New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add tests for Security Manager #2539
Add tests for Security Manager #2539
Conversation
How to reproduce the issue with
Stack trace
|
This is the
I'm not sure why granting |
Maybe this is because it's relying on the package access permissions ( |
Do you have a suggestion on how the policy can be adapted? |
No, I wasn't familiar with that even, we'll need to see why that is and if it is indeed related to the different permission check route. |
…curity-manager-setup
After a bit of further investigation, it the following policy allows to work around the permission issue. With it, it goes a bit further but we have another issue related to log4j loading. When trying to load the
In the case where the agent is granted all permissions, I think it could be fine to have the agent self-allow itself and bypass the security manager as the user has already granted it the permissions in the policy. In other words, the issue of loading the A better approach though would be to see if there is a way in byte-buddy to reuse the agent protection domain when loading the |
Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as |
…curity-manager-setup
The issue described above was resolved through raphw/byte-buddy#1359 (ported to the agent through #2874). It occurs when BB loads a mirror of a JVM class only to get a field’s offset. While doing so, the JVM checks whether the current |
Since this issue is now solved, I think it would be a good idea to move forward with this PR to prevent further regressions:
|
These tests currently pass even when the agent cannot work with security manager, thus they cannot prevent regression in the current form. |
…curity-manager-setup
@SylvainJuge this stayed far behind |
…curity-manager-setup
/test |
void testServiceNameAndVersionFromManifest(String image) { | ||
try (GenericContainer<TestAppContainer> app = testAppWithJavaAgent(image)) { | ||
|
||
app.waitingFor(Wait.forLogMessage(".* Starting Elastic APM .*", 1)) | ||
.start(); | ||
|
||
assertThat(app.getLogs()).contains(" as My Service Name (My Service Version) on "); | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[for reviewer] this was actually tested previously within ServiceTestIT
What does this PR do?
Unsafe
when security manager is enabled.Checklist
Unsafe
, or ignore the test until we can fix this (see comment below Add tests for Security Manager #2539 (comment) for details).refactor runtime attach tests to run in docker with this to make them simpler & more reliable.this will be done in a separate PR if needed later.