Custom Realm Set Security permissions

My custom realm x-pack plugin makes an authorization attempt over HTTP to an external user-store. This worked okay in previous versions of x-pack. However, x-pack security permissions may have been re-organized slightly since. I get the following exception:

[2018-04-10T13:36:05,258][DEBUG][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 1] Request connection for {}->http://192.168.1.168:8225
[2018-04-10T13:36:05,260][DEBUG][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection request: [route: {}->http://192.168.1.168:8225][total kept alive: 0; route allocated: 0 of 5; total allocated: 0 of 5]
[2018-04-10T13:36:05,269][ERROR][o.a.h.i.n.c.InternalHttpAsyncClient] I/O reactor terminated abnormally
java.security.AccessControlException: access denied ("java.net.SocketPermission" "192.168.1.168:8225" "connect,resolve")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_161]
	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_161]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_161]
	at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051) ~[?:1.8.0_161]
	at sun.nio.ch.SocketChannelImpl.connect(SocketChannelImpl.java:625) ~[?:?]
	at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processSessionRequests(DefaultConnectingIOReactor.java:273) ~[httpcore-nio-4.4.5.jar:4.4.5]
	at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvents(DefaultConnectingIOReactor.java:139) ~[httpcore-nio-4.4.5.jar:4.4.5]
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor.execute(AbstractMultiworkerIOReactor.java:348) ~[httpcore-nio-4.4.5.jar:4.4.5]
	at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager.execute(PoolingNHttpClientConnectionManager.java:192) ~[httpasyncclient-4.1.2.jar:4.1.2]
	at org.apache.http.impl.nio.client.CloseableHttpAsyncClientBase$1.run(CloseableHttpAsyncClientBase.java:64) [httpasyncclient-4.1.2.jar:4.1.2]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

Do you know how to define permission for this operation? Is it in the x-pack-extension-security.policy bundled with the plugin? Is it on the filesystem at:
/usr/share/elasticsearch/plugins/x-pack/x-pack-security/plugin-security.policy

What should the content of this file be for this request? I'm currently using Java 8. Any help would be much appreciated.
Thanks.
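
Added example, not part of the original post and not Elastic's code: a Python helper that reads the `AccessControlException` message shown in the log above and emits a Java policy `grant` entry for exactly the denied host, port and actions, leaving wildcard targets for manual review. Which policy file the plugin actually loads is the open question of the post and is not assumed here; the function names are hypothetical.

```python
import re

# Matches the message format of java.security.AccessControlException:
#   access denied ("<permission class>" "<target name>" "<actions>")
# The actions field is absent for permissions that have none.
DENIED = re.compile(
    r'access denied \("(?P<cls>[\w.$]+)" "(?P<name>[^"]*)"(?: "(?P<actions>[^"]*)")?\)'
)

# Permission classes too broad to grant automatically.
BROAD_CLASSES = {"java.security.AllPermission"}


def parse_denials(log_text):
    """Return unique (class, name, actions) tuples in order of first appearance."""
    seen = []
    for m in DENIED.finditer(log_text):
        entry = (m.group("cls"), m.group("name"), m.group("actions"))
        if entry not in seen:
            seen.append(entry)
    return seen


def is_broad(cls, name):
    """Flag grants that would cover far more than the single denied operation."""
    return cls in BROAD_CLASSES or name == "<<ALL FILES>>" or name.startswith("*")


def policy_for(log_text):
    """Build a Java policy 'grant' block covering exactly the denied permissions."""
    lines = ["grant {"]
    for cls, name, actions in parse_denials(log_text):
        if is_broad(cls, name):
            lines.append(f'  // REVIEW MANUALLY, not granted: {cls} "{name}"')
            continue
        target = f'"{name}"' + (f', "{actions}"' if actions else "")
        lines.append(f"  permission {cls} {target};")
    lines.append("};")
    return "\n".join(lines)


# The exception line from the post, plus one constructed line to show the review path.
SAMPLE_LOG = '''
java.security.AccessControlException: access denied ("java.net.SocketPermission" "192.168.1.168:8225" "connect,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "*" "connect,resolve")
'''

if __name__ == "__main__":
    print(policy_for(SAMPLE_LOG))
```

The generated entry is scoped to the single endpoint in the stack trace, so a change of user-store address shows up as a new denial in the log.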
