Customize Java security manager settings?


(Li Xu) #1

I'm writing a plugin that calls Jackson to deserialize a JSON string into a Java object. I understand that in ES 5+ access is pretty much locked down. So is there a way to enable Jackson to do its thing? I'm getting this when submitting a doc:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "mapper_parsing_exception",
        "reason" : "failed to parse [content.iso639]"
      }
    ],
    "type" : "mapper_parsing_exception",
    "reason" : "failed to parse [content.iso639]",
    "caused_by" : {
      "type" : "access_control_exception",
      "reason" : "access denied (\"java.lang.RuntimePermission\" \"accessDeclaredMembers\")"
    }
  },
  "status" : 400
}

(Li Xu) #2

Just to clarify that I have tried to grant that in the plugin's plugin-security.policy file, and when installing the plugin I did see the warning, but still it doesn't seem to work ...

from bin/elasticsearch-plugin install:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.


(David Pilato) #3

In case it helps:

https://www.elastic.co/guide/en/elasticsearch/plugins/current/plugin-authors.html#_java_security_permissions


(Li Xu) #4

I did look at that page and here's my simple policy file:

grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};

I used the --batch argument when installing the plugin, which supposedly accepts the security warning.


(David Pilato) #5

Is this file available in your final ZIP file?

Did you also then add:

// ES permission you should check before doPrivileged() blocks
import java.security.AccessController;
import java.security.PrivilegedAction;
import org.elasticsearch.SpecialPermission;

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
  // unprivileged code such as scripts do not have SpecialPermission
  sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
  // sensitive operation
  return null;
});

In your code?


(Li Xu) #6

Yeah I did.

I just found my problem where I missed ReflectPermission and didn't pay close attention to the error message.

Btw, do you know how to deal with conflicting versions of jackson-core (mine is from a dependency jar which is older than ES's)? Is shading mine the only answer?


(David Pilato) #7

If you can't use the one provided by elasticsearch core as yours is really really old, then yeah, shading is the only option I can see.

My 2 cents

