How to customize plugin-security.policy for custom realm


(Kelly Davis) #1

I have a custom realm that uses OkHttpClient. When it is instantiated, it calls ProxySelector.getDefault() which requires 'permission java.net.NetPermission "getProxySelector"'. This is not granted to x-pack, so it breaks the realm. I tried editing the plugin policy for x-pack after the fact and it sort of works. Is that the best approach? When I try to do this using a customized Elasticsearch docker image, it fails (I have a Dockerfile that installs the x-pack, the realm, and then updates the x-pack plugin policy). If I run the custom image without starting up docker and then start it manually, it seems to pick up the change.


(Jay Modi) #2

You can add a custom policy for your custom realm at the same directory level as the descriptor properties file. It needs to have the file name x-pack-extension-security.policy. We will work on updating the example realm to include an example of this.


(Kelly Davis) #3

Ok, great. Thanks for the quick answer. I assume this isn't in the docs anywhere yet, right?


(Jay Modi) #4

Correct, it is not in the docs yet either.


(Kelly Davis) #5

So, now, after installing the custom realm extension I have a file named
x-pack-extension-security.policy in
/usr/share/elasticsearch/plugins/x-pack/extensions/mycustomrealm.

The contents of the file is:

grant {
permission java.net.NetPermission "getProxySelector";
};

I am still getting an error: java.security.AccessControlException: access
denied ("java.net.NetPermission" "getProxySelector") when the client is
instantiated. Any ideas? This is with 5.1.1.


(Jay Modi) #6

Is the code that is calling the OkHttp code that needs additional privileges wrapped in a doPrivileged block?

import java.security.AccessController;
import java.security.PrivilegedAction;

AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
    // privileged code goes here
    return null;
});
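
As an added worked example (not code from this thread, from x-pack, or from the example realm), this is how a custom realm can wrap the OkHttpClient construction in a doPrivileged block so that the ProxySelector.getDefault() call inside the constructor passes the Elasticsearch SecurityManager. It assumes the x-pack-extension-security.policy file shown earlier in the thread grants java.net.NetPermission "getProxySelector" to the extension, that the class is packaged in the extension jar that policy applies to, and that the package and class names (com.example.customrealm, PrivilegedHttpClientFactory) are hypothetical.

```java
// Added example for an x-pack custom realm; package and class names are hypothetical.
package com.example.customrealm;

import java.security.AccessController;
import java.security.PrivilegedAction;

import okhttp3.OkHttpClient;
import org.elasticsearch.SpecialPermission;

public final class PrivilegedHttpClientFactory {

    private PrivilegedHttpClientFactory() {}

    /**
     * Builds the OkHttpClient with the realm's own permissions only.
     *
     * By default the SecurityManager walks the whole call stack and every frame
     * must hold the permission; a doPrivileged frame stops that walk, so only the
     * extension's policy (x-pack-extension-security.policy) has to grant
     * java.net.NetPermission "getProxySelector".
     */
    public static OkHttpClient createClient() {
        // Elasticsearch convention before elevating privileges: confirm the
        // caller is itself trusted. SpecialPermission is held by plugin and
        // core code but not by scripts, so script code cannot reach this
        // privileged block through the realm.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new SpecialPermission());
        }

        // Keep the privileged region as small as possible: only the client
        // construction (which calls ProxySelector.getDefault()) runs elevated.
        // Request execution later happens with normal permissions, so the
        // policy must still grant any SocketPermission the realm needs.
        return AccessController.doPrivileged(
            (PrivilegedAction<OkHttpClient>) () -> new OkHttpClient.Builder().build());
    }
}
```

The realm then calls PrivilegedHttpClientFactory.createClient() once when it is instantiated and reuses the client. Keeping the doPrivileged lambda to a single constructor call, rather than wrapping the whole authentication path, limits how much code runs with the extension's full grant and keeps the policy file a faithful record of what the realm actually needs.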

(Kelly Davis) #7

Thank you. That was the problem. I am not too familiar with the Java SecurityManager so this is new to me.


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.