From 09ff11812ee07a88a5ef5b551c62b19f43933795 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Fri, 1 May 2015 14:58:18 -0400 Subject: [PATCH 01/12] add debugging --- .../org/elasticsearch/bootstrap/Security.java | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java index 67ac531f0e7e3..d5910e36202a5 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -20,8 +20,10 @@ package org.elasticsearch.bootstrap; import com.google.common.io.ByteStreams; + import org.apache.lucene.util.IOUtils; import org.apache.lucene.util.StringHelper; +import org.elasticsearch.common.SuppressForbidden; import org.elasticsearch.env.Environment; import java.io.*; @@ -29,6 +31,9 @@ import java.nio.file.Files; import java.nio.file.NoSuchFileException; import java.nio.file.Path; +import java.security.NoSuchAlgorithmException; +import java.security.Policy; +import java.security.URIParameter; /** * Initializes securitymanager with necessary permissions. @@ -45,6 +50,7 @@ class Security { * Initializes securitymanager for the environment * Can only happen once! */ + @SuppressForbidden(reason = "just debugging") static void configure(Environment environment) throws IOException { // init lucene random seed. it will use /dev/urandom where available. StringHelper.randomId(); @@ -54,8 +60,19 @@ static void configure(Environment environment) throws IOException { } Path newConfig = processTemplate(config, environment); System.setProperty("java.security.policy", newConfig.toString()); + try { + Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(newConfig.toUri())); + System.out.println(policy.getPermissions(Security.class.getProtectionDomain())); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException(); + } System.setSecurityManager(new SecurityManager()); - IOUtils.deleteFilesIgnoringExceptions(newConfig); // TODO: maybe log something if it fails? + try { + // don't hide securityexception here, it means java.io.tmpdir is not accessible! + Files.delete(newConfig); + } catch (IOException ignore) { + // e.g. virus scanner on windows + } } // package-private for testing From 6e6949d3f4183f223b2b74553b9400d28e3aaaed Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Fri, 1 May 2015 15:47:50 -0400 Subject: [PATCH 02/12] Add debugging when security init screws up (or at trace level if you wish) --- .../org/elasticsearch/bootstrap/Security.java | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java index d5910e36202a5..49c2bccf82732 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -21,9 +21,9 @@ import com.google.common.io.ByteStreams; -import org.apache.lucene.util.IOUtils; import org.apache.lucene.util.StringHelper; -import org.elasticsearch.common.SuppressForbidden; +import org.elasticsearch.common.logging.ESLogger; +import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.env.Environment; import java.io.*; @@ -32,6 +32,7 @@ import java.nio.file.NoSuchFileException; import java.nio.file.Path; import java.security.NoSuchAlgorithmException; +import java.security.PermissionCollection; import java.security.Policy; import java.security.URIParameter; @@ -50,8 +51,8 @@ class Security { * Initializes securitymanager for the environment * Can only happen once! */ - @SuppressForbidden(reason = "just debugging") static void configure(Environment environment) throws IOException { + ESLogger log = Loggers.getLogger(Security.class); // init lucene random seed. it will use /dev/urandom where available. StringHelper.randomId(); InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE); @@ -60,16 +61,23 @@ static void configure(Environment environment) throws IOException { } Path newConfig = processTemplate(config, environment); System.setProperty("java.security.policy", newConfig.toString()); + // retrieve the parsed policy we created: its useful if something goes wrong + Policy policy = null; try { - Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(newConfig.toUri())); - System.out.println(policy.getPermissions(Security.class.getProtectionDomain())); - } catch (NoSuchAlgorithmException e) { - throw new RuntimeException(); + policy = Policy.getInstance("JavaPolicy", new URIParameter(newConfig.toUri())); + } catch (NoSuchAlgorithmException impossible) { + throw new RuntimeException(impossible); } + PermissionCollection permissions = policy.getPermissions(Security.class.getProtectionDomain()); + log.trace("generated permissions: {}", permissions); + System.setSecurityManager(new SecurityManager()); try { // don't hide