java.security.AccessControlException: access denied ("org.joda.time.JodaTimePermission" "DateTimeZone.setDefault")

poitevinpm · December 18, 2018, 6:37pm

Hi all, hope someone can help me with a permission issue

I can't seem to get access for permission: "org.joda.time.JodaTimePermission" "DateTimeZone.setDefault" in the plugin I am developing.

I have a plugin-security.policy (the other permissions granted work fine)

grant {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission org.joda.time.JodaTimePermission "DateTimeZone.setDefault";
};

All the code is included in the snippet

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
      sm.checkPermission(new SpecialPermission());
      sm.checkPermission(
          new SpecialPermission("org.joda.time.JodaTimePermission","DateTimeZone.setDefault"));
    }
    myObject = AccessController.doPrivileged(new PrivilegedAction<MyObject>() {
      public MyObject run() {
        // privileged code goes here
        logger.info("getScriptEngine() privileged");
        return MyObject.getInstance();
      }
    });

Also, I have excluded the joda-time library from the plugin jar, because it was creating a jar hell issue during installation, but I don't think it is related.

rjernst · December 18, 2018, 7:16pm

What is the actual stacktrace you receive? And why are you using SpecialPermission? That class is intended to reduce permissions of script invocations. By doing a check for it outside a doPrivileged, you would not have the permission granted. Finally, while I'm not sure what you are doing with DateTimeZone, be aware that we are removing joda time from Elasticsearch in 7.0 (and moving to the Java 8 time api).

poitevinpm · December 18, 2018, 7:57pm

Thank you for your response.

I was using a special permission by taking example on https://www.elastic.co/guide/en/elasticsearch/plugins/6.0/plugin-authors.html
I am using elasticsearch 6.0.1 at the moment (This is the version for the plugin), thanks for the heads up regarding java time api.

This is the stack trace:

search-6_1                            | [2018-12-18T19:44:54,520][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [] fatal error in thread [main], exiting
search-6_1                            | java.lang.ExceptionInInitializerError: null
search-6_1                            | 	[…]
search-6_1                            | 	at com.poitevinpm.elasticsearch.plugin.elasticsearch.Plugin$1.run(Plugin.java:46) ~[?:?]
search-6_1                            | 	at com.poitevinpm.elasticsearch.plugin.elasticsearch.Plugin$1.run(Plugin.java:40) ~[?:?]
search-6_1                            | 	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_151]
search-6_1                            | 	at com.poitevinpm.elasticsearch.plugin.elasticsearch.Plugin.getScriptEngine(Plugin.java:40) ~[?:?]
search-6_1                            | 	at org.elasticsearch.script.ScriptModule.<init>(ScriptModule.java:66) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.node.Node.<init>(Node.java:326) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.node.Node.<init>(Node.java:245) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:130) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:121) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:69) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | 	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.0.1.jar:6.0.1]
search-6_1                            | Caused by: java.security.AccessControlException: access denied ("org.joda.time.JodaTimePermission" "DateTimeZone.setDefault")
search-6_1                            | 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_151]
search-6_1                            | 	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_151]
search-6_1                            | 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_151]
search-6_1                            | 	at org.joda.time.DateTimeZone.setDefault(DateTimeZone.java:184) ~[joda-time-2.9.5.jar:2.9.5]
search-6_1                            | 	at com.poitevinpm.AppObjectMapper.<init>(AppObjectMapper.java:21) ~[?:?]
search-6_1                            | 	at com.poitevinpm.AppObjectMapper.<clinit>(AppObjectMapper.java:14) ~[?:?]
search-6_1                            | 	... 22 more
search-6_1 exited with code 1

rjernst · December 18, 2018, 8:15pm

This is as I expected. Don't do the check on special permission.

poitevinpm · December 18, 2018, 8:28pm

The logs I put were the ones I got when removing the SpecialPermission check. It fails at runtime because somewhere in my code there is:

DateTimeZone.setDefault(DateTimeZone.UTC);

rjernst · December 18, 2018, 8:57pm

Ok, I don't think this can work because the joda jar is provided by elasticsearch server. The permission is only granted to your plugin jar and the dependencies it provides.

Taking a step back, why are you trying to force the timezone programmatically? This could be done through java system properties by passing -Duser.timezone=UTC.

system · January 15, 2019, 8:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
org.elasticsearch.ThreadPermission modifyArbitraryThreadGroup Elasticsearch	4	1497	April 25, 2017
AccessControlException Despite plugin-security.policy Elasticsearch	1	1093	October 31, 2017
Plugin-security.policy has not effect Elasticsearch	10	3638	February 21, 2019
Exception while retrieving instance list from AWS API Elasticsearch	6	1771	April 7, 2018
Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") Elasticsearch	3	3254	December 15, 2017

java.security.AccessControlException: access denied ("org.joda.time.JodaTimePermission" "DateTimeZone.setDefault")

Related topics