ES 5.0 Security Policy for plugin using JNA to load libs


(Teemu Kanstrén) #1

Hi all,

I am trying to upgrade to ElasticSearch 5.0.1. As part of this, I am trying to get the Finnish language analyzer plugin from https://bitbucket.org/evidentsolutions/elasticsearch-analysis-voikko/overview to work with it. I seem to have it otherwise working but the security manager issue mentioned also on that bitbucket URL is giving me some issues. To explain:

I have put the "plugin-security.policy" file in the directory with the rest of the plugin files. Everything else for the plugin seems to be loading fine but the security manager keeps throwing exceptions such as:

java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/lib/liblibvoikko.so.1.dylib" "read")

The plugin-security.policy has the line

    grant {
      permission java.io.FilePermission "/usr/lib/liblibvoikko.so.1.dylib", "read";
    };

and I invoke the part of the library that leads to trying to access this file with an AccessController.doPrivileged() block.

I am not sure if the plugin policy file is loaded or not, as I do not see any complaints about it on the console. I understood that there would be some message to accept for plugins that ask for extra permissions. So maybe it is not correctly configured even, but I did not find a good way to check. In any case, it is in the same dir as the plugin-descriptor.properties file, which loads fine.

So again, on the bitbucket page for the plugin there is mention that this has also been an issue for versions 2.X and would be due to the ElasticSearch jars already including JNA and thus not being able to package it with the plugin, which leads to the security policy not being applied to JNA as it is not in the scope of the plugin. The workaround suggested for 2.X was to disable security manager but in 5.X this is no longer supported.

So I finally managed to get it to work by putting all the permissions needed into the JRE java.policy file. After this it seems to work just fine. But I feel this is slightly naughty, and also a bit of work every time. So is there any alternative to fix this to get security policies to work with JNA? Give the policy file as parameter to ES start script? Get the plugin policy file accepted somehow? Anything..? :)

Thanks,
Teemu


(Jörg Prante) #2

It works with JNA, but, as the authors of the libvoikko plugin correctly analyzed at https://bitbucket.org/evidentsolutions/elasticsearch-analysis-voikko/src, it works for JNA in the scope of Elasticsearch core libs only, not for any plugins that use JNA. Plugins of Elasticsearch are now secondary, no longer first order citizens, i.e. plugin-security.policy does not override or modify the security for ES JNA lib :(

You could try to prepare a special libvoikko-enabled ES distribution by unpacking lib/elasticsearch-5.x.y.jar, modifying the org/elasticsearch/bootstrap/security.policy file with the additional settings you need, and creating a new jar.
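
The unpack, modify and repack step from the reply above, as an added example that is not part of the thread or of Elasticsearch: it copies the core jar to a new file and appends one grant to the bundled policy. The function name `patch_policy` and the output file name are hypothetical, and the appended grant is simply the one from the question's plugin-security.policy; whether that unscoped grant suits your build is an assumption.

```python
import zipfile
from pathlib import Path

# Policy entry inside the core jar, as named in the reply above.
POLICY_ENTRY = "org/elasticsearch/bootstrap/security.policy"

# Grant copied from the question's plugin-security.policy. Keep it this narrow:
# one file, read-only, rather than a directory wildcard.
EXTRA_GRANT = '''
// added for the libvoikko analysis plugin (custom build, not upstream)
grant {
  permission java.io.FilePermission "/usr/lib/liblibvoikko.so.1.dylib", "read";
};
'''


def patch_policy(src_jar, dst_jar, extra_grant=EXTRA_GRANT):
    """Write dst_jar as a copy of src_jar with extra_grant appended to the policy.

    Returns the patched policy text. Raises KeyError if the jar has no policy
    entry and ValueError if the grant is already there, so re-running the step
    on an already patched jar does not stack duplicate grants.
    """
    src_jar, dst_jar = Path(src_jar), Path(dst_jar)
    if src_jar.resolve() == dst_jar.resolve():
        raise ValueError("write to a new file; keep the shipped jar for diffing")

    with zipfile.ZipFile(src_jar) as src:
        text = src.read(POLICY_ENTRY).decode("utf-8")   # KeyError if missing
        if extra_grant.strip() in text:
            raise ValueError("grant already present in policy")
        patched = text.rstrip("\n") + "\n" + extra_grant

        # Validation is done before the output is opened, so a failure above
        # never leaves a half-written jar behind.
        with zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():      # same entries, same order
                if info.filename == POLICY_ENTRY:
                    data = patched.encode("utf-8")
                else:
                    data = src.read(info)
                dst.writestr(info, data)
    return patched


if __name__ == "__main__":
    # File names are placeholders; "5.x.y" is left elided as in the thread.
    print(patch_policy("lib/elasticsearch-5.x.y.jar", "elasticsearch-patched.jar"))
```

Diff the policy entry of the shipped and patched jars before deploying, and repeat the step after every Elasticsearch upgrade, since a new core jar brings back the unmodified policy.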


(Teemu Kanstrén) #3

OK, thanks for the confirmation and workaround. I will take a look at the ES jar policy file, at least that would be better than putting it in the global JRE list, and using a custom ES jar is hopefully not too difficult..