securityexception here, it means java.io.tmpdir is not accessible! Files.delete(newConfig); + } catch (SecurityException broken) { + log.error("unable to properly access temporary files, permissions: {}", permissions); + throw broken; } catch (IOException ignore) { // e.g. virus scanner on windows } From dbcdb40f68c3b85f9dda3c28a5796a7205d70079 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Fri, 1 May 2015 16:02:00 -0400 Subject: [PATCH 03/12] fix sigar policy line that cannot be really working --- src/main/resources/org/elasticsearch/bootstrap/security.policy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/resources/org/elasticsearch/bootstrap/security.policy b/src/main/resources/org/elasticsearch/bootstrap/security.policy index ffc0032d4a09a..4b9b9699e80a8 100644 --- a/src/main/resources/org/elasticsearch/bootstrap/security.policy +++ b/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -34,7 +34,7 @@ grant { // project base directory permission java.io.FilePermission "${project.basedir}${/}target${/}-", "read"; // read permission for lib sigar - permission java.io.FilePermission "${project.basedir}${/}lib/sigar{/}-", "read"; + permission java.io.FilePermission "${project.basedir}${/}lib${/}sigar${/}-", "read"; // mvn custom ./m2/repository for dependency jars permission java.io.FilePermission "${m2.repository}${/}-", "read"; From 50a785c5463e1e810d6cdaf6ab25662579a14024 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Fri, 1 May 2015 16:41:49 -0400 Subject: [PATCH 04/12] add a hack to see if this fixes windows issues --- src/main/resources/org/elasticsearch/bootstrap/security.policy | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/resources/org/elasticsearch/bootstrap/security.policy b/src/main/resources/org/elasticsearch/bootstrap/security.policy index 4b9b9699e80a8..0b88aba449de6 100644 --- a/src/main/resources/org/elasticsearch/bootstrap/security.policy +++ b/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -28,6 +28,7 @@ grant { // temporary files permission java.io.FilePermission "${java.io.tmpdir}", "read,write"; + permission java.io.FilePermission "${java.io.tmpdir}-", "read,write,delete"; permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete"; // paths used for running tests From db003a0b32de7dcd499f71a5d15f6accd20b2590 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Sat, 2 May 2015 10:52:27 -0400 Subject: [PATCH 05/12] remove hack --- src/main/resources/org/elasticsearch/bootstrap/security.policy | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main/resources/org/elasticsearch/bootstrap/security.policy b/src/main/resources/org/elasticsearch/bootstrap/security.policy index 0b88aba449de6..4b9b9699e80a8 100644 --- a/src/main/resources/org/elasticsearch/bootstrap/security.policy +++ b/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -28,7 +28,6 @@ grant { // temporary files permission java.io.FilePermission "${java.io.tmpdir}", "read,write"; - permission java.io.FilePermission "${java.io.tmpdir}-", "read,write,delete"; permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete"; // paths used for running tests From ff44f45af160b5ccdf0a0362c4e0215431f5e1ed Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Sat, 2 May 2015 12:08:46 -0400 Subject: [PATCH 06/12] log this --- src/main/java/org/elasticsearch/bootstrap/Security.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java index 49c2bccf82732..7f3b450cbc043 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -53,6 +53,7 @@ class Security { */ static void configure(Environment environment) throws IOException { ESLogger log = Loggers.getLogger(Security.class); + log.info("java.io.tmpdir: {}", System.getProperty("java.io.tmpdir")); // init lucene random seed. it will use /dev/urandom where available. StringHelper.randomId(); InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE); From e1238c5e4c722498b5e6515a932d7cbd8018bd87 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Sat, 2 May 2015 12:11:33 -0400 Subject: [PATCH 07/12] add 2 more x --- src/main/java/org/elasticsearch/bootstrap/Security.