Static groovy script and java security access control issue

elkonaut · April 27, 2016, 8:11am

Hi,

I want to use a groovy script:
1.) to calculate a value (this works) and
2.) to add the newly calculated value to the document using the update API

The script is stored in /etc/elasticsearch/scripts and I understood that in this case I do not have to think about the Java Security Manager. Is this right?

The first part of the script is working fine. However things are not working when I add the second part of the script:

def url = "http://elk:9200/testindex/testdocument/" + doc['id'] + "/_update"
def json = '{ "doc": { "testvalue":"999" } }'
def response = ["curl", "-X", "POST", "-H", "Content-Type: application/json", "-d", "${json}", "${url}"].execute().text

Executing the script I get following error message:
1.)Output from script

"reason": {
"caused_by": {
"reason": "access denied ("java.io.FilePermission" "<>" "execute")",
"type": "access_control_exception"
},
"reason": "failed to run file script [vm_lifetime_deleted] using lang [groovy]",
"type": "script_exception"

2.) In /var/log/elasticsearch/elasticsearch.log

[2016-04-27 10:05:12,435][DEBUG][action.search ] [elk] [8] Failed to execute fetch phase
RemoteTransportException[[elk][192.168.100.29:9300][indices:data/read/search[phase/fetch/id]]]; nested: ScriptException[failed to run file script [vm_lifetime_deleted] using lang [groovy]]; nested: AccessControlException[access denied ("java.io.FilePermission" "<>" "execute")];
Caused by: ScriptException[failed to run file script [vm_lifetime_deleted] using lang [groovy]]; nested: AccessControlException[access denied ("java.io.FilePermission" "<>" "execute")];
at org.elasticsearch.script.groovy.GroovyScriptEngineService$GroovyScript.run(GroovyScriptEngineService.java:320)
at org.elasticsearch.search.fetch.script.ScriptFieldsFetchSubPhase.hitExecute(ScriptFieldsFetchSubPhase.java:85)
at org.elasticsearch.search.fetch.FetchPhase.execute(FetchPhase.java:188)
at org.elasticsearch.search.SearchService.executeFetchPhase(SearchService.java:592)
at org.elasticsearch.search.action.SearchServiceTransportAction$FetchByIdTransportHandler.messageReceived(SearchServiceTransportAction.java:408)
at org.elasticsearch.search.action.SearchServiceTransportAction$FetchByIdTransportHandler.messageReceived(SearchServiceTransportAction.java:405)
at org.elasticsearch.transport.TransportRequestHandler.messageReceived(TransportRequestHandler.java:33)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:75)
at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:376)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "<>" "execute")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkExec(SecurityManager.java:799)
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1018)
at java.lang.Runtime.exec(Runtime.java:620)
at java.lang.Runtime.exec(Runtime.java:485)
at org.codehaus.groovy.runtime.ProcessGroovyMethods.execute(ProcessGroovyMethods.java:595)
at org.codehaus.groovy.runtime.ProcessGroovyMethods.execute(ProcessGroovyMethods.java:662)
at org.codehaus.groovy.runtime.dgm$895.doMethodInvoke(Unknown Source)
at org.codehaus.groovy.vmplugin.v7.IndyInterface.selectMethod(IndyInterface.java:228)
at 4aa35ba4549f50461ab4f8d973c9bf622b1510ec.run(4aa35ba4549f50461ab4f8d973c9bf622b1510ec:13)
at org.elasticsearch.script.groovy.GroovyScriptEngineService$GroovyScript$1.run(GroovyScriptEngineService.java:313)
at java.security.AccessController.doPrivileged(Native Method)
at org.elasticsearch.script.groovy.GroovyScriptEngineService$GroovyScript.run(GroovyScriptEngineService.java:310)

The same script works fine If I run it from within groovyConsole. In addtion, I tried to define a java.policy which grants all permissions (although this is not needed to my understanding).

$JAVA_HOME/lib/security/java.policy:

grant {
permission java.security.AllPermission;
};

But I still get the error message.

I highly appreciate any help.

Cheers

dakrone · April 27, 2016, 5:14pm

Can you post your script (and perhaps an example document) so we can try to reproduce this?

elkonaut · April 28, 2016, 3:55pm

Yes, following you can see the query, the script and an example document.

Query:
{
"query" : {
"query_string" : {
"query": "vm_state:deleted OR vm_state:active",
}
},
"script_fields": {
"lifetime": {
"script": {
"file": "vm_lifetime_deleted"
}
}
},
}

The script:

if(doc['vm_state'].value == "deleted") {
l1 = (doc['deleted_at'].value - doc['created_at'].value) / (1000 * 3600 * 24)
} else if(doc['vm_state'].value == "active") {
def d1 = new Date()
l1 = (d1.getTime() - doc['created_at']) / (1000 * 3600 * 24)
}

def url = "http://elk:9200/openstack/openstack/" + doc['id'] + "/_update"
def json = '{ "doc": { "lifetime":"$l1" } }'
def response = ["curl", "-X", "POST", "-H", "Content-Type: application/json", "-d", "${json}", "${url}"].execute().text

lifetime = Math.round(l1 *100)/100.0

And finally, one document:

{
"_id": "123",
"_index": "openstack",
"_source": {
"@timestamp": "2016-04-28T15:52:00.131Z",
"@version": "1",
"created_at": "2015-04-23T09:51:14.000Z",
"deleted": 123,
"deleted_at": "2015-04-23T14:16:28.000Z",
"id": 123,
"lifetime": 0,
"memory_mb": 4096,
"vm_state": "deleted"
},
"_type": "openstack",
"_version": 205,
"found": true
}

dakrone · April 28, 2016, 10:36pm

Wait, it looks like you are trying to execute a curl command from within the groovy script itself? Is this correct? If so, this is definitely not something we want to encourage! This is probably something best left to logic outside of the groovy scripting in Elasticsearch, or perhaps inplemented as a native script (see: https://github.com/imotov/elasticsearch-native-script-example/)

elkonaut · April 29, 2016, 7:46am

Ok, I'll take a look at the script linked.

Thanks