Customize Java security manager settings?

(Li Xu) #1

I'm writing a plugin that calls Jackson to deserialize a JSON string into a Java object. I understand that in ES 5+ access is pretty much locked down. So is there a way to enable Jackson to do its thing? I'm getting this when submitting a doc:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "mapper_parsing_exception",
        "reason" : "failed to parse [content.iso639]"
      }
    ],
    "type" : "mapper_parsing_exception",
    "reason" : "failed to parse [content.iso639]",
    "caused_by" : {
      "type" : "access_control_exception",
      "reason" : "access denied (\"java.lang.RuntimePermission\" \"accessDeclaredMembers\")"
    }
  },
  "status" : 400
}

(Li Xu) #2

Just to clarify that I have tried to grant that in the plugin's plugin-security.policy file, and when installing the plugin I did see the warning, but still it doesn't seem to work ...

from bin/elasticsearch-plugin install:
@ WARNING: plugin requires additional permissions @
* java.lang.RuntimePermission accessDeclaredMembers
for descriptions of what these permissions allow and the associated risks.

(David Pilato) #3

In case it helps:

(Li Xu) #4

I did look at that page and here's my simple policy file:

grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};

I used the --batch argument when installing the plugin, which supposedly accepts the security warning.

(David Pilato) #5

Is this file available in your final ZIP file?

Did you also then add:

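// ES permission you should check before doPrivileged() blocks
import org.elasticsearch.SpecialPermission;
import java.security.AccessController;
import java.security.PrivilegedAction;

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
  // unprivileged code such as scripts do not have SpecialPermission
  sm.checkPermission(new SpecialPermission());
}
// run the sensitive call with the plugin's own granted permissions
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
  // sensitive operation
  return null;
});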

In your code?

(Li Xu) #6

Yeah I did.

I just found my problem: I missed ReflectPermission and didn't pay close attention to the error message.

Btw, do you know how to deal with conflicting versions of jackson-core (mine is from a dependency jar which is older than ES's)? Is shading mine the only answer?

(David Pilato) #7

If you can't use the one provided by elasticsearch core as yours is really really old, then yeah, shading is the only option I can see.

My 2 cents
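
Added example, not part of the original thread and not Elasticsearch code: a Python check for the two points raised above, whether plugin-security.policy is actually packaged in the plugin ZIP and whether every permission named in an "access denied" message is granted by it. The ZIP entry path, the sample log lines and the ReflectPermission target name "suppressAccessChecks" are constructed assumptions.

```python
import io
import re
import zipfile

POLICY_NAME = "plugin-security.policy"
# Denial as printed by ES, with or without the JSON backslash-escaped quotes.
DENIED_RE = re.compile(r'access denied \(\\?"([\w.$]+)\\?"\s+\\?"([^"\\]+)\\?"')
# Policy entry anchored at line start, so "// permission ..." lines are ignored.
GRANT_RE = re.compile(r'^\s*permission\s+([\w.$]+)\s+"([^"]+)"', re.M)


def denied_permissions(log_text):
    """(class, target) pairs named in access_control_exception reasons."""
    return set(DENIED_RE.findall(log_text))


def policy_from_zip(zip_bytes):
    """Policy text packaged anywhere in the plugin ZIP, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == POLICY_NAME:
                return zf.read(name).decode("utf-8")
    return None


def missing_grants(zip_bytes, log_text):
    """Denied permissions that the packaged policy does not grant."""
    policy = policy_from_zip(zip_bytes)
    granted = set(GRANT_RE.findall(policy)) if policy else set()
    return sorted(denied_permissions(log_text) - granted)


def sample_inputs():
    """Constructed inputs: a ZIP with the thread's policy and two denials."""
    policy = 'grant {\n    permission java.lang.RuntimePermission "accessDeclaredMembers";\n};\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("elasticsearch/" + POLICY_NAME, policy)  # assumed entry path
    log = (
        '"reason" : "access denied (\\"java.lang.RuntimePermission\\" \\"accessDeclaredMembers\\")"\n'
        # Constructed line; "suppressAccessChecks" is an assumed target name.
        '"reason" : "access denied (\\"java.lang.reflect.ReflectPermission\\" \\"suppressAccessChecks\\")"\n'
    )
    return buf.getvalue(), log


if __name__ == "__main__":
    for cls, target in missing_grants(*sample_inputs()):
        print(f'missing: permission {cls} "{target}";')
```

The check reads only line-style `permission` entries and does not interpret `/* */` block comments or codeBase scoping.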
