Merge branch 'main' into add_skip_factor

Signed-off-by: kkewwei <kewei.11@bytedance.com>

Author: kkewwei

.github/workflows/publish-maven-snapshots.yml

@@ -25,16 +25,16 @@ jobs:
           distribution: temurin
           java-version: 21
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - name: Load secret
+        uses: 1password/load-secrets-action@v2
         with:
-          role-to-assume: ${{ secrets.PUBLISH_SNAPSHOTS_ROLE }}
-          aws-region: us-east-1
+          # Export loaded secrets as environment variables
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          SONATYPE_USERNAME: op://opensearch-infra-secrets/maven-central-portal-credentials/username
+          SONATYPE_PASSWORD: op://opensearch-infra-secrets/maven-central-portal-credentials/password
 
       - name: Publish snapshots to maven
         run: |
-          export SONATYPE_USERNAME=$(aws secretsmanager get-secret-value --secret-id maven-snapshots-username --query SecretString --output text)
-          export SONATYPE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id maven-snapshots-password --query SecretString --output text)
-          echo "::add-mask::$SONATYPE_USERNAME"
-          echo "::add-mask::$SONATYPE_PASSWORD"
           ./gradlew publishNebulaPublicationToSnapshotsRepository

.github/workflows/trigger-manifest-generation.yml

@@ -0,0 +1,17 @@
+name: Trigger manifest generation workflow
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - buildSrc/version.properties
+
+jobs:
+  trigger-manifest-workflow:
+    if: github.repository == 'opensearch-project/OpenSearch'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger manifest-update workflow
+        run: |
+            echo "Triggering manifest-update workflow at https://build.ci.opensearch.org/job/manifest-update/"
+            curl -f -X POST https://build.ci.opensearch.org/job/manifest-update/build --user ${{ secrets.JENKINS_GITHUB_USER}}:${{ secrets.JENKINS_GITHUB_USER_TOKEN}}

.github/workflows/version.yml

@@ -29,7 +29,7 @@ jobs:
           fi
           CURRENT_VERSION_ARRAY=($(echo "$TAG" | tr . '\n'))
           BASE=$(IFS=. ; echo "${CURRENT_VERSION_ARRAY[*]:0:2}")
-          BASE_X=$(IFS=. ; echo "${CURRENT_VERSION_ARRAY[*]:0:1}.x")
+          MAIN_BRANCH="main"
           CURRENT_VERSION=$(IFS=. ; echo "${CURRENT_VERSION_ARRAY[*]:0:3}")
           CURRENT_VERSION_UNDERSCORE=$(IFS=_ ; echo "V_${CURRENT_VERSION_ARRAY[*]:0:3}")
           CURRENT_VERSION_ARRAY[2]=$((CURRENT_VERSION_ARRAY[2]+1))
@@ -42,7 +42,7 @@ jobs:
           fi
           echo "TAG=$TAG" >> $GITHUB_ENV
           echo "BASE=$BASE" >> $GITHUB_ENV
-          echo "BASE_X=$BASE_X" >> $GITHUB_ENV
+          echo "MAIN_BRANCH=$MAIN_BRANCH" >> $GITHUB_ENV
           echo "CURRENT_VERSION=$CURRENT_VERSION" >> $GITHUB_ENV
           echo "CURRENT_VERSION_UNDERSCORE=$CURRENT_VERSION_UNDERSCORE" >> $GITHUB_ENV
           echo "NEXT_VERSION=$NEXT_VERSION" >> $GITHUB_ENV
@@ -77,33 +77,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
-          ref: ${{ env.BASE_X }}
-
-      - name: Add Patch Version on Major.X branch
-        uses: peternied/opensearch-core-version-updater@v1
-        with:
-          previous-version: ${{ env.CURRENT_VERSION }}
-          new-version: ${{ env.NEXT_VERSION }}
-          update-current: false
-
-      - name: Create PR for BASE_X
-        id: base_x_pr
-        uses: peter-evans/create-pull-request@v7
-        with:
-          base: ${{ env.BASE_X }}
-          branch: 'create-pull-request/patch-${{ env.BASE_X }}'
-          commit-message: Add bwc version ${{ env.NEXT_VERSION }}
-          signoff: true
-          delete-branch: true
-          labels: |
-            autocut
-          title: '[AUTO] [${{ env.BASE_X }}] Add bwc version ${{ env.NEXT_VERSION }}.'
-          body: |
-            I've noticed that a new tag ${{ env.TAG }} was pushed, and added a bwc version ${{ env.NEXT_VERSION }}.
-
-      - uses: actions/checkout@v4
-        with:
-          ref: main
+          ref: ${{ env.MAIN_BRANCH }}
 
