Fix issue connecting with prometheus by wrapping with AccessController.doPrivilegedChecked

[cwperks]

Description

This PR fixes an issue connecting to a prometheus connector.

Before:

➜  curl -XPOST localhost:9200/_plugins/_query/_datasources -H 'Content-Type:application/json' --data-binary '{
  "name" : "my_prometheus",
    "connector": "prometheus",
    "properties" : {
      "prometheus.uri" : "http://localhost:9090"
    }
}'
"Created DataSource with name my_prometheus"%
➜  curl http://localhost:9200/_plugins/_directquery/_resources/my_prometheus/api/v1/metadata
{
  "status": 500,
  "error": {
    "type": "SecurityException",
    "reason": "There was internal problem at backend",
    "details": "Denied access to: localhost:9090, domain ProtectionDomain  (file:/usr/share/opensearch/plugins/opensearch-ubi/opensearch-ubi-3.5.0.0.jar \u003cno signer certificates\u003e)\n java.net.URLClassLoader@2a30b0cb\n \u003cno principals\u003e\n java.security.Permissions@420bdb83 (\n)\n\n"
  }
}

After:

➜  curl -XPOST localhost:9200/_plugins/_query/_datasources -H 'Content-Type:application/json' --data-binary '{
  "name" : "my_prometheus",
    "connector": "prometheus",
    "properties" : {
      "prometheus.uri" : "http://localhost:9090"
    }
}'
"Created DataSource with name my_prometheus"%
➜  curl http://localhost:9200/_plugins/_directquery/_resources/my_prometheus/api/v1/metadata
{
  "status": 400,
  "error": {
    "type": "PrometheusClientException",
    "reason": "Invalid Request",
    "details": "Error while getting resources for METADATA: Failed to connect to localhost/[0:0:0:0:0:0:0:1]:9090"
  }
}

Full Stack Trace

opensearch-node1-1       | java.lang.SecurityException: Denied access to: localhost:9090, domain ProtectionDomain  (file:/usr/share/opensearch/plugins/opensearch-ubi/opensearch-ubi-3.5.0.0.jar <no signer certificates>)
opensearch-node1-1       |  java.net.URLClassLoader@2a30b0cb
opensearch-node1-1       |  <no principals>
opensearch-node1-1       |  java.security.Permissions@420bdb83 (
opensearch-node1-1       | )
opensearch-node1-1       |
opensearch-node1-1       |
opensearch-node1-1       | 	at java.base/java.net.Socket.connect(Socket.java:640)
opensearch-node1-1       | 	at okhttp3.internal.platform.Platform.connectSocket(Platform.kt:128)
opensearch-node1-1       | 	at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.kt:295)
opensearch-node1-1       | 	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:207)
opensearch-node1-1       | 	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
opensearch-node1-1       | 	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
opensearch-node1-1       | 	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
opensearch-node1-1       | 	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
opensearch-node1-1       | 	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
opensearch-node1-1       | 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
opensearch-node1-1       | 	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
opensearch-node1-1       | 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
opensearch-node1-1       | 	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
opensearch-node1-1       | 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
opensearch-node1-1       | 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
opensearch-node1-1       | 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
opensearch-node1-1       | 	at org.opensearch.sql.common.interceptors.URIValidatorInterceptor.intercept(URIValidatorInterceptor.java:33)
opensearch-node1-1       | 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
opensearch-node1-1       | 	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
opensearch-node1-1       | 	at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
opensearch-node1-1       | 	at org.opensearch.sql.prometheus.client.PrometheusClientImpl.getAllMetrics(PrometheusClientImpl.java:178)
opensearch-node1-1       | 	at org.opensearch.sql.prometheus.query.PrometheusQueryHandler.getResources(PrometheusQueryHandler.java:136)
opensearch-node1-1       | 	at org.opensearch.sql.prometheus.query.PrometheusQueryHandler.getResources(PrometheusQueryHandler.java:32)
opensearch-node1-1       | 	at org.opensearch.sql.directquery.DirectQueryExecutorServiceImpl.lambda$getDirectQueryResources$0(DirectQueryExecutorServiceImpl.java:81)
opensearch-node1-1       | 	at java.base/java.util.Optional.map(Optional.java:260)

Check List

• New functionality includes testing.
• New functionality has been documented.
• New functionality has javadoc added.
• New functionality has a user manual doc added.
• New PPL command checklist all confirmed.
• API changes companion pull request created.
• Commits are signed per the DCO using --signoff or -s.
• Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated internal security handling for data retrieval operations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

Added security privilege checking to the HTTP client's metric retrieval operation by wrapping the execution within AccessController.doPrivilegedChecked to ensure the operation executes under controlled privilege context.

