Previously working groovy script fails

Attila_Nagy · July 9, 2016, 1:00pm

Running ES 2.3.3 on openjdk 8u92 with the following policy file (with -Djava.security.policy=java.policy):
grant {
permission org.elasticsearch.script.ClassPermission "*";
};

produces this exception while I try to execute the script:
"caused_by":{"type":"script_exception","reason":"failed to run file script [report] using lang [groovy]","caused_by":{"type":"security_exception","reason":"access denied (\"java.lang.Runtime Permission\" \"accessClassInPackage.sun.misc\")"}}},"status":400}"

This has worked before, but I can't remember whether the openjdk or the ES upgrade made it fail.
Any ideas where should I look? The scripts are stored on local disk, remote scripting is disabled, so I would like to grant all permissions to them.

Attila_Nagy · July 9, 2016, 2:07pm

After downgrading to 8u77, everything works fine again. Can I work this around somehow?

Glen_Smith · July 9, 2016, 4:46pm

So, OpenJDK 8u77, but still Elasticsearch 2.3.3, and your script execution works?

Attila_Nagy · July 9, 2016, 4:47pm

Yes. Everything else is the same (I hope).

Glen_Smith · July 9, 2016, 5:37pm

This is a Groovy thing. The mentioned package "sun.misc" is a Java internal API and, hence, subject to any manner of changes even in minor releases, and, unfortunately, Groovy depends on some of those, which, as you can see, it shouldn't.

Issues like this are among the reasons that developers have come up with a new scripting language, "Painless", that will be part of the ESv5.0 release.

In the meantime, maybe you could post your script here in the hopes that someone can identify the part that provokes this issue and suggest an alternative. (e.g. if you are using a closure, you could use a loop instead.)

Attila_Nagy · July 9, 2016, 5:52pm

Is there a way to add a permission for this?
I've already tried:
grant {
permission org.elasticsearch.script.ClassPermission "*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
};
without success.

Attila_Nagy · July 12, 2016, 7:44am

Any idea about how this should be enabled?

Thanks,

Attila_Nagy · July 18, 2016, 12:32pm

def deepcopy(orig) { bos = new ByteArrayOutputStream() oos = new ObjectOutputStream(bos) oos.writeObject(orig); oos.flush() bin = new ByteArrayInputStream(bos.toByteArray()) ois = new ObjectInputStream(bin) return ois.readObject() }

This is what I try to use and what fails.