Initial trivial hello-world entitlements agent #113112
Conversation
elasticsearchmachine
added
Team:Core/Infra
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
|
|
||
| test { | ||
| dependsOn(jar) | ||
| jvmArgs "-javaagent:${jar.archiveFile.get().asFile}" |
There was a problem hiding this comment.
I don't think this will work. The string interpolation will happen at gradle configuration time, but it needs to be delayed to runtime. In the past I've done hacks with GString like "${-> '-javaagent:' + jar.archiveFile.get().asFile}, but I'm sure @mark-vieira has a better way to do that lazy evaluation now.
There was a problem hiding this comment.
Is this supposed to start ES with the agent? If so, how we would do that?
I think it's a good idea to add a minimal README.md (just a few lines atm with the basic purpose of this entitlements-agent project and how to launch it).
There was a problem hiding this comment.
Does it need to be delayed to runtime if it's only for the agent's own unit tests?
There was a problem hiding this comment.
@rjernst - can I merge it like this? Or does it need to be changed?
There was a problem hiding this comment.
@breskeby - is this something you know about?
There was a problem hiding this comment.
you applied my suggestion and I verified the fix locally seeing the agent is correctly applied to the tests and we didn't break task avoidance: https://gradle-enterprise.elastic.co/s/q7l56qcrj2cbm/performance/configuration/by-project?openProjects=WyJwcm9qZWN0LTpkaXN0cmlidXRpb246dG9vbHM6ZW50aXRsZW1lbnQtYWdlbnQiXQ#project-:distribution:tools:entitlement-agent
👍
There was a problem hiding this comment.
can I merge it like this? Or does it need to be changed?
Two jars seem like an unnecessary distinction to me. But I'm ok with merging as-is and debating that separately.
| public class EntitlementChecks { | ||
| static boolean agentSaidHello = false; | ||
|
|
||
| public static void helloFromAgent() { |
There was a problem hiding this comment.
can we make this not public? It should be an impl detail?
I also would prefer it not be "hello" (sounds like a toy project), but something that can go into production like "agent booted".
There was a problem hiding this comment.
If I selectively export it to the agent, then public is ok, right?
|
@rjernst - The idea was to separate the agent code from the runtime permission-checking code. The latter is always required to be present in a running Elasticsearch process, even if we do ahead-of-time instrumentation, but the former is only required if we're using an agent. |
|
|
||
| test { | ||
| dependsOn(jar) | ||
| jvmArgs "-javaagent:${jar.archiveFile.get().asFile}" |
There was a problem hiding this comment.
Is this supposed to start ES with the agent? If so, how we would do that?
I think it's a good idea to add a minimal README.md (just a few lines atm with the basic purpose of this entitlements-agent project and how to launch it).
|
@ldematte - no, that makes the agent module start its own unit tests with the agent attached. I don't have a test for ES booting with the agent. |
I was referring more at a |
|
(I'm OK with adding that in a follow up PR too - I'd prefer slightly to do it now so this PR is nice and well-contained, but either way works for me. Same for the IT test(s), I have a slight preference to have them added now but you can raise another PR later). |
...ution/tools/entitlements-agent/src/main/java/org/elasticsearch/entitlements/agent/Agent.java
Outdated
Show resolved
Hide resolved
|
Just writing this down here so we don't forget: besides an option to run it manually, it would be great if we can have a flag or something to run the whole CI tests with the agent enable. Of course, optionally! |
|
It won't be long before we want our agent always running in all tests, and even in production. |
Co-authored-by: Rene Groeschke <rene@breskeby.com>
Co-authored-by: Rene Groeschke <rene@breskeby.com>
Co-authored-by: Rene Groeschke <rene@breskeby.com>
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* Initial hello-world entitlements agent
* Respond to Ryan's comments
* License header
* Fix forbidden APIs setup
* Rename EntitlementAgent
* Automated refactor missed one
* Automated rename really let me down here
* Very serious test name
* README files for the new modules
* Use "tasks.named('jar')"
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* Use 'tasks.named('test')'
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* More deferral of gradle tasks
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* Even more deferral
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* FIx gradle syntax for javaagent arg
---------
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* Initial trivial hello-world entitlements agent (#113112) * Initial hello-world entitlements agent * Respond to Ryan's comments * License header * Fix forbidden APIs setup * Rename EntitlementAgent * Automated refactor missed one * Automated rename really let me down here * Very serious test name * README files for the new modules * Use "tasks.named('jar')" Co-authored-by: Rene Groeschke <rene@breskeby.com> * Use 'tasks.named('test')' Co-authored-by: Rene Groeschke <rene@breskeby.com> * More deferral of gradle tasks Co-authored-by: Rene Groeschke <rene@breskeby.com> * Even more deferral Co-authored-by: Rene Groeschke <rene@breskeby.com> * FIx gradle syntax for javaagent arg --------- Co-authored-by: Rene Groeschke <rene@breskeby.com> * Entitlements for System.exit (#114015) * Entitlements for System.exit * Respond to Simon's comments * Rename trampoline -> bridge * Require exactly one bridge jar * Use Type helpers to generate descriptor strings * Various cleanup from PR comments * Remove null "receiver" for static methods * Use List<Type> instead of voidDescriptor * Clarifying comment * Whoops, getMethod * SuppressForbidden System.exit * Spotless * Use embedded provider plugin to keep ASM off classpath * Oops... forgot the punchline * Move ASM license to impl * Use ProviderLocator and simplify bridgeJar logic * Avoid eager resolution of configurations during task configuration * Remove compile-time dependency agent->bridge --------- Co-authored-by: Mark Vieira <portugee@gmail.com> * Initial InstrumenterTests (#114422) * Initial InstrumenterTests * Assert on instrumentation method arguments --------- Co-authored-by: Rene Groeschke <rene@breskeby.com> Co-authored-by: Mark Vieira <portugee@gmail.com>
The agent just calls a method to announce it has booted.