Why plugin-security.policy file has no effect?


(thefourtheye) #1

I am trying out a custom plugin with ES-2.2.0 and JDK-1.8. After the zip creation, the plugin-security.policy file is at the root level, and it looks like this

grant {
    permission java.lang.RuntimePermission "getClassLoader";
};

I had to include this, because one of my Service classes does,

InputStream stream = Thread.currentThread()
      .getContextClassLoader()
      .getResourceAsStream("conf/myplugin.properties");

Now, when I install the plugin, I get the message

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission getClassLoader
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

  Continue with installation? [y/N]

I respond with y and then the installation is successful. When I restart the ES, I get the following error in /var/log/elasticsearch.log file

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader") 
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) 
  at java.security.AccessController.checkPermission(AccessController.java:884)   
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)         
  at java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1525)     
  at java.lang.Thread.getContextClassLoader(Thread.java:1436)                    

What could be the problem and how can I fix this?


(Ddbullfrog) #2

I am facing a similar issue. Have you found a solution for it? Thanks, Dong


(Jason Tedor) #3

You need to execute the above code inside an AccessController.doPrivileged block. See also the javadocs for AccessController. Make sure that you understand this stuff very carefully before proceeding; you do not want to get security wrong. This is not for the faint of heart.
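
An added example, not code from this thread or from Elasticsearch: the resource lookup from post #1 wrapped in the doPrivileged block that post #3 describes. A Java permission check consults every protection domain on the call stack, not only the plugin's, and doPrivileged ends that walk at the plugin's own frame so the grant in plugin-security.policy can take effect. The class name MyPluginConfig is hypothetical; only the resource path comes from the thread.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Properties;

// Hypothetical service class for illustration; not part of any real plugin.
public final class MyPluginConfig {

    // Fixed resource name: nothing caller-supplied reaches the privileged block.
    private static final String RESOURCE = "conf/myplugin.properties";

    private MyPluginConfig() {}

    public static Properties load() {
        // The cast selects the PrivilegedAction overload of doPrivileged.
        return AccessController.doPrivileged((PrivilegedAction<Properties>) () -> {
            ClassLoader cl = Thread.currentThread().getContextClassLoader();
            if (cl == null) {
                // The context class loader may be unset on some threads.
                cl = MyPluginConfig.class.getClassLoader();
            }
            Properties props = new Properties();
            try (InputStream in = cl.getResourceAsStream(RESOURCE)) {
                if (in == null) {
                    throw new IllegalStateException(RESOURCE + " not found on classpath");
                }
                props.load(in);
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
            // Only the parsed data leaves the block, never the ClassLoader itself.
            return props;
        });
    }

    public static void main(String[] args) {
        try {
            System.out.println(load().stringPropertyNames());
        } catch (IllegalStateException e) {
            // Expected when run outside the plugin, where the resource is absent.
            System.out.println(e.getMessage());
        }
    }
}
```

Keeping the privileged block this narrow matters: any code that can call into a wider block borrows the plugin's permissions for whatever that block does.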


(thefourtheye) #4

Thanks. It worked. I think the documentation can be expanded with a working example.