       - name: Add Patch Version on main branch
         uses: peternied/opensearch-core-version-updater@v1
@@ -112,18 +86,18 @@ jobs:
           new-version: ${{ env.NEXT_VERSION }}
           update-current: false
 
-      - name: Create PR for main
-        id: main_pr
+      - name: Create PR for MAIN_BRANCH
+        id: main_branch_pr
         uses: peter-evans/create-pull-request@v7
         with:
-          base: main
-          branch: 'create-pull-request/patch-main'
+          base: ${{ env.MAIN_BRANCH }}
+          branch: 'create-pull-request/patch-${{ env.MAIN_BRANCH }}'
           commit-message: Add bwc version ${{ env.NEXT_VERSION }}
           signoff: true
           delete-branch: true
           labels: |
             autocut
-          title: '[AUTO] [main] Add bwc version ${{ env.NEXT_VERSION }}.'
+          title: '[AUTO] [${{ env.MAIN_BRANCH }}] Add bwc version ${{ env.NEXT_VERSION }}.'
           body: |
             I've noticed that a new tag ${{ env.TAG }} was pushed, and added a bwc version ${{ env.NEXT_VERSION }}.
 
@@ -139,8 +113,7 @@ jobs:
              ### Exit Criteria
              Review and merged the following pull requests
              - [ ] ${{ steps.base_pr.outputs.pull-request-url }}
-             - [ ] ${{ steps.base_x_pr.outputs.pull-request-url }}
-             - [ ] ${{ steps.main_pr.outputs.pull-request-url }}
+             - [ ] ${{ steps.main_branch_pr.outputs.pull-request-url }}
 
              ### Additional Context
              See project wide guidance on branching and versions [[link]](https://github.com/opensearch-project/.github/blob/main/RELEASING.md).

CHANGELOG.md

@@ -7,19 +7,39 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 - Add support for Warm Indices Write Block on Flood Watermark breach ([#18375](https://github.com/opensearch-project/OpenSearch/pull/18375))
 - Ability to run Code Coverage with Gradle and produce the jacoco reports locally ([#18509](https://github.com/opensearch-project/OpenSearch/issues/18509))
+- Add NodeResourceUsageStats to ClusterInfo ([#18480](https://github.com/opensearch-project/OpenSearch/issues/18472))
+- Introduce SecureHttpTransportParameters experimental API (to complement SecureTransportParameters counterpart) ([#18572](https://github.com/opensearch-project/OpenSearch/issues/18572))
+- Create equivalents of JSM's AccessController in the java agent ([#18346](https://github.com/opensearch-project/OpenSearch/issues/18346))
+- Introduced a new cluster-level API to fetch remote store metadata (segments and translogs) for each shard of an index. ([#18257](https://github.com/opensearch-project/OpenSearch/pull/18257))
+- Add last index request timestamp columns to the `_cat/indices` API. ([10766](https://github.com/opensearch-project/OpenSearch/issues/10766))
+- Introduce a new pull-based ingestion plugin for file-based indexing (for local testing) ([#18591](https://github.com/opensearch-project/OpenSearch/pull/18591))
+- Add support for search pipeline in search and msearch template ([#18564](https://github.com/opensearch-project/OpenSearch/pull/18564))
+- Add BooleanQuery rewrite moving constant-scoring must clauses to filter clauses ([#18510](https://github.com/opensearch-project/OpenSearch/issues/18510))
 - Add a dynamic setting to change skip_cache_factor and min_frequency for querycache ([#18351](https://github.com/opensearch-project/OpenSearch/issues/18351))
 
 ### Changed
+- Update Subject interface to use CheckedRunnable ([#18570](https://github.com/opensearch-project/OpenSearch/issues/18570))
+- Update SecureAuxTransportSettingsProvider to distinguish between aux transport types ([#18616](https://github.com/opensearch-project/OpenSearch/pull/18616))
 
