Using Jackson to parse JSON in an ingest processor


I'm writing an ingest processor that has a JSON string as input. I'm using Jackson library to read that string but it seams that there are some limitation on the usage of the java reflection API. I'm getting the following error :

com.fasterxml.jackson.databind.JsonMappingException: Can not access public com.lingway.xtirp.domain.RootLayerDTO() (from class com.lingway.xtirp.domain.RootLayerDTO; failed to set access: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")

As you can see the Reflection API tells me that the public empty constructor cannot be accessed due to the ReflectPermission restriction "suppressAccessChecks".

Does Elasticsearch sets those restriction ?
Is there an alternative for JSON parsing in ingest processor ?

Any help would be apreciate. Thanks.


I'm using elasticsearch 5.4.2

Scripts in elasticsearch run in a sandbox with limited privileges. In ES 5.x, you could try using groovy's builtin json parsing (I have not tried this, and it may result in more reflective failures, but it may be worth a try). That assumes you specify the script lang as groovy, which will be removed for 6.0. In 6.0, we are working on adding context specific (eg just for ingest scripts) whitelisting which would allow extra methods like this.

Another interim option is to write a native script plugin, where you could include any library/permissions you want. See

Thank you Ryan,

also I think I had to read

For those who are interested, I found the solution :

1- place a plugin-security.policy file alongside the plugin descriptor file :

grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

2- Encapsulate the code using Jackson with :

AccessController.doPrivileged((PrivilegedAction<RootLayerDTO>) () -> {

Are you using groovy or painless?

I am using Java to write my own ingest processor plugin

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.