Running ES 2.3.3 on openjdk 8u92 with the following policy file (with -Djava.security.policy=java.policy):
grant {
    permission org.elasticsearch.script.ClassPermission "*";
};
produces this exception while I try to execute the script:
"caused_by":{"type":"script_exception","reason":"failed to run file script [report] using lang [groovy]","caused_by":{"type":"security_exception","reason":"access denied (\"java.lang.Runtime Permission\" \"accessClassInPackage.sun.misc\")"}}},"status":400}"
This has worked before, but I can't remember whether the openjdk or the ES upgrade made it fail.
Any ideas where I should look? The scripts are stored on local disk, remote scripting is disabled, so I would like to grant all permissions to them.
After downgrading to 8u77, everything works fine again. Can I work around this somehow?
So, OpenJDK 8u77, but still Elasticsearch 2.3.3, and your script execution works?
Yes. Everything else is the same (I hope).
This is a Groovy thing. The mentioned package "sun.misc" is a Java internal API and, hence, subject to any manner of changes even in minor releases, and, unfortunately, Groovy depends on some of those, which, as you can see, it shouldn't.
Issues like this are among the reasons that developers have come up with a new scripting language, "Painless", that will be part of the ESv5.0 release.
In the meantime, maybe you could post your script here in the hopes that someone can identify the part that provokes this issue and suggest an alternative. (e.g. if you are using a closure, you could use a loop instead.)
Is there a way to add a permission for this?
I've already tried:
grant {
    permission org.elasticsearch.script.ClassPermission "*";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
};
without success.
Any idea about how this should be enabled?
Thanks,
def deepcopy(orig) {
    bos = new ByteArrayOutputStream()
    oos = new ObjectOutputStream(bos)
    oos.writeObject(orig)
    oos.flush()
    bin = new ByteArrayInputStream(bos.toByteArray())
    ois = new ObjectInputStream(bin)
    return ois.readObject()
}
This is what I try to use and what fails.
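An added example, not part of the thread and not Elasticsearch code: a deepcopy that walks the structure with plain loops instead of Java serialization, in the spirit of the suggestion above to swap out the construct that provokes the error. It assumes the data is nested Maps, Lists and Sets with immutable leaf values; the helper name copyNode and the sample data are hypothetical, and the thread does not confirm that this avoids the sun.misc access check on 8u92.

```groovy
// Deep copy without ObjectOutputStream/ObjectInputStream.
// Assumption: values are nested Maps, Lists, Sets and immutable leaves.
def deepcopy(orig) {
    // IdentityHashMap tracks already-copied containers so shared or
    // cyclic references are copied once instead of recursing forever.
    return copyNode(orig, new IdentityHashMap())
}

// copyNode is a hypothetical helper name; it uses for-loops only, no closures.
def copyNode(node, seen) {
    if (node == null || node instanceof String ||
        node instanceof Number || node instanceof Boolean) {
        return node                      // immutable leaf, safe to share
    }
    if (node instanceof CharSequence) {
        return node.toString()           // e.g. GString -> plain String
    }
    if (seen.containsKey(node)) {
        return seen.get(node)            // container already copied
    }
    if (node instanceof Map) {
        def out = new LinkedHashMap()
        seen.put(node, out)
        for (entry in node.entrySet()) {
            out.put(entry.getKey(), copyNode(entry.getValue(), seen))
        }
        return out
    }
    if (node instanceof List || node instanceof Set) {
        def out = (node instanceof List) ? new ArrayList() : new LinkedHashSet()
        seen.put(node, out)
        for (item in node) {
            out.add(copyNode(item, seen))
        }
        return out
    }
    // Fail closed on types this copy does not understand.
    throw new IllegalArgumentException("unsupported type: " + node.getClass().getName())
}

// Constructed sample data, for illustration only.
def sample = [name: "report", tags: ["a", "b"], nested: [count: 3]]
def copy = deepcopy(sample)
copy.nested.count = 4
copy.tags.add("c")
assert sample.nested.count == 3          // original is untouched
assert sample.tags.size() == 2
```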