Pluggin securyti java

Hello everyone from elastic
I have difficulties in java security to connect to the MSSQLServer database
I have already edited the plugin-security.policy [1] and performed the installation [2], but the error [3] occurs when uploading elasticsearch.
I tested the java code a [4] and java code b [5] but the same error occurs [3].

Best regards,

Alder Pinheiro Ramos

  1. File plugin-security.policy
grant {
    permission java.security.AllPermission;
};
  1. Instalation
PS C:\Alder\ELK\elasticsearch-7.8.1\bin> .\elasticsearch-plugin.bat install file:///C:/Alder/ELK/plugin_elastic/ner-amazoninf-plugin-0.0.2-SNAPSHOT.zip
-> Installing file:///C:/Alder/ELK/plugin_elastic/ner-amazoninf-plugin-0.0.2-SNAPSHOT.zip
-> Downloading file:///C:/Alder/ELK/plugin_elastic/ner-amazoninf-plugin-0.0.2-SNAPSHOT.zip
[=================================================] 100%  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.security.AllPermission <all permissions> <all actions>
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
-> Installed ner-amazoninf-plugin
  1. Error log
[2021-04-01T09:08:50,303][ERROR][b.a.p.n.NerAmazoninfService] [node1] Erro ao obter conexao
java.security.AccessControlException: access denied ("java.net.SocketPermission" "192.168.1.15:1433" "connect,resolve")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
        at java.security.AccessController.checkPermission(AccessController.java:1036) ~[?:?]
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:408) ~[?:?]
        at java.lang.SecurityManager.checkConnect(SecurityManager.java:910) ~[?:?]
        at com.microsoft.sqlserver.jdbc.SQLServerConnectionSecurityManager.checkConnect(SQLServerConnection.java:6398) ~[mssql-jdbc-7.4.1.jre8.jar:?]
        at com.microsoft.sqlserver.jdbc.ServerPortPlaceHolder.doSecurityCheck(FailOverInfo.java:152) ~[mssql-jdbc-7.4.1.jre8.jar:?]
        at com.microsoft.sqlserver.jdbc.ServerPortPlaceHolder.<init>(FailOverInfo.java:135) ~[mssql-jdbc-7.4.1.jre8.jar:?]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.primaryPermissionCheck(SQLServerConnection.java:2410) ~[mssql-jdbc-7.4.1.jre8.jar:?]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2126) ~[mssql-jdbc-7.4.1.jre8.jar:?]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1993) ~[mssql-jdbc-7.4.1.jre8.jar:?]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1164) ~[mssql-jdbc-7.4.1.jre8.jar:?]
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:760) ~[mssql-jdbc-7.4.1.jre8.jar:?]
        at java.sql.DriverManager.getConnection(DriverManager.java:677) ~[java.sql:?]
        at java.sql.DriverManager.getConnection(DriverManager.java:228) ~[java.sql:?]
        at br.amazoninf.plugin.nlp.ConnectionFactory.getConnection(ConnectionFactory.java:46) [ner-amazoninf-plugin-0.0.2-SNAPSHOT.jar:0.0.2-SNAPSHOT]
        at br.amazoninf.plugin.nlp.ModelDao.getResumo(ModelDao.java:52) [ner-amazoninf-plugin-0.0.2-SNAPSHOT.jar:0.0.2-SNAPSHOT]
        at br.amazoninf.plugin.nlp.NerAmazoninfService.getListNF(NerAmazoninfService.java:132) [ner-amazoninf-plugin-0.0.2-SNAPSHOT.jar:0.0.2-SNAPSHOT]
        at br.amazoninf.plugin.nlp.NerAmazoninfService.<init>(NerAmazoninfService.java:74) [ner-amazoninf-plugin-0.0.2-SNAPSHOT.jar:0.0.2-SNAPSHOT]
        at br.amazoninf.plugin.nlp.NerAmazoninfPlugin.getProcessors(NerAmazoninfPlugin.java:16) [ner-amazoninf-plugin-0.0.2-SNAPSHOT.jar:0.0.2-SNAPSHOT]
        at org.elasticsearch.ingest.IngestService.processorFactories(IngestService.java:117) [elasticsearch-7.8.1.jar:7.8.1]
        at org.elasticsearch.ingest.IngestService.<init>(IngestService.java:99) [elasticsearch-7.8.1.jar:7.8.1]
  1. Java code a
SecurityManager sm = System.getSecurityManager();
		if (sm != null) {
			// unprivileged code such as scripts do not have SpecialPermission
			sm.checkPermission(new SpecialPermission());
		}

