Using Jackson to parse JSON in an ingest processor

pdesoyres · June 27, 2017, 8:15am

Hello,

I'm writing an ingest processor that has a JSON string as input. I'm using Jackson library to read that string but it seams that there are some limitation on the usage of the java reflection API. I'm getting the following error :

com.fasterxml.jackson.databind.JsonMappingException: Can not access public com.lingway.xtirp.domain.RootLayerDTO() (from class com.lingway.xtirp.domain.RootLayerDTO; failed to set access: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")

As you can see the Reflection API tells me that the public empty constructor cannot be accessed due to the ReflectPermission restriction "suppressAccessChecks".

Does Elasticsearch sets those restriction ?
Is there an alternative for JSON parsing in ingest processor ?

Any help would be apreciate. Thanks.

Pierre

I'm using elasticsearch 5.4.2

rjernst · June 27, 2017, 10:24pm

Scripts in elasticsearch run in a sandbox with limited privileges. In ES 5.x, you could try using groovy's builtin json parsing (I have not tried this, and it may result in more reflective failures, but it may be worth a try). That assumes you specify the script lang as groovy, which will be removed for 6.0. In 6.0, we are working on adding context specific (eg just for ingest scripts) whitelisting which would allow extra methods like this.

rjernst · June 27, 2017, 10:25pm

Another interim option is to write a native script plugin, where you could include any library/permissions you want. See https://www.elastic.co/guide/en/elasticsearch/reference/master/modules-scripting-engine.html.

pdesoyres · June 28, 2017, 7:15am

Thank you Ryan,

also I think I had to read https://www.elastic.co/guide/en/elasticsearch/plugins/5.4/plugin-authors.html#plugin-authors-jsm

pdesoyres · June 28, 2017, 9:18am

For those who are interested, I found the solution :

1- place a plugin-security.policy file alongside the plugin descriptor file :

grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

2- Encapsulate the code using Jackson with java.security.AccessController.doPrivileged :

AccessController.doPrivileged((PrivilegedAction<RootLayerDTO>) () -> {
    ...
});

rjernst · June 28, 2017, 9:39pm

Are you using groovy or painless?

pdesoyres · June 28, 2017, 10:15pm

I am using Java to write my own ingest processor plugin

system · July 26, 2017, 10:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.