Groovy scripting security issue since 2.2.0


#1

Since Elastic version 2.2.0 my Groovy script that is using JsonSlurper no longer works due to permission checking.

I found no way of getting it running except with disabling the new security policy checking with the deprecated key --security.manager.enabled false

I've tried to run the following simple test script:
import groovy.json.JsonSlurper;
def jsonSlurper = new JsonSlurper();
def message = jsonSlurper.parseText(_json);

with these policy settings without success:
grant {
permission java.util.PropertyPermission "groovy.json.internKeys", "read";
permission org.elasticsearch.script.ClassPermission "java.lang.Class";
permission org.elasticsearch.script.ClassPermission "groovy.json.JsonSlurper";
permission org.elasticsearch.script.ClassPermission "groovy.json.internal.";
permission org.elasticsearch.script.ClassPermission "groovy.json.internal.JsonParserCharArray";
permission org.elasticsearch.script.ClassPermission "org.elasticsearch.common.logging.
";
};

When first trying to run the script, I get SecurityException[access denied ("java.util.PropertyPermission" "groovy.json.internKeys" "read") .

Every successive attempt to execute the script then gives NoClassDefFoundError[Could not initialize class groovy.json.internal.JsonParserCharArray];

Can anybody help me getting JsonSlurper to work with security checking enabled?

Thanks.


(Jason Tedor) #2

Thanks for reporting. I opened #16808 to address which we can get into a maintenance release.


(system) #3