		AccessController.doPrivileged(new PrivilegedAction<Connection>() {

			@Override
			public Connection run() {
				try {
					DriverManager.registerDriver(new SQLServerDriver());
					conn = DriverManager.getConnection("jdbc:sqlserver://192.168.1.15;databaseName=Aizon2", "sa",
							"@aizon@1234?");

				} catch (Exception e) {
					logger.error("Erro ao obter conexao", e);
				}

				return conn;
			}
		});
		

  1. Java code b
		try {
			DriverManager.registerDriver(new SQLServerDriver());
			conn = DriverManager.getConnection("jdbc:sqlserver://192.168.1.15;databaseName=Aizon2", "sa",
					"@aizon@1234?");

		} catch (Exception e) {
			logger.error("Erro ao obter conexao", e);
		}

I solved part of the problem by editing the plugin-security.policy file

grant {
  permission java.net.SocketPermission "*", "accept,connect";
};

Now I'm having problems reading files from the tmp directory, I edited the plugin-security.policy file again

grant {
  permission java.net.SocketPermission "*", "accept,connect";
};

grant {
    permission java.io.FilePermission "*.*", "read,write";
};

But it didn't solve the error.

This execution can be on different operating systems, the path must cover all files.

I found this link about java.io.FilePermission
https://www.gitmemory.com/issue/elastic/elasticsearch/69464/787130704

In the future, a custom plugin will no longer be able to read/write files?

My version of elasic is 7.8.1

I tried disable security.
And edited the jvm.options file including the line below:

-Dsecurity.manager.enabled = false

But the same error occurs

[2021-04-08T08:54:38,430][INFO ][o.e.p.PluginsService     ] [node1] loaded plugin [ner-amazoninf-plugin]
[2021-04-08T08:54:38,860][INFO ][o.e.e.NodeEnvironment    ] [node1] using [1] data paths, mounts [[(C:)]], net usable_space [165.5gb], net total_space [446.5gb], types [NTFS]
[2021-04-08T08:54:38,861][INFO ][o.e.e.NodeEnvironment    ] [node1] heap size [5.9gb], compressed ordinary object pointers [true]
[2021-04-08T08:54:39,689][INFO ][o.e.n.Node               ] [node1] node name [node1], node ID [dqzy1XyUTyixfzW7J8Rh6g], cluster name [elasticsearch]
[2021-04-08T08:54:46,934][ERROR][b.a.p.n.NerAmazoninfService] [node1] Erro ao obter stream 
java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\Administrator\AppData\Local\Temp\2\D95484C5-B6EB-4CEB-ABBC-8BAF8D8F83C2.bin" "read")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
	at java.security.AccessController.checkPermission(AccessController.java:1036) ~[?:?]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:408) ~[?:?]
	at java.lang.SecurityManager.checkRead(SecurityManager.java:747) ~[?:?]
	at java.io.File.exists(File.java:815) ~[?:?]
	at br.amazoninf.plugin.nlp.NerAmazoninfService.getStream(NerAmazoninfService.java:213) [ner-amazoninf-plugin-0.0.2-SNAPSHOT.jar:0.0.2-SNAPSHOT]
	at br.amazoninf.plugin.nlp.NerAmazoninfService.getListNF(NerAmazoninfService.java:140) [ner-amazoninf-plugin-0.0.2-SNAPSHOT.jar:0.0.2-SNAPSHOT]

Sorry for the amount of messages but I need help and I am not finding solutions on the internet.

The answer from @rjernst is (emphasis is mine):

Thanks again for the report. I've restored the ability to grant FilePermission read from plugins for now. We will restrict this again in the future, as I described above, so I suggest you do switch to using a symlink, and then the FilePermission in your own policy can just disappear in the future when that change occurs.

I think (and hope) that you can't do that. Disabling security protections seems to be a bad idea in general IMHO.

I think that the code you wrote in 4 looks correct.

So that looks ok now.

I'm not sure but I don't think you can read from any dir on the file system. I believe that if you can read something, that should be only inside the config dir and subdirs IMHO. But hopefully @rjernst might tell...

1 Like