I have a custom realm that uses OkHttpClient. When it is instantiated, it calls ProxySelector.getDefault() which requires 'permission java.net.NetPermission "getProxySelector"'. This is not granted to x-pack, so it breaks the realm. I tried editing the plugin policy for x-pack after the fact and it sort of works. Is that the best approach? When I try to do this using a customized Elasticsearch docker image, it fails (I have a Dockerfile that installs the x-pack, the realm, and then updates the x-pack plugin policy). If I run the custom image without starting up docker and then start it manually, it seems to pick up the change.
You can add a custom policy for your custom realm at the same directory level as the descriptor properties file. It needs to have the file name x-pack-extension-security.policy. We will work on updating the example realm to include an example of this.
Ok, great. Thanks for the quick answer. I assume this isn't in the docs anywhere yet, right?
Correct, it is not in the docs yet either.
So, now, after installing the custom realm extension I have a file named x-pack-extension-security.policy in /usr/share/elasticsearch/plugins/x-pack/extensions/mycustomrealm.
The contents of the file are:
grant {
    permission java.net.NetPermission "getProxySelector";
};
I am still getting an error: java.security.AccessControlException: access denied ("java.net.NetPermission" "getProxySelector") when the client is instantiated. Any ideas? This is with 5.1.1.
Is the code that is calling the OkHttp code that needs additional privileges wrapped in a doPrivileged block?
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
    // privileged code goes here
    return null;
});
Thank you. That was the problem. I am not too familiar with the Java SecurityManager so this is new to me.
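An added example, not part of the original posts or of Elasticsearch's own code, showing the shape of the fix the thread arrived at: the policy file grants the permission to the realm's code, but the SecurityManager check walks the whole call stack, including callers that were not granted it, so the realm wraps the sensitive call in doPrivileged to stop the walk at its own frame. The class `RealmPrivileged` and its method names are hypothetical.

```java
import java.io.IOException;
import java.net.ProxySelector;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper for a custom realm; class and method names are illustrative.
public final class RealmPrivileged {
    private RealmPrivileged() {}

    // The call that failed in the thread. With OkHttp the lambda body would be
    // `new OkHttpClient()`, whose construction calls ProxySelector.getDefault().
    static ProxySelector defaultProxySelector() {
        return AccessController.doPrivileged(
            (PrivilegedAction<ProxySelector>) () -> ProxySelector.getDefault());
    }

    // Variant for privileged work that throws a checked exception: unwrap
    // PrivilegedActionException so callers see the original IOException.
    // Kept package-private so unrelated code cannot borrow the realm's grants.
    static <T> T privilegedIO(PrivilegedExceptionAction<T> action) throws IOException {
        try {
            return AccessController.doPrivileged(action);
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IllegalStateException(cause);
        }
    }

    public static void main(String[] args) {
        // Keep each privileged block as small as possible: only the call that
        // needs the granted permission.
        ProxySelector selector = defaultProxySelector();
        System.out.println("proxy selector: " + selector);

        // Constructed failure to show that the checked exception is unwrapped.
        try {
            privilegedIO(() -> { throw new IOException("constructed failure"); });
        } catch (IOException e) {
            System.out.println("unwrapped: " + e.getMessage());
        }
    }
}
```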