java.security.AccessControlException for plugin


(Makeyang) #1

I build a plugin of my own and the plugin layout is below:
${plugin_root}/dict(this is a folder)
${plugin_root}/plugin-descriptor.properties
${plugin_root}/plugin-security.policy
${plugin_root}/a.jar
${plugin_root}/b.jar

and this plugin needs to read/write folder ${plugin_root}/dict. so the content of plugin-security.policy is below:
grant {
permission java.io.FilePermission "-", "read";
permission java.io.FilePermission "-", "write";
};

but when running the plugin, it throw exception below:
java.security.AccessControlException: access denied ("java.io.FilePermission" "${es-root}/plugins/token-lucene/dict" "write")

can anybody help to modified the policy file to pass this security check?


(David Pilato) #2

I don't know TBH but what I did in the past to solve a similar issue was by moving all my files to config/pluginname/ dir.

That might help.

Also another "hack" is to reference the dir you want to use as a path.repo one. Nasty hack but it works for my tests. :smiley:


(Makeyang) #3

@dadoonet
when I move pluginname from pluin folder to config folder, the ES won't fetch this plugin


(David Pilato) #4

That's not what I meant. Sorry if it was unclear.

I was saying that you should put the dict part under config/pluginname/dict for example.
The rest of the plugin should stay under $ES_HOME/plugins.

That should work I think.


(Ryan Ernst) #5

Why are you trying to write something from your plugin per node? Should this instead be stored in the cluster state? Otherwise losing a node, you might lose what was written locally, or have discrepancies between nodes.


(Makeyang) #6

it's a analysis plugin which is responsiable for segmentation. so this read/write is for corpus update/load


(Makeyang) #7

help guys:
this time I try to create class dynamic in plugin and it throws exception below:
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_111]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_111]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_111]
at java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1528) ~[?:1.8.0_111]
at java.lang.Thread.getContextClassLoader(Thread.java:1440) ~[?:1.8.0_111]
at com.jd.jsf.gd.util.ClassLoaderUtils.getCurrentClassLoader(ClassLoaderUtils.java:43) ~[?:?]
at com.jd.jsf.gd.util.ClassLoaderUtils.forName(ClassLoaderUtils.java:97) ~[?:?]
at com.jd.jsf.gd.util.ClassLoaderUtils.forName(ClassLoaderUtils.java:81) ~[?:?]
at com.jd.jsf.gd.config.AbstractConsumerConfig.getProxyClass(AbstractConsumerConfig.java:215) ~[?:?]
at com.jd.jsf.gd.config.ConsumerConfig.refer(Consu
merConfig.java:91) ~[?:?]

my policy file is below:
grant {
permission java.lang.RuntimePermission "", "";
};


(David Pilato) #8

Please format your code using </> icon as explained in this guide. It will make your post more readable.

Or use markdown style like:

```
CODE
```

Did you read https://www.elastic.co/guide/en/elasticsearch/plugins/current/plugin-authors.html#plugin-authors-jsm and wrapped your code as explained?


(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.