Support for groovy static analysis for groovy scripts

[abhishekbafna]

Github Issue: #14995

Google Doc: https://docs.google.com/document/d/10-j1hevpwOWzaU8q0ndqv3toRBWTiPfOWy6xHojoiL4

It adds the support for static analysis for the groovy functions. Users can configure the allowed receivers, allowed imports, allowed static imports, disallowed method names, toggle method definition allowed in the groovy scripts.

A groovy listener to update the configuration on the server nodes.

• REST APIs for getting the default/sample groovy configuration, update/create groovy configuration and get the current groovy configurations.
• The AST analysis covers for query and table config updates via controller.

Testing

• Unit tests
• Local testing using quickstart setup

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 71.12676% with 41 lines in your changes missing coverage. Please review.

Project coverage is 63.46%. Comparing base (59551e4) to head (79b1c7d).
Report is 1753 commits behind head on master.

Files with missing lines	Patch %	Lines
.../controller/api/resources/PinotClusterConfigs.java	0.00%	31 Missing ⚠️
...sthandler/BaseSingleStageBrokerRequestHandler.java	70.58%	4 Missing and 1 partial ⚠️
...egment/local/function/GroovyFunctionEvaluator.java	91.66%	3 Missing and 1 partial ⚠️
...va/org/apache/pinot/spi/utils/CommonConstants.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #14844      +/-   ##
============================================
+ Coverage     61.75%   63.46%   +1.71%     
- Complexity      207     1483    +1276     
============================================
  Files          2436     2749     +313     
  Lines        133233   154575   +21342     
  Branches      20636    23823    +3187     
============================================
+ Hits          82274    98097   +15823     
- Misses        44911    49080    +4169     
- Partials       6048     7398    +1350     

Flag	Coverage Δ
custom-integration1	100.00% <ø> (+99.99%)	⬆️
integration	100.00% <ø> (+99.99%)	⬆️
integration1	100.00% <ø> (+99.99%)	⬆️
integration2	0.00% <ø> (ø)
java-11	63.41% <71.12%> (+1.70%)	⬆️
java-21	63.35% <71.12%> (+1.73%)	⬆️
skip-bytebuffers-false	63.43% <71.12%> (+1.69%)	⬆️
skip-bytebuffers-true	63.32% <71.12%> (+35.59%)	⬆️
temurin	63.46% <71.12%> (+1.71%)	⬆️
unittests	63.45% <71.12%> (+1.71%)	⬆️
unittests1	56.08% <81.81%> (+9.19%)	⬆️
unittests2	34.02% <64.78%> (+6.29%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[soumitra-st]

I think the checks are disabled by default. Can you create a doc on various configurations supported by Pinot?

[abhishekbafna]

Github issue link: #14995

[abhishekbafna]

I think the checks are disabled by default. Can you create a doc on various configurations supported by Pinot?

@soumitra-st I have created a github issue and linked the document. Please review it. Thank you.

[soumitra-st]

LGTM

[npawar]

Github Issue: #14995

Google Doc: https://docs.google.com/document/d/10-j1hevpwOWzaU8q0ndqv3toRBWTiPfOWy6xHojoiL4

It adds the support for static analysis for the groovy functions. Users can configure the allowed receivers, allowed imports, allowed static imports, disallowed method names, toggle method definition allowed in the groovy scripts.

• REST APIs for getting the default/sample groovy configuration, update/create groovy configuration and get the current groovy configurations.
• The AST analysis covers for query, ingestion and table config updates via controller.

Testing

• Unit tests
• Local testing using quickstart setup

Please add the new config in the PR description, and call out a) where does it need to be set (server/minion/controller conf or cluster config) b) is restart required when it's changed

[Jackie-Jiang]

Nice! Is this another attempt of #14197?

[Jackie-Jiang]

Since this is static analysis, we should apply the analysis in 2 places:

1. When table config gets created/updated, we want to validate the groovy transforms configured
2. When broker gets a query, we want to validate the groovy transform within it

Take a look at where we block groovy functions right now. We can integrate this logic at the same place.

[abhishekbafna]

Since this is static analysis, we should apply the analysis in 2 places:

1. When table config gets created/updated, we want to validate the groovy transforms configured
2. When broker gets a query, we want to validate the groovy transform within it

Take a look at where we block groovy functions right now. We can integrate this logic at the same place.

The analysis applied at both the suggested places.

1. The groovy expression is validated and blocked (if found containing in-secure code) at the table creation and update stage. This happens in the controller.
2. For the queries, the analysis happens in the server and failure is reported.

[Jackie-Jiang]

I'm not able to find the related change in controller and broker code. Can you point me to the class changed?

[Jackie-Jiang]

Let's clean up the unrelated changes. The metric should be emitted from controller for table config, and broker for query

[abhishekbafna]

I have removed the metric part.

[abhishekbafna]

I'm not able to find the related change in controller and broker code. Can you point me to the class changed?

