I'm writing a plugin that provides authentication for Elasticsearch.
In current version of elasticsearch (5.1.1 and 5.1.2) it's not possible to turn off Security Manager and we have to grand permissions directly (for example in plugin-security.policy file) and wrap code in
> AccessController.doPrivileged( ).
But one of the libraries that I use runs background threads that are causing the security exception (java caffeine cache). So I don't have the ability to change the code causing the error.
Do we still have some workaround to turn off security manager?
There are options to set policies more global, but the problem that background threads don't have permission still stays.
I don't believe we can turn it off, no. I'm not an expert in it, but I think you should be able to get the background thread into the plugin's security context. I think if you create and start the thread within your plugin's doPrivileged block it should run in your plugin's security context.
As I mentioned when you opened #22692 yesterday, you can not disable the security manager. We might be able to provide you guidance if you provide a stack trace for the access control exception.
Here is the stack trace that I get.
I do know it is only a warning, but the same situation may arise with a library without this exception handling
Jan 19, 2017 3:08:59 PM com.github.benmanes.caffeine.cache.BoundedLocalCache scheduleDrainBuffers
WARNING: Exception thrown when submitting maintenance task
java.lang.Error: java.security.AccessControlException: access denied ("org.elasticsearch.ThreadPermission" "modifyArbitraryThreadGroup")
at java.util.concurrent.ForkJoinWorkerThread$InnocuousForkJoinWorkerThread.createThreadGroup(ForkJoinWorkerThread.java:269)
at java.util.concurrent.ForkJoinWorkerThread$InnocuousForkJoinWorkerThread.(ForkJoinWorkerThread.java:216)
at java.util.concurrent.ForkJoinPool$InnocuousForkJoinWorkerThreadFactory$1.run(ForkJoinPool.java:3471)
at java.util.concurrent.ForkJoinPool$InnocuousForkJoinWorkerThreadFactory$1.run(ForkJoinPool.java:3469)
at java.security.AccessController.doPrivileged(Native Method)
at java.util.concurrent.ForkJoinPool$InnocuousForkJoinWorkerThreadFactory.newThread(ForkJoinPool.java:3468)
at java.util.concurrent.ForkJoinPool.createWorker(ForkJoinPool.java:1485)
at java.util.concurrent.ForkJoinPool.tryAddWorker(ForkJoinPool.java:1517)
at java.util.concurrent.ForkJoinPool.signalWork(ForkJoinPool.java:1634)
at java.util.concurrent.ForkJoinPool.externalSubmit(ForkJoinPool.java:2367)
at java.util.concurrent.ForkJoinPool.externalPush(ForkJoinPool.java:2419)
at java.util.concurrent.ForkJoinPool.execute(ForkJoinPool.java:2648)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.scheduleDrainBuffers(BoundedLocalCache.java:971)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.scheduleAfterWrite(BoundedLocalCache.java:938)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.afterWrite(BoundedLocalCache.java:908)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.putFast(BoundedLocalCache.java:1536)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.put(BoundedLocalCache.java:1474)
at com.github.benmanes.caffeine.cache.LocalManualCache.put(LocalManualCache.java:64)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider$2.run(OAuthAuthenticationProvider.java:226)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider$2.run(OAuthAuthenticationProvider.java:224)
at java.security.AccessController.doPrivileged(Native Method)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider.cacheClient(OAuthAuthenticationProvider.java:224)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider.verifyToken(OAuthAuthenticationProvider.java:214)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider.authenticate(OAuthAuthenticationProvider.java:152)
at com.netcracker.elasticsearch.plugin.authentication.ProvidedAuthenticationService$1.run(ProvidedAuthenticationService.java:42)
at com.netcracker.elasticsearch.plugin.authentication.ProvidedAuthenticationService$1.run(ProvidedAuthenticationService.java:40)
at java.security.AccessController.doPrivileged(Native Method)
at com.netcracker.elasticsearch.plugin.authentication.ProvidedAuthenticationService.authenticate(ProvidedAuthenticationService.java:40)
at com.netcracker.elasticsearch.plugin.authentication.filter.OAuth2BearerAuthorizationFilter.authenticate(OAuth2BearerAuthorizationFilter.java:110)
at com.netcracker.elasticsearch.plugin.authentication.filter.OAuth2BearerAuthorizationFilter.process(OAuth2BearerAuthorizationFilter.java:87)
at com.netcracker.elasticsearch.plugin.authentication.filter.delegate.RestFilterDelegator.process(RestFilterDelegator.java:33)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310)
at com.netcracker.elasticsearch.plugin.authentication.filter.HttpBasicAuthenticationFilter.process(HttpBasicAuthenticationFilter.java:93)
at com.netcracker.elasticsearch.plugin.authentication.filter.delegate.RestFilterDelegator.process(RestFilterDelegator.java:33)
at
org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:203)
at org.elasticsearch.http.HttpServer.dispatchRequest(HttpServer.java:113)
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:507)
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69)
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351)
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351)
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111)
We are committed to running Elasticsearch with the security manager, we think it's an important component of securing Elasticsearch from being exploited. We do not consider turning it off a valid use case, especially for a security plugin. As such, the ability to turn off the security manager is intentionally disabled.
Secondly, there's a is an LRU cache implementation in core Elasticsearch (org.elasticsearch.common.cache.Cache); you should just use that and avoid this problem altogether.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.