 ### Dependencies
 - Bump `stefanzweifel/git-auto-commit-action` from 5 to 6 ([#18524](https://github.com/opensearch-project/OpenSearch/pull/18524))
+- Bump Apache Lucene to 10.2.2 ([#18573](https://github.com/opensearch-project/OpenSearch/pull/18573))
+- Bump `org.apache.logging.log4j:log4j-core` from 2.24.3 to 2.25.0 ([#18589](https://github.com/opensearch-project/OpenSearch/pull/18589))
+- Bump `com.google.code.gson:gson` from 2.13.0 to 2.13.1 ([#18585](https://github.com/opensearch-project/OpenSearch/pull/18585))
+- Bump `com.azure:azure-core-http-netty` from 1.15.11 to 1.15.12 ([#18586](https://github.com/opensearch-project/OpenSearch/pull/18586))
+- Bump `com.squareup.okio:okio` from 3.13.0 to 3.14.0 ([#18645](https://github.com/opensearch-project/OpenSearch/pull/18645))
 
 ### Deprecated
 
 ### Removed
 
 ### Fixed
 - Add task cancellation checks in aggregators ([#18426](https://github.com/opensearch-project/OpenSearch/pull/18426))
+- Fix concurrent timings in profiler ([#18540](https://github.com/opensearch-project/OpenSearch/pull/18540))
+- Fix regex query from query string query to work with field alias ([#18215](https://github.com/opensearch-project/OpenSearch/issues/18215))
+- [Autotagging] Fix delete rule event consumption in InMemoryRuleProcessingService ([#18628](https://github.com/opensearch-project/OpenSearch/pull/18628))
+- Cannot communicate with HTTP/2 when reactor-netty is enabled ([#18599](https://github.com/opensearch-project/OpenSearch/pull/18599))
+- Fix the visit of sub queries for HasParentQuery and HasChildQuery ([#18621](https://github.com/opensearch-project/OpenSearch/pull/18621))
 
 ### Security
 

build.gradle

@@ -118,7 +118,7 @@ subprojects {
         }
         maven {
           name = 'Snapshots'
-          url = 'https://aws.oss.sonatype.org/content/repositories/snapshots'
+          url = 'https://central.sonatype.com/repository/maven-snapshots/'
           credentials {
             username = "$System.env.SONATYPE_USERNAME"
             password = "$System.env.SONATYPE_PASSWORD"

buildSrc/src/testKit/thirdPartyAudit/sample_jars/build.gradle

@@ -17,7 +17,7 @@ repositories {
 }
 
 dependencies {
-  implementation "org.apache.logging.log4j:log4j-core:2.24.3"
+  implementation "org.apache.logging.log4j:log4j-core:2.25.0"
 }
 
 ["0.0.1", "0.0.2"].forEach { v ->

client/rest-high-level/src/test/java/org/opensearch/client/RequestConvertersTests.java

@@ -1367,6 +1367,7 @@ public void testSearchTemplate() throws Exception {
         scriptParams.put("field", "name");
         scriptParams.put("value", "soren");
         searchTemplateRequest.setScriptParams(scriptParams);
+        searchTemplateRequest.setSearchPipeline("pipeline");
 
         // Verify that the resulting REST request looks as expected.
         Request request = RequestConverters.searchTemplate(searchTemplateRequest);
@@ -1391,6 +1392,7 @@ public void testRenderSearchTemplate() throws Exception {
         searchTemplateRequest.setScript("template1");
         searchTemplateRequest.setScriptType(ScriptType.STORED);
         searchTemplateRequest.setProfile(randomBoolean());
+        searchTemplateRequest.setSearchPipeline("pipeline");
 
         Map<String, Object> scriptParams = new HashMap<>();
         scriptParams.put("field", "name");
@@ -1431,6 +1433,7 @@ public void testMultiSearchTemplate() throws Exception {
             searchTemplateRequest.setScript("{\"query\": { \"match\" : { \"{{field}}\" : \"{{value}}\" }}}");
             searchTemplateRequest.setScriptType(ScriptType.INLINE);
             searchTemplateRequest.setProfile(randomBoolean());
+            searchTemplateRequest.setSearchPipeline("pipeline");
 
