Customize Java security manager settings?

I'm writing a plugin that calls Jackson to deserialize a JSON string into a Java object. I understand that in ES 5+ access is pretty much locked down. So is there a way to enable Jackson to do its thing? I'm getting this when submitting a doc:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "mapper_parsing_exception",
        "reason" : "failed to parse [content.iso639]"
      }
    ],
    "type" : "mapper_parsing_exception",
    "reason" : "failed to parse [content.iso639]",
    "caused_by" : {
      "type" : "access_control_exception",
      "reason" : "access denied (\"java.lang.RuntimePermission\" \"accessDeclaredMembers\")"
    }
  },
  "status" : 400
}

Just to clarify: I have tried to grant that in the plugin's plugin-security.policy file, and when installing the plugin I did see the warning, but it still doesn't seem to work ...

from bin/elasticsearch-plugin install:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

In case it helps:

https://www.elastic.co/guide/en/elasticsearch/plugins/current/plugin-authors.html#_java_security_permissions

I did look at that page and here's my simple policy file:

grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};

I used the --batch argument when installing the plugin, which supposedly accepts the security warning.

Is this file available in your final ZIP file?

Did you also then add:

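// ES permission you should check before doPrivileged() blocks
import org.elasticsearch.SpecialPermission;
import java.security.AccessController;
import java.security.PrivilegedAction;

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
  // unprivileged code such as scripts do not have SpecialPermission
  sm.checkPermission(new SpecialPermission());
}
// doPrivileged() takes a PrivilegedAction; the sensitive call goes in its body
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
  // sensitive operation
  return null;
});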

In your code?

Yeah I did.

I just found my problem where I missed ReflectPermission and didn't pay close attention to the error message.

Btw, do you know how to deal with conflicting versions of jackson-core (mine is from a dependency jar which is older than ES's)? Is shading mine the only answer?

If you can't use the one provided by elasticsearch core as yours is really really old, then yeah, shading is the only option I can see.

My 2 cents
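
The pieces the thread arrives at (both permissions in plugin-security.policy, the SpecialPermission check, and the Jackson call inside doPrivileged) put together as an added example; it is not code from any of the posters or from Elasticsearch. The class name PrivilegedJson is hypothetical, and the ReflectPermission target "suppressAccessChecks" is an assumption, since the thread names the permission class but not its target.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.elasticsearch.SpecialPermission;

// plugin-security.policy, packaged in the plugin ZIP (assumed contents; the
// second grant is the ReflectPermission target assumed for this example):
//
//   grant {
//     permission java.lang.RuntimePermission "accessDeclaredMembers";
//     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
//   };

/** Hypothetical helper: the plugin routes every Jackson call through here. */
public final class PrivilegedJson {

    // Built inside doPrivileged as well, in case construction touches reflection.
    private static final ObjectMapper MAPPER =
        AccessController.doPrivileged((PrivilegedAction<ObjectMapper>) ObjectMapper::new);

    private PrivilegedJson() {}

    public static <T> T read(String json, Class<T> type) throws IOException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Fails fast for unprivileged callers such as scripts.
            sm.checkPermission(new SpecialPermission());
        }
        try {
            // The permission check stops at this frame, so only the plugin's own
            // grants matter; callers further up the stack are not consulted.
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<T>) () -> MAPPER.readValue(json, type));
        } catch (PrivilegedActionException e) {
            // Only checked exceptions are wrapped; readValue throws IOException.
            throw (IOException) e.getException();
        }
    }
}
```

Keeping the privileged block to the single readValue call limits what runs with the extra grants; an access_control_exception that still appears names the exact permission and target to add to the policy file.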
