java.security.AccessControlException: access denied ("org.joda.time.JodaTimePermission" "DateTimeZone.setDefault")

Hi all, hope someone can help me with a permission issue

I can't seem to get access for permission: "org.joda.time.JodaTimePermission" "DateTimeZone.setDefault" in the plugin I am developing.

I have a plugin-security.policy (the other permissions granted work fine)

    grant {
      permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
      permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
      permission org.joda.time.JodaTimePermission "DateTimeZone.setDefault";
    };

All the code is included in the snippet

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
      sm.checkPermission(new SpecialPermission());
      sm.checkPermission(
          new SpecialPermission("org.joda.time.JodaTimePermission","DateTimeZone.setDefault"));
    }
    myObject = AccessController.doPrivileged(new PrivilegedAction<MyObject>() {
      public MyObject run() {
        // privileged code goes here
        logger.info("getScriptEngine() privileged");
        return MyObject.getInstance();
      }
    });

Also, I have excluded the joda-time library from the plugin jar, because it was creating a jar hell issue during installation, but I don't think it is related.

What is the actual stacktrace you receive? And why are you using SpecialPermission? That class is intended to reduce permissions of script invocations. By doing a check for it outside a doPrivileged, you would not have the permission granted. Finally, while I'm not sure what you are doing with DateTimeZone, be aware that we are removing joda time from Elasticsearch in 7.0 (and moving to the Java 8 time api).

Thank you for your response.

I was using a special permission, following the example at https://www.elastic.co/guide/en/elasticsearch/plugins/6.0/plugin-authors.html
I am using Elasticsearch 6.0.1 at the moment (this is the version for the plugin). Thanks for the heads-up regarding the Java time API.

This is the stack trace:

search-6_1                            | [2018-12-18T19:44:54,520][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [] fatal error in thread [main], exiting
search-6_1                            | java.lang.ExceptionInInitializerError: null
search-6_1                            | 	[…]
search-6_1                            | 	at com.poitevinpm.elasticsearch.plugin.elasticsearch.Plugin$1.run(Plugin.java:46) ~[?:?]
search-6_1                            | 	at com.poitevinpm.elasticsearch.plugin.elasticsearch.Plugin$1.run(Plugin.java:40) ~[?:?]
search-6_1                            | 	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_151]
search-6_1                            | 	at com.poitevinpm.elasticsearch.plugin.elasticsearch.Plugin.getScriptEngine(Plugin.java:40) ~[?:?]
search-6_1                            | 	at org.elasticsearch.script.ScriptModule.<init>(ScriptModule.java:66) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.node.Node.<init>(Node.java:326) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.node.Node.<init>(Node.java:245) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:130) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:121) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:69) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | Caused by: java.security.AccessControlException: access denied ("org.joda.time.JodaTimePermission" "DateTimeZone.setDefault")
search-6_1                            | 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_151]
search-6_1                            | 	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_151]
search-6_1                            | 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_151]
search-6_1                            | 	at org.joda.time.DateTimeZone.setDefault(DateTimeZone.java:184) ~[joda-time-2.9.5.jar:2.9.5]
search-6_1                            | 	at com.poitevinpm.AppObjectMapper.<init>(AppObjectMapper.java:21) ~[?:?]
search-6_1                            | 	at com.poitevinpm.AppObjectMapper.<clinit>(AppObjectMapper.java:14) ~[?:?]
search-6_1                            | 	... 22 more
search-6_1 exited with code 1

This is as I expected. Don't do the check on special permission.

The logs I put were the ones I got when removing the SpecialPermission check. It fails at runtime because somewhere in my code there is:

    DateTimeZone.setDefault(DateTimeZone.UTC);

Ok, I don't think this can work because the joda jar is provided by elasticsearch server. The permission is only granted to your plugin jar and the dependencies it provides.

Taking a step back, why are you trying to force the timezone programmatically? This could be done through java system properties by passing -Duser.timezone=UTC.
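The reply above says the grant covers only the plugin jar and the dependencies it ships, while the Joda jar on the stack belongs to the server. The following added example (not code from this thread or from Elasticsearch) reproduces that rule with plain JDK classes: a permission check passes only if every protection domain on the stack implies the permission. It assumes a Java 8 to 17 runtime; `ZonePermission` is a hypothetical stand-in for `org.joda.time.JodaTimePermission`, and the jar paths are constructed.

```java
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class DomainIntersectionDemo {
    // Hypothetical stand-in for org.joda.time.JodaTimePermission (no joda jar needed).
    static final class ZonePermission extends BasicPermission {
        ZonePermission(String name) { super(name); }
    }

    // Protection domain for a constructed jar location holding exactly the given grants.
    static ProtectionDomain domain(String jarUrl, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        CodeSource cs = new CodeSource(new URL(jarUrl), (Certificate[]) null);
        return new ProtectionDomain(cs, perms);
    }

    // True only if every domain in the simulated call stack implies the permission.
    static boolean allowed(Permission p, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Permission setDefault = new ZonePermission("DateTimeZone.setDefault");
        // Plugin jar: granted the permission, as in plugin-security.policy.
        ProtectionDomain plugin = domain("file:/plugins/my-plugin/my-plugin.jar", setDefault);
        // Server-provided joda jar: assumed, per the reply, to have no such grant.
        ProtectionDomain serverJoda = domain("file:/lib/joda-time.jar");

        System.out.println("plugin frames only:       " + allowed(setDefault, plugin));
        System.out.println("plugin + server joda jar: " + allowed(setDefault, plugin, serverJoda));
    }
}
```

`doPrivileged` only stops the stack walk at the plugin frame that called it; frames it goes on to call, here `DateTimeZone.setDefault` from the server's jar, are still checked against their own domain.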
