[GRPC] Add accessUnixDomainSocket permission for transport-grpc

[karenyrx]

Description

The Hybrid search gRPC integration test on Windows is failing with:

java.lang.IllegalStateException: failed to create a child event loop
Likely root cause: java.lang.SecurityException: Denied access to: D:\a\neural-search\neural-search\build\testclusters\integTest-0\tmp\socket_1511921991, 
domain ProtectionDomain  (file:/D:/a/neural-search/.../modules/transport-grpc/grpc-netty-shaded-1.75.0.jar <no signer certificates>)
  java.security.Permissions@526c0134 ()

Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM
  at java.base/java.nio.file.Files.deleteIfExists(Files.java:1087)
  at java.base/sun.nio.ch.PipeImpl$Initializer$LoopbackConnector.run(PipeImpl.java:160)
  at java.base/sun.nio.ch.PipeImpl$Initializer.init(PipeImpl.java:78)
  at java.base/sun.nio.ch.PipeImpl.<init>(PipeImpl.java:186)
  at java.base/sun.nio.ch.WEPollSelectorImpl.<init>(WEPollSelectorImpl.java:78)
  at java.base/sun.nio.ch.WEPollSelectorProvider.openSelector(WEPollSelectorProvider.java:33)
  at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.openSelector(NioEventLoop.java:177)
  at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.<init>(NioEventLoop.java:146)
  at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup.newChild(NioEventLoopGroup.java:183)
  ...
  at org.opensearch.transport.grpc.Netty4GrpcServerTransport.doStart(Netty4GrpcServerTransport.java:320)

Notably the deleteIfExists and D:\a\neural-search\neural-search\build\testclusters\integTest-0\tmp\socket_1511921991 part, which indicates delete permissions are denied for tmp files created by the integration test

This issue is Windows-specific because:

• Linux: Uses EpollSelectorProvider which doesn't create temporary files
• Windows: Uses WEPollSelectorProvider → PipeImpl → creates temp files for IPC

This PR allows Netty to delete temporary socket files in java.io.tmpdir.
Since we havent seen an error for create, read, or write yet, I have not added those in this PR, to follow principle of least privilege, but those could be needed in the future as well.

Related Issues

opensearch-project/neural-search#1723

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

📝 Walkthrough

Walkthrough

The pull request adds a new security permission in the transport-grpc module's security policy to enable Unix domain socket access, with a corresponding changelog entry documenting this addition.

Changes

Cohort / File(s)	Summary
Documentation and Security Policy CHANGELOG.md, modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy	Added changelog entry for PR #20463 and introduced NetPermission "accessUnixDomainSocket" permission in the security policy to allow Netty on Windows to delete temporary socket files in the transport-grpc module.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description provides comprehensive context including the Windows-specific failure, root cause analysis, and explains why only delete permissions are added. However, the checklist items for testing and documentation remain unchecked.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title accurately describes the main change: adding the accessUnixDomainSocket permission to the transport-grpc security policy for handling temporary socket files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cwperks]

Looks similar to what I encountered in #18752

@reta in the previous encounter with this we fixed the java agent (#18764). Do you think something similar would be needed for this?

[github-actions]

✅ Gradle check result for dfb1d74: SUCCESS

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.28%. Comparing base (3ba2f37) to head (53adec5).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20463      +/-   ##
============================================
+ Coverage     73.25%   73.28%   +0.03%     
- Complexity    72103    72147      +44     
============================================
  Files          5798     5798              
  Lines        329732   329732              
  Branches      47519    47519              
============================================
+ Hits         241554   241653      +99     
+ Misses        68805    68712      -93     
+ Partials      19373    19367       -6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[reta]

Looks similar to what I encountered in #18752

@reta in the previous encounter with this we fixed the java agent (#18764). Do you think something similar would be needed for this?

Sincere apologies @cwperks @karenyrx , somehow missed it: yes, we treat java.base/sun.nio.ch.PipeImpl$Initializer.init(PipeImpl.java:78) as UNIX Domain path (and permission), thank you.

[karenyrx]

Thank you @reta @cwperks ! Marked the PR as ready for review when you have a chance to review it.

[github-actions]

❕ Gradle check result for 7d44eed: UNSTABLE

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

[github-actions]

❗ AI-powered Code-Diff-Analyzer found issues on commit 241ec5a.

Path	Line	Severity	Description
modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy	20	medium	Permission 'accessUnixDomainSocket' granted with inconsistent justification: comment mentions 'Windows' and 'WEPollSelectorImpl' but Unix domain sockets are Unix/Linux features. PR description says 'deleting temporary socket files' but this permission enables full Unix socket access (create/connect/accept), which could enable covert IPC channels. Verify this is necessary for legitimate gRPC functionality.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

❗ AI-powered Code-Diff-Analyzer found issues on commit 53adec5.

Path	Line	Severity	Description
modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy	20	medium	Security policy grants accessUnixDomainSocket permission to grpc-netty-shaded. Comment mentions 'Windows' and 'WEPollSelectorImpl' but grants Unix domain socket access. While modern Windows supports Unix sockets and this may be legitimate for Netty/gRPC functionality, the permission allows local inter-process communication that could be abused. Verify this permission is strictly necessary and that grpc-netty-shaded dependency is from trusted source.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

❌ Gradle check result for 53adec5: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❕ Gradle check result for 53adec5: UNSTABLE

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.