steps to remove dangerous security permissions #11898
unfortunately finds a crab in pluginmanager
improving...
I just love this idea. If we won't ever use hot reload, that's just a fantastic simplification.
Big +1. I really like to have unit tests in plugins and not (less) integration tests
@rmuir even though this is not perfect, this is a massive step in the right direction. Before I say anything else, this LGTM and should go in as it is. We can move secure mock in our codebase on core even to make things simpler? For PluginManager I think we should make classpath handling fixes a blocker for 2.0 and fix it the right way, but let's move on here... I am leaning towards making the pluginmanager a sep module anyway but that is a different story.
fully agree with @s1monw here... would love to see the secure mock in core! +1 on a blocker for fixing the plugin manager. Just as a side note... moving to CP building on the script level would be great, we just need to make sure all works well with all the packages as well (deb, rpm, etc.)
I'll spin off a separate issue for the mocking, and then come back to this one.
steps to remove dangerous security permissions
These two "unsafe-like" permissions (`sun.misc` and `reflectionFactoryAccess`) should be more contained. Removing any of these permissions is like climbing Mount Everest, but I think we can make some progress on it.

This patch:
- `sun.misc` access specifically to lucene-core.jar and jsr166e.jar.
- `reflectionFactoryAccess` and grant only to mockito (see below)

Caveats:
- `sun.misc` completely. 4 plugin tests fail, this is because PluginManager currently does evil hacks to add jars directly to the system classloader. This should be avoided (instead elasticsearch.bat/sh should simply set up correct classpath, keep this immutable!!!). But this patch is progress, because there is now just that one thing left to fix.
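
An added example, not part of this PR or the project's code: a small Python audit that reads a Java security policy and reports which of the two permissions are granted without a `codeBase`, that is, to all code rather than to named jars. The policy texts and jar paths are constructed, and `sun.misc` is assumed to appear in the policy as the `accessClassInPackage.sun.misc` RuntimePermission target.

```python
import re

# The two "unsafe-like" RuntimePermission targets named in the description.
SENSITIVE = {"accessClassInPackage.sun.misc", "reflectionFactoryAccess"}

# grant header (quoted strings may contain braces), then body up to "};"
GRANT_RE = re.compile(r'grant\b(?P<head>(?:[^{"]|"[^"]*")*)\{(?P<body>.*?)\}\s*;', re.S)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"', re.I)
PERM_RE = re.compile(r'permission\s+java\.lang\.RuntimePermission\s+"([^"]+)"')

# Constructed sample: both permissions granted to every class loaded.
BEFORE = '''
grant {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
  permission java.lang.RuntimePermission "reflectionFactoryAccess";
};
'''

# Constructed sample: same permissions, scoped per jar (paths are placeholders).
AFTER = '''
// sun.misc only for the jars that need it
grant codeBase "file:/opt/app/lib/lucene-core.jar" {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
};
grant codeBase "file:/opt/app/lib/jsr166e.jar" {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
};
grant codeBase "file:/opt/app/test-lib/mockito.jar" {
  permission java.lang.RuntimePermission "reflectionFactoryAccess";
};
'''

def sensitive_grants(policy_text):
    """Return {permission: set of codeBase URLs, with None for an unscoped grant}."""
    # Drop whole-line // comments only, so "file://..." URLs stay intact.
    text = re.sub(r"^\s*//.*$", "", policy_text, flags=re.M)
    found = {}
    for grant in GRANT_RE.finditer(text):
        cb = CODEBASE_RE.search(grant.group("head"))
        scope = cb.group(1) if cb else None
        for name in PERM_RE.findall(grant.group("body")):
            if name in SENSITIVE:
                found.setdefault(name, set()).add(scope)
    return found

def unscoped(policy_text):
    """Sensitive permissions granted without a codeBase, i.e. to all code."""
    return sorted(p for p, s in sensitive_grants(policy_text).items() if None in s)

if __name__ == "__main__":
    print("before:", unscoped(BEFORE))
    print("after: ", unscoped(AFTER))
```

Run in CI against the shipped policy file, a non-empty `unscoped()` result flags a regression to a global grant.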