Customize Java security manager settings (provide ability to turn it off)

Hello,

I'm writing a plugin that provides authentication for Elasticsearch.
In the current version of Elasticsearch (5.1.1 and 5.1.2) it's not possible to turn off the Security Manager, and we have to grant permissions directly (for example in the plugin-security.policy file) and wrap code in AccessController.doPrivileged().

But one of the libraries that I use runs background threads that are causing the security exception (Java Caffeine cache). So I don't have the ability to change the code causing the error.

Do we still have some workaround to turn off the security manager?

There are options to set policies more globally, but the problem that background threads don't have permission still stays.

I don't believe we can turn it off, no. I'm not an expert in it, but I think you should be able to get the background thread into the plugin's security context. I think if you create and start the thread within your plugin's doPrivileged block it should run in your plugin's security context.

As I mentioned when you opened #22692 yesterday, you cannot disable the security manager. We might be able to provide you guidance if you provide a stack trace for the access control exception.

Here is the stack trace that I get.
I do know it is only a warning, but the same situation may arise with a library without this exception handling.

Jan 19, 2017 3:08:59 PM com.github.benmanes.caffeine.cache.BoundedLocalCache scheduleDrainBuffers
WARNING: Exception thrown when submitting maintenance task
java.lang.Error: java.security.AccessControlException: access denied ("org.elasticsearch.ThreadPermission" "modifyArbitraryThreadGroup")
at java.util.concurrent.ForkJoinWorkerThread$InnocuousForkJoinWorkerThread.createThreadGroup(ForkJoinWorkerThread.java:269)
at java.util.concurrent.ForkJoinWorkerThread$InnocuousForkJoinWorkerThread.<init>(ForkJoinWorkerThread.java:216)
at java.util.concurrent.ForkJoinPool$InnocuousForkJoinWorkerThreadFactory$1.run(ForkJoinPool.java:3471)
at java.util.concurrent.ForkJoinPool$InnocuousForkJoinWorkerThreadFactory$1.run(ForkJoinPool.java:3469)
at java.security.AccessController.doPrivileged(Native Method)
at java.util.concurrent.ForkJoinPool$InnocuousForkJoinWorkerThreadFactory.newThread(ForkJoinPool.java:3468)
at java.util.concurrent.ForkJoinPool.createWorker(ForkJoinPool.java:1485)
at java.util.concurrent.ForkJoinPool.tryAddWorker(ForkJoinPool.java:1517)
at java.util.concurrent.ForkJoinPool.signalWork(ForkJoinPool.java:1634)
at java.util.concurrent.ForkJoinPool.externalSubmit(ForkJoinPool.java:2367)
at java.util.concurrent.ForkJoinPool.externalPush(ForkJoinPool.java:2419)
at java.util.concurrent.ForkJoinPool.execute(ForkJoinPool.java:2648)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.scheduleDrainBuffers(BoundedLocalCache.java:971)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.scheduleAfterWrite(BoundedLocalCache.java:938)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.afterWrite(BoundedLocalCache.java:908)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.putFast(BoundedLocalCache.java:1536)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.put(BoundedLocalCache.java:1474)
at com.github.benmanes.caffeine.cache.LocalManualCache.put(LocalManualCache.java:64)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider$2.run(OAuthAuthenticationProvider.java:226)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider$2.run(OAuthAuthenticationProvider.java:224)
at java.security.AccessController.doPrivileged(Native Method)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider.cacheClient(OAuthAuthenticationProvider.java:224)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider.verifyToken(OAuthAuthenticationProvider.java:214)
at com.netcracker.elasticsearch.plugin.authentication.provider.OAuthAuthenticationProvider.authenticate(OAuthAuthenticationProvider.java:152)
at com.netcracker.elasticsearch.plugin.authentication.ProvidedAuthenticationService$1.run(ProvidedAuthenticationService.java:42)
at com.netcracker.elasticsearch.plugin.authentication.ProvidedAuthenticationService$1.run(ProvidedAuthenticationService.java:40)
at java.security.AccessController.doPrivileged(Native Method)
at com.netcracker.elasticsearch.plugin.authentication.ProvidedAuthenticationService.authenticate(ProvidedAuthenticationService.java:40)
at com.netcracker.elasticsearch.plugin.authentication.filter.OAuth2BearerAuthorizationFilter.authenticate(OAuth2BearerAuthorizationFilter.java:110)
at com.netcracker.elasticsearch.plugin.authentication.filter.OAuth2BearerAuthorizationFilter.process(OAuth2BearerAuthorizationFilter.java:87)
at com.netcracker.elasticsearch.plugin.authentication.filter.delegate.RestFilterDelegator.process(RestFilterDelegator.java:33)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310)
at com.netcracker.elasticsearch.plugin.authentication.filter.HttpBasicAuthenticationFilter.process(HttpBasicAuthenticationFilter.java:93)
at com.netcracker.elasticsearch.plugin.authentication.filter.delegate.RestFilterDelegator.process(RestFilterDelegator.java:33)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:203)
at org.elasticsearch.http.HttpServer.dispatchRequest(HttpServer.java:113)
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:507)
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69)
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351)
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351)
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111)

Two things here:

We are committed to running Elasticsearch with the security manager, we think it's an important component of securing Elasticsearch from being exploited. We do not consider turning it off a valid use case, especially for a security plugin. As such, the ability to turn off the security manager is intentionally disabled.

Secondly, there is an LRU cache implementation in core Elasticsearch (org.elasticsearch.common.cache.Cache); you should just use that and avoid this problem altogether.
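
An added example, not code from this thread or from the Elasticsearch or Caffeine projects: the stack trace shows Caffeine submitting its maintenance task to ForkJoinPool, whose worker-thread creation is where the access check fails, so a plugin that keeps Caffeine can hand the cache an executor it controls. `TokenCache` and its method names are hypothetical, the size and expiry values are constructed, and the Caffeine jar is assumed to be on the plugin's classpath.

```java
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;

import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

/** Hypothetical token cache for an authentication plugin; all names are illustrative. */
public final class TokenCache {

    private final Cache<String, String> clientByToken;

    private TokenCache(Executor maintenanceExecutor) {
        this.clientByToken = Caffeine.newBuilder()
            .maximumSize(10_000)                      // constructed sample limits
            .expireAfterWrite(5, TimeUnit.MINUTES)
            // Replaces the default ForkJoinPool.commonPool(), the path that fails in the trace.
            .executor(maintenanceExecutor)
            .build();
    }

    /** Maintenance runs on the thread that wrote to the cache: no new thread is created. */
    public static TokenCache callerRuns() {
        return new TokenCache(Runnable::run);
    }

    /**
     * Maintenance runs on one plugin-owned daemon thread, created inside doPrivileged so the
     * check is made against the plugin's protection domain. Assumption: any thread permission
     * the node's policy requires for this is granted in plugin-security.policy.
     */
    public static TokenCache dedicatedThread() {
        return new TokenCache(Executors.newSingleThreadExecutor(task ->
            AccessController.doPrivileged((PrivilegedAction<Thread>) () -> {
                Thread t = new Thread(task, "token-cache-maintenance");
                t.setDaemon(true);
                return t;
            })));
    }

    public void put(String token, String clientId) {
        clientByToken.put(token, clientId);
    }

    public String get(String token) {
        return clientByToken.getIfPresent(token);
    }
}
```

`callerRuns()` is the lower-risk choice under a restrictive policy because it never creates a thread; the cost is that eviction work is done on the request thread.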
