrozov]

Must be consistent with plugin-descriptor.properties, I don't see how this can be done using profiles.

[dblock]

Update: by default the version comes from plugin.properties and is set to 1.1.0.0. This sets the version to 1.1.0.0-SNAPSHOT unless you specify -Dbuild.snapshot=false. Meaning it sets it by default. This effectively enables building both, snapshot or not snapshot, with snapshot by default.

If you put 1.1.0.0-SNAPSHOT in the properties file, then this profile condition would have to be inverted. But then the default can't be snapshot=true.

[cliu123]

Tested the following cases:

• Built security plugin on OpenSearch 1.1.0-SNAPSHOT. The build reproduces opensearch-security-1.1.0.0-SNAPSHOT.zip
• Installed opensearch-security plugin on OpenSearch 1.1.0, and started the cluster.
• CD run

[dblock]

Ready to re-review.

[vrozov]

This changes version of OpenSearch and not the security plugin to -SNAPSHOT. It was supposed to be part of #1335. @cliu123 I'd prefer to have a separate PR that changes OpenSearch dependency version to -SNAPSHOT

[dblock]

It does both at build time.

[vrozov]

CD runs for release and should not use SNAPSHOT version of OpenSearch.

[vrozov]

CD runs for release and should not produce SNAPSHOT versions of .rpm and .deb packages.

[vrozov]

I would expect 1.1.0.0-SNAPSHOT, not 1.1.0.0. If it is not snapshot, version should not be changed.

[vrozov]

OpenSearch version change should be part of another PR.

[vrozov]

<url>, <connection> and <developerConnection> are not used either. It is there mostly for historical reasons. I don't see a good reason to remove <tag> only.

[vrozov]

Must be consistent with plugin-descriptor.properties, I don't see how this can be done using profiles.

[dblock]

@vrozov

We failed at having a scalable mechanism to distribute maven credentials across 15 plugins, so whereas OpenSearch bundle build 1.0 picked up output from security plugin CD, it will not for 1.1. Bundle will build from the top, including opensearch-min and security plugin, from source. Given that, this change ensures that security CD doesn't build an artifact that can be accidentally promoted to a release, i.e. always depend on a snapshot version of OpenSearch and produce a snapshot version of security plugin. The change in profiles does that, defaults to snapshot build unless you explicitly specify -Dbuild.snapshot=false, this is net new.

The plugin built in bundle is version 1.1, not 1.0.1. Unlike in ODFE or 1.0, plugins are now aligning with OpenSearch: when development starts on version X in a branch 'X', the version in that branch is incremented to X.

Given that, what do you need me to change in this PR to get this in?

[vrozov]

@dblock

• Security plugin CD pipeline does not publish anything to maven, it creates github draft release.
• Plugin version matches OpenSearch version in the first 3 digits. The last digit can be independently changed by the plugin.
• Changing dependency on OpenSearch from 1.1.0 to 1.1.0-SNAPSHOT is a self contained change similar to how version was changed from 1.0.0 to 1.1.0 in Upgrade OpenSearch version to 1.1.0 #1335. Prerequisite of building OpenSearch locally or in CI/CD introduces lots of confusion and is error prone ([BUG] Plugin does not build #1400).
• I don't quite understand how profile can be used to switch between SNAPSHOT and release. That will allow to use any random commit to build release version that is not supposed to be the release version. Additionally, maven profile has no impact on plugin-descriptor.properties, so profile solution is not complete.

[dblock]

@dblock

• Security plugin CD pipeline does not publish anything to maven, it creates github draft release.

I was trying to explain how we ended up here. The CD pipeline output is not used by anyone other than dev at this point, and thus should be a snapshot build that depends on OpenSearch snapshot.

• Plugin version matches OpenSearch version in the first 3 digits. The last digit can be independently changed by the plugin.

Yes.

• Changing dependency on OpenSearch from 1.1.0 to 1.1.0-SNAPSHOT is a self contained change similar to how version was changed from 1.0.0 to 1.1.0 in Upgrade OpenSearch version to 1.1.0 #1335. Prerequisite of building OpenSearch locally or in CI/CD introduces lots of confusion and is error prone ([BUG] Plugin does not build #1400).

I am not trying to change dependency from OpenSearch 1.1.0 to 1.1.0-SNAPSHOT. I am trying to make security plugin build against 1.1.0-SNAPSHOT by default, and 1.1.0 if -Dbuild.snapshot=false is specified. I can split these commits if it helps, but it will hide this fact. Just tell me what to do.

The pre-requisite of building OpenSearch locally will go away with opensearch-project/opensearch-build#20.

• I don't quite understand how profile can be used to switch between SNAPSHOT and release. That will allow to use any random commit to build release version that is not supposed to be the release version. Additionally, maven profile has no impact on plugin-descriptor.properties, so profile solution is not complete.

A released version is one that is tested as part of the bundle, signed and uploaded to opensearch.org. Every daily build can be a release candidate and is "declared" release by signing and publishing. Are you proposing to manually change 1.1.0-SNAPSHOT to 1.1.0 when "we are ready"? That seems like a ton of busy work.

We have two pipelines:

• CI in this repo, needs to build snapshot
• Bundle pipeline, needs to build release

Plugins have had -Dbuild.snapshot=true/false forever, except security plugin. How do you propose we accomplish this for the security plugin?

I will deal with plugin-descriptor.properties when we settle simpler questions.

[vrozov]

Plugins have had -Dbuild.snapshot=true/false forever, except security plugin. How do you propose we accomplish this for the security plugin?

Other plugins had this option as they utilize OpenSearch gradle extension. Security plugin is not built with gradle, it is built with maven and never supported -Dbuild.snapshot. I still don't see how that can be done in maven due to dependency issue and impact on plugin-descriptor.properties.

[vrozov]

I was trying to explain how we ended up here. The CD pipeline output is not used by anyone other than dev at this point, and thus should be a snapshot build that depends on OpenSearch snapshot.

While CD pipeline is no longer used to publish to maven and to S3 to produce distribution bundle, it is used to create release draft on github. There is no usage of CD pipeline outside of release build. For PR and builds on main CI is used.

[dblock]

Extracted version increment into #1429.

[dblock]

A hacky-er alternative, opensearch-project/opensearch-build#356.

[vrozov]

Maven does not support using the same pom.xml to describe artifacts with two different versions (for example 1.1.0.0 and 1.1.0.0-SNAPSHOT). The proposed solution only works to generate .jar and .zip artifacts during the build. AFAIK, such pom.xml with dual versions will be invalid should it be installed into local and/or remote maven repository.

@dblock I would vote for the other solution that you proposed opensearch-project/opensearch-build#356

[dblock]

I agree, closing in favor of opensearch-project/opensearch-build#356.