2.x plugins using Groovy with NIO are blocked by SecurityManager


(Jörg Prante) #1

I ported my Groovy-based web app plugin to 2.0.0-beta1

https://github.com/jprante/elasticsearch-webapp

but the new security manager got in the way because I am using NIO:

Exception in thread "main" java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.nio.fs")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
	at java.lang.Class.checkPackageAccess(Class.java:2372)
	at java.lang.Class.checkMemberAccess(Class.java:2351)
	at java.lang.Class.getMethod(Class.java:1783)
	at org.codehaus.groovy.reflection.stdclasses.CachedSAMClass.hasUsableImplementation(CachedSAMClass.java:130)
	at org.codehaus.groovy.reflection.stdclasses.CachedSAMClass.getSAMMethod(CachedSAMClass.java:191)
	at org.codehaus.groovy.reflection.ClassInfo.isSAM(ClassInfo.java:359)
	at org.codehaus.groovy.reflection.ClassInfo.createCachedClass(ClassInfo.java:349)
	at org.codehaus.groovy.reflection.ClassInfo.access$700(ClassInfo.java:41)
	at org.codehaus.groovy.reflection.ClassInfo$LazyCachedClassRef.initValue(ClassInfo.java:497)
	at org.codehaus.groovy.reflection.ClassInfo$LazyCachedClassRef.initValue(ClassInfo.java:488)
	at org.codehaus.groovy.util.LazyReference.getLocked(LazyReference.java:49)
	at org.codehaus.groovy.util.LazyReference.get(LazyReference.java:36)
	at org.codehaus.groovy.reflection.ClassInfo.getCachedClass(ClassInfo.java:111)
	at org.codehaus.groovy.reflection.ReflectionCache.getCachedClass(ReflectionCache.java:110)
	at org.codehaus.groovy.reflection.CachedClass$4.initValue(CachedClass.java:141)
	at org.codehaus.groovy.reflection.CachedClass$4.initValue(CachedClass.java:138)
	at org.codehaus.groovy.util.LazyReference.getLocked(LazyReference.java:49)
	at org.codehaus.groovy.util.LazyReference.get(LazyReference.java:36)
	at org.codehaus.groovy.reflection.CachedClass.getCachedSuperClass(CachedClass.java:248)
	at org.codehaus.groovy.reflection.CachedClass$8.initValue(CachedClass.java:214)
	at org.codehaus.groovy.reflection.CachedClass$8.initValue(CachedClass.java:200)
	at org.codehaus.groovy.util.LazyReference.getLocked(LazyReference.java:49)
	at org.codehaus.groovy.util.LazyReference.get(LazyReference.java:36)
	at org.codehaus.groovy.reflection.CachedClass.getInterfaces(CachedClass.java:252)
	at org.codehaus.groovy.reflection.CachedClass.<init>(CachedClass.java:238)
	at org.codehaus.groovy.reflection.ClassInfo.createCachedClass(ClassInfo.java:352)
	<<<truncated>>>
Refer to the log for complete error details.

This happens because Groovy looks up sun.nio.fs.UnixPath, and for Groovy using NIO networking, file channel access is also prevented.

So I would love to see Groovy-related NIO additions to the ES security policy file.

Suggestion:

 permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
 permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.fs";

I can work around that with -Dsecurity.manager.enabled=false but I'm not sure if that should be recommended.

Should I open an issue?
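
Added example, not part of the original post and not Elasticsearch or Groovy code: a small Python helper that reads `AccessControlException` messages like the one above and turns each distinct denial into a policy-file `permission` entry, listing separately the ones that would open JDK-internal `sun.*` packages. The function names and the sample log are assumptions made for illustration; only the `sun.nio.fs` denial and the `sun.nio.ch` permission name come from the post.

```python
import re

# Format of the message text: access denied ("<class>" "<name>" ["<actions>"])
DENIED = re.compile(
    r'access denied \("(?P<cls>[\w.$]+)" "(?P<name>[^"]*)"(?: "(?P<actions>[^"]*)")?\)'
)

# Constructed sample log: the first two lines are taken from the post, the rest
# (including the FilePermission path) are invented for this example.
SAMPLE_LOG = '''\
Exception in thread "main" java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.nio.fs")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.nio.ch")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/constructed-example" "read")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.nio.fs")
'''

def denied_permissions(log_text):
    """Return unique (class, name, actions) tuples in first-seen order."""
    seen = []
    for m in DENIED.finditer(log_text):
        entry = (m.group("cls"), m.group("name"), m.group("actions"))
        if entry not in seen:
            seen.append(entry)
    return seen

def policy_lines(log_text):
    """Render each distinct denial as a policy-file permission entry."""
    lines = []
    for cls, name, actions in denied_permissions(log_text):
        line = f'permission {cls} "{name}"'
        if actions:
            line += f', "{actions}"'
        lines.append(line + ";")
    return lines

def internal_package_grants(log_text):
    """Denials that would expose JDK-internal sun.* packages; review these first."""
    return [name for cls, name, _ in denied_permissions(log_text)
            if cls == "java.lang.RuntimePermission"
            and name.startswith("accessClassInPackage.sun.")]

if __name__ == "__main__":
    print("\n".join(policy_lines(SAMPLE_LOG)))
    print("review:", internal_package_grants(SAMPLE_LOG))
```

The output is a list of candidate grants to review one by one, since each entry widens what code running under the security manager may do.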


(system) #2