For both table creation/update and querying, the groovy static analysis is applied during the script parse step. This happens when the GroovyFunctionEvaluator object is initialised.
_script = createSafeShell(_binding, groovyStaticAnalyzerConfig).parse(scriptText);

For the table create/update it happens in the controller and for query is happens in the server nodes. Attaching screenshots.

The GroovyStaticAnalyzerConfig is a static parameter which init during the service start using configureGroovySecurity method.

When the groovy security config is updated, the update happens through the controller API so controller set it using GroovyFunctionEvaluator.setConfig(groovyConfig); using the POST API call.

For the server, updates are applied using the config change listener GroovyConfigChangeListener.

Query:

Controller:

[Jackie-Jiang]

Currently we apply groovy check in 2 places:

1. In TableConfigUtils (see the usage of _disableGroovy field)
2. In BaseSingleStageBrokerRequestHandler (see the usage of _disableGroovy field)

Can we apply the static analysis at the same place? Applying it during ingestion/query execution might already be too late.

[Jackie-Jiang]

Do you anticipate performance overhead for the safe shell?

[abhishekbafna]

No. There should not be any performance impact. The CompilerConfiguration is created only once and reused. It is updated everytime static analyzer config is updated.

[abhishekbafna]

Currently we apply groovy check in 2 places:

1. In TableConfigUtils (see the usage of _disableGroovy field)
2. In BaseSingleStageBrokerRequestHandler (see the usage of _disableGroovy field)

Can we apply the static analysis at the same place? Applying it during ingestion/query execution might already be too late.

Now the static analysis for both ingestion and query is applied along with the disableGroovy checks.

For the ingestion, it happens in the TableConfigUtils#validateIngestionConfig when FunctionEvaluatorFactory.getExpressionEvaluator(filterFunction) is called for the groovy scripts.

For the query, added a new method groovySecureAnalysis that would execute when groovy is enabled. Any changes to the configuration would require restart of the broker nodes.

[Jackie-Jiang]

I don't see the change in org.apache.pinot.segment.local.utils.TableConfigUtils. That is needed for the ingestion groovy validation

[Jackie-Jiang]

Suggest renaming it to validateGroovy

[Jackie-Jiang]

This shouldn't be added as top level config. We need this config for both controller and broker, and they can potentially be different (one is for ingestion, and one is for query). Take a look at the subclass Controller and Broker within this class.
We can also consider adding a common one to be used when there is no controller/broker specific config

[abhishekbafna]

OKay. As a single configuration, it was added at the top level. I will create separate configuration for controller (ingestion) and broker (query).

For ingestion, under Controller subclass: pinot.ingestion.groovy.static.analyzer
For query, under Broker subclass: pinot.query.groovy.static.analyzer
Common configuration, as top level config in the CommonConstants class: pinot.groovy.static.analyzer

[abhishekbafna]

I will use service name only and not use case specific name like pinot.broker.* and 'pinot.controller.*` to continue the existing pattern.

[abhishekbafna]

With this, I think, we can avoid the specific REST APIs too for the groovy config and use POST /cluster/configs API to configure the groovy static analyzer.

[Jackie-Jiang]

Sounds good. Since we are not keeping the instance type prefix, we can put them in the top level, or add a subclass Groovy. Let's not put it in the beginning of the file, and also add some documentation for them.

Regarding the REST API, the ser/de of this config is not easy, so I'd suggest keeping the REST API, but add a type param which can be ingestion, query or all. Same for the GET request, where we perform the same fallback logic based on the type asked

[abhishekbafna]

I don't see the change in org.apache.pinot.segment.local.utils.TableConfigUtils. That is needed for the ingestion groovy validation

The ingestion (table create and update) path is already covered as part of the TableConfigUtils#validateIngestionConfig when GroovyFunctionEvaluator object is initialized, the parsing and validation happens.

This happens when FunctionEvaluatorFactory.getExpressionEvaluator(filterFunction) is called in the validate ingestion config method. I attached a screenshot as well earlier show the same.

[vrajat]

The docs mention that security is required in Minions as well. However I dont see the security apparatus setup in Minions. Is that required ?

[Jackie-Jiang]

@vrajat Minion should be fine because it pulls the table config which is already validated on the controller

[Jackie-Jiang]

Sounds good. Since we are not keeping the instance type prefix, we can put them in the top level, or add a subclass Groovy. Let's not put it in the beginning of the file, and also add some documentation for them.

Regarding the REST API, the ser/de of this config is not easy, so I'd suggest keeping the REST API, but add a type param which can be ingestion, query or all. Same for the GET request, where we perform the same fallback logic based on the type asked

[abhishekbafna]

@vrajat Minion should be fine because it pulls the table config which is already validated on the controller

@Jackie-Jiang one thing to note is, the controller config would be applied on the table update and creation. It would not apply on any existing ingestion config. For that it need to be init the config in minion and other external jobs (hadoop, spark etc).