Changes

Cohort / File(s)	Summary
Prometheus Client Security Enhancement direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java	Added AccessController import and wrapped HTTP call execution in getAllMetrics method with privilege-checked block for controlled privilege context execution

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately summarizes the main change: wrapping PrometheusClientImpl's HTTP call with AccessController.doPrivilegedChecked to fix a security exception when connecting to Prometheus.
Description check	✅ Passed	The PR description is directly related to the changeset, providing detailed context about the SecurityException issue, before/after behavior comparison, and the stack trace that motivated the fix.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[joshuali925]

thanks

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java`:
- Line 179: Add a centralized helper in PrometheusClientImpl named something
like executePrivileged(Request request, OkHttpClient client) that wraps
AccessController.doPrivilegedChecked(() -> client.newCall(request).execute())
and throws IOException; then replace every direct call to
prometheusHttpClient.newCall(request).execute() and
alertmanagerHttpClient.newCall(request).execute() across methods queryRange,
query, getLabels, getLabel, getAllMetrics, getSeries, queryExemplars, getAlerts,
getRules, getAlertmanagerAlerts, getAlertmanagerAlertGroups,
getAlertmanagerReceivers, getAlertmanagerSilences, and
createAlertmanagerSilences to call executePrivileged(request,
prometheusHttpClient) or executePrivileged(request, alertmanagerHttpClient)
respectively so the security wrapper is applied consistently.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all HTTP call sites in the file that may need the same fix
echo "=== HTTP calls using prometheusHttpClient ==="
rg -n "prometheusHttpClient\.newCall" direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java

echo ""
echo "=== HTTP calls using alertmanagerHttpClient ==="
rg -n "alertmanagerHttpClient\.newCall" direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java

echo ""
echo "=== Calls already wrapped with doPrivilegedChecked ==="
rg -n "doPrivilegedChecked" direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java

Repository: opensearch-project/sql

Length of output: 1543

---

🏁 Script executed:

#!/bin/bash
# Extract method signatures to confirm they are distinct methods
echo "=== Method signatures at the call sites ==="
rg -B 5 "prometheusHttpClient\.newCall|alertmanagerHttpClient\.newCall" direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java | grep -E "^\s*(public|private)\s+|prometheusHttpClient\.newCall|alertmanagerHttpClient\.newCall" | head -50

Repository: opensearch-project/sql

Length of output: 1308

---

🏁 Script executed:

#!/bin/bash
# Extract method signatures more clearly
echo "=== Method signatures with line numbers ==="
rg -B 10 "prometheusHttpClient\.newCall|alertmanagerHttpClient\.newCall" \
  direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java \
  | grep -E "^\s*[0-9]+-\s*(public|private)" | head -20

Repository: opensearch-project/sql

Length of output: 109

---

🏁 Script executed:

#!/bin/bash
# Read the file with line numbers to see the method context
head -330 direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java | tail -150 | cat -n

Repository: opensearch-project/sql

Length of output: 7759

---

🏁 Script executed:

#!/bin/bash
# Read the first part of the file to see queryRange and other methods
head -200 direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java | cat -n

Repository: opensearch-project/sql

Length of output: 9152

---

🏁 Script executed:

#!/bin/bash
# Check context around line 179 for any comments explaining the wrapper
sed -n '168,183p' direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java | cat -n

Repository: opensearch-project/sql

Length of output: 993

---

Inconsistent application of the security fix across HTTP call sites.

The AccessController.doPrivilegedChecked wrapper is applied only to getAllMetrics (line 179), but 13 other methods in this class make HTTP calls using the same pattern (prometheusHttpClient.newCall(request).execute() or alertmanagerHttpClient.newCall(request).execute()). If the SecurityException is triggered by socket connections in getAllMetrics, it will likely occur in other methods making identical HTTP calls:

• queryRange (line 95)
• query (line 130)
• getLabels (line 150)
• getLabel (line 165)
• getSeries (line 198)
• queryExemplars (line 215)
• getAlerts (line 226)
• getRules (line 239)
• getAlertmanagerAlerts (line 252)
• getAlertmanagerAlertGroups (line 265)
• getAlertmanagerReceivers (line 277)
• getAlertmanagerSilences (line 289)
• createAlertmanagerSilences (line 305)

Extract a helper method to centralize the privileged execution and apply it consistently:

Suggested approach

private Response executePrivileged(Request request, OkHttpClient client) throws IOException {
    return AccessController.doPrivilegedChecked(() -> client.newCall(request).execute());
}

Then use it consistently across all HTTP call sites:

-Response response = this.prometheusHttpClient.newCall(request).execute();
+Response response = executePrivileged(request, this.prometheusHttpClient);

🤖 Prompt for AI Agents

In
`@direct-query-core/src/main/java/org/opensearch/sql/prometheus/client/PrometheusClientImpl.java`
at line 179, Add a centralized helper in PrometheusClientImpl named something
like executePrivileged(Request request, OkHttpClient client) that wraps
AccessController.doPrivilegedChecked(() -> client.newCall(request).execute())
and throws IOException; then replace every direct call to
prometheusHttpClient.newCall(request).execute() and
alertmanagerHttpClient.newCall(request).execute() across methods queryRange,
query, getLabels, getLabel, getAllMetrics, getSeries, queryExemplars, getAlerts,
getRules, getAlertmanagerAlerts, getAlertmanagerAlertGroups,
getAlertmanagerReceivers, getAlertmanagerSilences, and
createAlertmanagerSilences to call executePrivileged(request,
prometheusHttpClient) or executePrivileged(request, alertmanagerHttpClient)
respectively so the security wrapper is applied consistently.

[RyanL1997]

Thanks for the change. The change itself looks good to me, however, I'm also curious the following:

• among all these components in the above list, why only the Prometheus got impacted?
• why this just be spotted by now?

cc @cwperks @joshuali925 @lezzago

[LantaoJin]

@Swiddis can you help to review this? I remember you had a PR to remove all privilegedcheck wrappers in 3.x branch. Is the current fixing valid?