[GRPC] Add accessUnixDomainSocket permission for transport-grpc

[reta]

Description

Add accessUnixDomainSocket permission for transport-grpc, followup on #20463

Related Issues

See please https://github.com/opensearch-project/neural-search/actions/runs/22081425842/job/63807427263?pr=1734

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0bbea60 and cca827e.

📒 Files selected for processing (2)

• CHANGELOG.md
• modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: assemble (25, macos-15)
• GitHub Check: detect-breaking-change
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (25, macos-15)
• GitHub Check: verify-changelog

🔇 Additional comments (2)

CHANGELOG.md (1)

11-11: Changelog update looks good.

The added PR reference keeps the entry aligned with the follow-up work.

modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy (1)

9-20: [Rewritten review comment]
[Classification tag]

---

📝 Walkthrough

Walkthrough

The security policy in the transport-grpc module is updated to remove codebase scoping, broadening permission applicability from grpc-netty-shaded to all code. The changelog is updated to reference the related PR.

Changes

Cohort / File(s)	Summary
Security Policy & Documentation CHANGELOG.md, modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy	Removed codeBase scoping from security grant block, expanding policy scope to all code instead of grpc-netty-shaded only. Changelog updated with PR reference.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• #20463: Modifies the same security policy file to add accessUnixDomainSocket permission within a codeBase-scoped grant, directly related to scope changes in this PR.

Suggested labels

Clients

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description provides purpose and related context, but the 'Functionality includes testing' checkbox remains unchecked and no explanation is provided about test coverage.	Either check the testing checkbox and provide test details, or explain why testing is not applicable for this security policy change.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding accessUnixDomainSocket permission for transport-grpc module.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

❗ AI-powered Code-Diff-Analyzer found issues on commit a9cfadc.

Path	Line	Severity	Description
modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy	9	high	Security policy weakening: Removed codeBase restriction from permission grant, changing from scoped grant to 'grant codeBase "${codebase.grpc-netty-shaded}"' to unrestricted 'grant'. This violates principle of least privilege by allowing ALL code to access the permission instead of only the trusted grpc-netty-shaded library. Could be a deliberate backdoor to enable privilege escalation or unauthorized system access.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 1 | Medium: 0 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[reta]

@karenyrx @cwperks I believe this should fix an issue here

[github-actions]

❗ AI-powered Code-Diff-Analyzer found issues on commit cca827e.

Path	Line	Severity	Description
modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy	9	high	Privilege escalation: Java security policy modified to remove codeBase restriction. Permission originally scoped to 'grpc-netty-shaded' now granted to ALL code in JVM. This weakens security boundaries by allowing any code to read /proc/sys/net/core/somaxconn, not just the intended library. Pattern indicates deliberate security constraint removal.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 1 | Medium: 0 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

✅ Gradle check result for cca827e: SUCCESS

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.31%. Comparing base (db0a16d) to head (cca827e).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20649      +/-   ##
============================================
+ Coverage     73.19%   73.31%   +0.12%     
- Complexity    71924    71990      +66     
============================================
  Files          5781     5781              
  Lines        329292   329393     +101     
  Branches      47514    47525      +11     
============================================
+ Hits         241026   241498     +472     
+ Misses        68925    68518     -407     
- Partials      19341    19377      +36     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.