             Map<String, Object> scriptParams = new HashMap<>();
             scriptParams.put("field", "name");

gradle/libs.versions.toml

@@ -1,6 +1,6 @@
 [versions]
 opensearch        = "3.2.0"
-lucene            = "10.2.1"
+lucene            = "10.2.2"
 
 bundled_jdk_vendor = "adoptium"
 bundled_jdk = "24.0.1+9"

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/AccessController.java

@@ -0,0 +1,129 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.secure_sm;
+
+import java.util.concurrent.Callable;
+import java.util.function.Supplier;
+
+/**
+ * A utility class that provides methods to perform actions in a privileged context.
+ *
+ * This class is a replacement for Java's {@code java.security.AccessController} functionality which is marked for
+ * removal. All new code should use this class instead of the JDK's {@code AccessController}.
+ *
+ * Running code in a privileged context will ensure that the code has the necessary permissions
+ * without traversing through the entire call stack. See {@code org.opensearch.javaagent.StackCallerProtectionDomainChainExtractor}
+ *
+ * Example usages:
+ * <pre>
+ * {@code
+ * AccessController.doPrivileged(() -> {
+ *     // code that requires privileges
+ * });
+ * }
+ * </pre>
+ *
+ * Example usage with a return value and checked exception:
+ *
+ * <pre>
+ * {@code
+ * T something = AccessController.doPrivilegedChecked(() -> {
+ *     // code that requires privileges and may throw a checked exception
+ *     return something;
+ *     // or
+ *     throw new Exception();
+ * });
+ * }
+ * </pre>
+ */
+public final class AccessController {
+    /**
+     * Don't allow instantiation an {@code AccessController}
+     */
+    private AccessController() {}
+
+    /**
+     * Performs the specified action in a privileged block.
+     *
+     * <p> If the action's {@code run} method throws an (unchecked)
+     * exception, it will propagate through this method.
+     *
+     * @param action the action to be performed
+     */
+    public static void doPrivileged(Runnable action) {
+        action.run();
+    }
+
+    /**
+     * Performs the specified action.
+     *
+     * <p> If the action's {@code run} method throws an <i>unchecked</i>
+     * exception, it will propagate through this method.
+     *
+     * @param <T> the type of the value returned by the
+     *                  PrivilegedExceptionAction's {@code run} method
+     *
+     * @param action the action to be performed
+     *
+     * @return the value returned by the action's {@code run} method
+     */
+    public static <T> T doPrivileged(Supplier<T> action) {
+        return action.get();
+    }
+
+    /**
+     * Performs the specified action.
+     *
+     * <p> If the action's {@code run} method throws an <i>unchecked</i>
+     * exception, it will propagate through this method.
+     *
+     * @param <T> the type of the value returned by the
+     *                  PrivilegedExceptionAction's {@code run} method
+     *
+     * @param action the action to be performed
+     *
+     * @return the value returned by the action's {@code run} method
+     *
+     * @throws Exception if the specified action's
+     *         {@code call} method threw a <i>checked</i> exception
+     */
+    public static <T> T doPrivilegedChecked(Callable<T> action) throws Exception {
+        return action.call();
+    }
+
+    /**
+     * Performs the specified action in a privileged block.
+     *
+     * <p> If the action's {@code run} method throws an (unchecked)
+     * exception, it will propagate through this method.
+     *
+     * @param action the action to be performed
+     *
+     * @throws T if the specified action's
+     *         {@code call} method threw a <i>checked</i> exception
+     */
+    public static <T extends Exception> void doPrivilegedChecked(CheckedRunnable<T> action) throws T {
+        action.run();
+    }
+
+    /**
+     * A functional interface that represents a runnable action that can throw a checked exception.
+     *
+     * @param <E> the type of the exception that can be thrown
+     */
+    public interface CheckedRunnable<E extends Exception> {
+
+        /**
+         * Executes the action.
+         *
+         * @throws E
+         */
+        void run() throws E;
+    }
+}

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/package-info.java

@@ -0,0 +1,12 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/**
+ * Classes for running code in a privileged context
+ */
+package org.opensearch.secure_sm;