How to customize plugin-security.policy for custom realm

(Kelly Davis) #1

I have a custom realm that uses OkHttpClient. When it is instantiated, it calls ProxySelector.getDefault() which requires 'permission "getProxySelector"'. This is not granted to x-pack, so it breaks the realm. I tried editing the plugin policy for x-pack after the fact and it sort of works. Is that the best approach? When I try to do this using a customized Elasticsearch docker image, it fails (I have a Dockerfile that installs the x-pack, the realm, and then updates the x-pack plugin policy). If I run the custom image without starting up docker and then start it manually, it seems to pick up the change.

(Jay Modi) #2

You can add a custom policy for your custom realm at the same directory level as the descriptor properties file. It needs to have the file name x-pack-extension-security.policy. We will work on updating the example realm to include an example of this.

(Kelly Davis) #3

Ok, great. Thanks for the quick answer. I assume this isn't in the docs anywhere yet, right?

(Jay Modi) #4

Correct, it is not in the docs yet either.

(Kelly Davis) #5

So, now, after installing the custom realm extension I have a file named
x-pack-extension-security.policy in

The contents of the file are:

grant {
  permission java.net.NetPermission "getProxySelector";
};

I am still getting an error: access denied ("" "getProxySelector") when the client is instantiated. Any ideas? This is with 5.1.1.

(Jay Modi) #6

Is the code that is calling the OkHttp code that needs additional privileges wrapped in a doPrivileged block?

AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
    // privileged code goes here
    return null;
});
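
An added example, not part of the original thread and not x-pack's own code: a small helper showing the doPrivileged wrapping for the ProxySelector lookup, plus a variant for calls that throw IOException. The class, interface and method names are hypothetical; only JDK classes are used.

```java
import java.io.IOException;
import java.net.ProxySelector;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/** Hypothetical helper for a custom realm; names are illustrative. */
final class PrivilegedHttp {

    /** Hypothetical stand-in for an HTTP call that may throw IOException. */
    @FunctionalInterface
    interface IoCall<T> {
        T run() throws IOException;
    }

    private PrivilegedHttp() {}

    // A permission check walks the whole call stack, including the callers of
    // the realm. doPrivileged stops the walk at this frame, so only this jar's
    // protection domain needs the grant from x-pack-extension-security.policy:
    //   grant { permission java.net.NetPermission "getProxySelector"; };
    // Keep the privileged section to the single call that needs the permission.
    static ProxySelector defaultProxySelector() {
        return AccessController.doPrivileged(
                (PrivilegedAction<ProxySelector>) ProxySelector::getDefault);
    }

    // Variant for code that throws a checked exception. The cast selects the
    // PrivilegedExceptionAction overload; PrivilegedActionException only wraps
    // checked exceptions, which here can only be IOException.
    static <T> T withIo(IoCall<T> call) throws IOException {
        try {
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<T>) call::run);
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getCause();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(defaultProxySelector());
        // Constructed stand-in for building the client or sending a request.
        System.out.println(withIo(() -> "client ready"));
    }
}
```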

(Kelly Davis) #7

Thank you. That was the problem. I am not too familiar with the Java SecurityManager, so this is new to me.
