org.elasticsearch.ThreadPermission modifyArbitraryThreadGroup

elzr_celino · March 22, 2017, 2:16am

Hi,

I am trying to develop plugin for elasticsearch 5.2.2.

The idea of the plugin is to listen to a JMS queue then create a document based on the received message from the queue. It will use the Client object passed by Plugin.createComponents method, so it can index documents.

I can not make this work right now because I am having problem with java.security.AccessControlException. I have the following permissions inside my plugin-security.policy.

grant {
	permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
	permission java.lang.RuntimePermission "getClassLoader";
	permission java.lang.RuntimePermission "setContextClassLoader";
	permission org.elasticsearch.ThreadPermission "modifyArbitraryThreadGroup";
	permission org.elasticsearch.ThreadPermission "modifyArbitraryThread";
};

And I am calling the indexing operation via AccessController.doPrivileged:

private Client client;
public void onMessage(Message messge) {
  AccessController.doPrivileged(new PrivilegedAction<Void>() {
  //perform indexing using the client.
});
}

But still, I am getting an error on java.security.AccessControlException:

org.elasticsearch.transport.RemoteTransportException: [wWaQrVv][127.0.0.1:8300][indices:data/write/index[p]]
Caused by: java.security.AccessControlException: access denied ("org.elasticsearch.ThreadPermission" "modifyArbitraryThreadGroup")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_112]
	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_112]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_112]
	at org.elasticsearch.SecureSM.checkThreadGroupAccess(SecureSM.java:194) ~[securesm-1.1.jar:5.2.2]
	at org.elasticsearch.SecureSM.checkAccess(SecureSM.java:141) ~[securesm-1.1.jar:5.2.2]
	at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:315) ~[?:1.8.0_112]
	at java.lang.Thread.init(Thread.java:391) ~[?:1.8.0_112]
	at java.lang.Thread.init(Thread.java:349) ~[?:1.8.0_112]
	at java.lang.Thread.<init>(Thread.java:675) ~[?:1.8.0_112]
	at org.elasticsearch.common.util.concurrent.EsExecutors$EsThreadFactory.newThread(EsExecutors.java:173) ~[elasticsearch-5.2.2.jar:5.2.2]
	at java.util.concurrent.ThreadPoolExecutor$Worker.<init>(ThreadPoolExecutor.java:612) ~[?:1.8.0_112]
	at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:925) ~[?:1.8.0_112]
	at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1357) ~[?:1.8.0_112]
	at org.elasticsearch.common.util.concurrent.EsThreadPoolExecutor.doExecute(EsThreadPoolExecutor.java:94) ~[elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.common.util.concurrent.EsThreadPoolExecutor.execute(EsThreadPoolExecutor.java:89) ~[elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.transport.TransportService.sendLocalRequest(TransportService.java:606) ~[elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.transport.TransportService.access$000(TransportService.java:72) ~[elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.transport.TransportService$3.sendRequest(TransportService.java:131) ~[elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.transport.TransportService.sendRequestInternal(TransportService.java:554) ~[elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.transport.TransportService.sendRequest(TransportService.java:485) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.transport.TransportService.sendRequest(TransportService.java:473) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.support.replication.TransportReplicationAction$ReroutePhase.performAction(TransportReplicationAction.java:727) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.support.replication.TransportReplicationAction$ReroutePhase.performLocalAction(TransportReplicationAction.java:646) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.support.replication.TransportReplicationAction$ReroutePhase.doRun(TransportReplicationAction.java:634) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.support.replication.TransportReplicationAction.doExecute(TransportReplicationAction.java:146) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.index.TransportIndexAction.innerExecute(TransportIndexAction.java:156) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.index.TransportIndexAction.doExecute(TransportIndexAction.java:136) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.index.TransportIndexAction.doExecute(TransportIndexAction.java:68) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:173) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:145) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:87) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:75) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:64) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:403) [elasticsearch-5.2.2.jar:5.2.2]
	at org.elasticsearch.client.support.AbstractClient.index(AbstractClient.java:415) [elasticsearch-5.2.2.jar:5.2.2]
	...
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]

ywelsch · March 24, 2017, 9:24am

Why are you doing the indexing operation in a doPrivileged block?

elzr_celino · March 28, 2017, 2:21am

I thought that would fix my issue with AccessControlException. But still, I get the same problem. Any thoughts on how I could fix this?

    [2017-03-28T10:15:35,506][WARN ][o.h.j.client             ] HQ122001: Unhandled exception thrown from onMessage
java.security.AccessControlException: access denied ("org.elasticsearch.ThreadPermission" "modifyArbitraryThreadGroup")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_112]
	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_112]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_112]
	at org.elasticsearch.SecureSM.checkThreadGroupAccess(SecureSM.java:194) ~[securesm-1.1.jar:5.2.2]
	at org.elasticsearch.SecureSM.checkAccess(SecureSM.java:141) ~[securesm-1.1.jar:5.2.2]
	at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:315) ~[?:1.8.0_112]
	at java.lang.Thread.init(Thread.java:391) ~[?:1.8.0_112]
	at java.lang.Thread.init(Thread.java:349) ~[?:1.8.0_112]
	at java.lang.Thread.<init>(Thread.java:675) ~[?:1.8.0_112]
	at org.elasticsearch.common.util.concurrent.EsExecutors$EsThreadFactory.newThread(EsExecutors.java:173) ~[elasticsearch-5.2.2.jar:5.2.2]

ywelsch · March 28, 2017, 2:50pm

you need to provide additional context here. A plugin that uses the client to index a document does not require to do this in a doPrivileged block (see e.g. Reindex plugin/module).

system · April 25, 2017, 2:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot give custom plugin permission org.elasticsearch.secure_sm.ThreadPermission "modifyArbitraryThreadGroup" Elasticsearch	1	305	January 4, 2023
Security Policy: AccessControlException Elasticsearch	5	3201	September 5, 2017
Permission denied error in plugin for ES 2.2.0 Elasticsearch	6	6488	July 5, 2017
AccessControlException while using a custom caching library in x-pack plugin Elasticsearch	9	2286	October 2, 2018
Plugin jars security policy Elasticsearch	9	3682	July 5, 2017

org.elasticsearch.ThreadPermission modifyArbitraryThreadGroup

Related topics