I have written a custom plugin that includes some third-party jars that do magic stuff requiring certain permissions. So I have added them to my plugin-security.policy like this
grant {
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission org.elasticsearch.secure_sm.ThreadPermission "modifyArbitraryThreadGroup";
};
I'm also doing all sensitive stuff inside AccessController.doPrivileged and that's fine while only dealing with reflection. However, after adding the thread permission, ES does not even start up. (I'm trying to run it under gradle and the run task fails.)
I have a suspicion what might the cause: There is an org.elasticsearch.bootstrap.PolicyUtil, see here. In line 177 it sets the ALLOWED_PLUGIN_PERMISSIONS. If you look at the elements that are put into this collection, they are quite limited.
Does this mean that I cannot give my plugin jars all the permissions I want them to have? In particular, not the one mentioned above? Or is there a way around this? Can I somehow wrap this policy in my own and pre-empt the validation that is apparently done in method getModulePolicyInfo?
Perhaps I'm way off track here? This is the first time I have to do with a custom plugin, and documentation on plugin security is a bit scarce.