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java index 7f3b450cbc043..f0181fee2439f 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -71,12 +71,14 @@ static void configure(Environment environment) throws IOException { } PermissionCollection permissions = policy.getPermissions(Security.class.getProtectionDomain()); log.trace("generated permissions: {}", permissions); - + log.info("java.io.tmpdir: {}", System.getProperty("java.io.tmpdir")); + System.setSecurityManager(new SecurityManager()); try { // don't hide securityexception here, it means java.io.tmpdir is not accessible! Files.delete(newConfig); } catch (SecurityException broken) { + log.info("java.io.tmpdir: {}", System.getProperty("java.io.tmpdir")); log.error("unable to properly access temporary files, permissions: {}", permissions); throw broken; } catch (IOException ignore) { From bdd6d9c705ad0a2176364a7dc06e7af8bcb6cba2 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Sat, 2 May 2015 12:27:38 -0400 Subject: [PATCH 08/12] heisenbug --- src/main/java/org/elasticsearch/bootstrap/Security.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java index f0181fee2439f..2a216626c6699 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -53,7 +53,8 @@ class Security { */ static void configure(Environment environment) throws IOException { ESLogger log = Loggers.getLogger(Security.class); - log.info("java.io.tmpdir: {}", System.getProperty("java.io.tmpdir")); + //String prop = System.getProperty("java.io.tmpdir"); + //log.trace("java.io.tmpdir {}", prop); // init lucene random seed. it will use /dev/urandom where available. StringHelper.randomId(); InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE); @@ -71,14 +72,12 @@ static void configure(Environment environment) throws IOException { } PermissionCollection permissions = policy.getPermissions(Security.class.getProtectionDomain()); log.trace("generated permissions: {}", permissions); - log.info("java.io.tmpdir: {}", System.getProperty("java.io.tmpdir")); System.setSecurityManager(new SecurityManager()); try { // don't hide securityexception here, it means java.io.tmpdir is not accessible! Files.delete(newConfig); } catch (SecurityException broken) { - log.info("java.io.tmpdir: {}", System.getProperty("java.io.tmpdir")); log.error("unable to properly access temporary files, permissions: {}", permissions); throw broken; } catch (IOException ignore) { From 8c0d03c3ee1b45d3b21c184606d088aca18aa6d4 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Sat, 2 May 2015 12:41:38 -0400 Subject: [PATCH 09/12] add a hack for windows --- .../org/elasticsearch/bootstrap/Security.java | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java index 2a216626c6699..536ccd47908e4 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -31,10 +31,6 @@ import java.nio.file.Files; import java.nio.file.NoSuchFileException; import java.nio.file.Path; -import java.security.NoSuchAlgorithmException; -import java.security.PermissionCollection; -import java.security.Policy; -import java.security.URIParameter; /** * Initializes securitymanager with necessary permissions. @@ -53,8 +49,6 @@ class Security { */ static void configure(Environment environment) throws IOException { ESLogger log = Loggers.getLogger(Security.class); - //String prop = System.getProperty("java.io.tmpdir"); - //log.trace("java.io.tmpdir {}", prop); // init lucene random seed. it will use /dev/urandom where available. StringHelper.randomId(); InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE); @@ -63,22 +57,12 @@ static void configure(Environment environment) throws IOException { } Path newConfig = processTemplate(config, environment); System.setProperty("java.security.policy", newConfig.toString()); - // retrieve the parsed policy we created: its useful if something goes wrong - Policy policy = null; - try { - policy = Policy.getInstance("JavaPolicy", new URIParameter(newConfig.toUri())); - } catch (NoSuchAlgorithmException impossible) { - throw new RuntimeException(impossible); - } - PermissionCollection permissions = policy.getPermissions(Security.class.getProtectionDomain()); - log.trace("generated permissions: {}", permissions); - System.setSecurityManager(new SecurityManager()); try { // don't hide securityexception here, it means java.io.tmpdir is not accessible! Files.delete(newConfig); } catch (SecurityException broken) { - log.error("unable to properly access temporary files, permissions: {}", permissions); + log.error("unable to properly access temporary files, run with -Djava.security.debug=policy for more information"); throw broken; } catch (IOException ignore) { // e.g. virus scanner on windows @@ -108,6 +92,11 @@ static Path processTemplate(InputStream template, Environment environment) throw addPath(writer, environment.configFile(), "read,readlink,write,delete"); addPath(writer, environment.logsFile(), "read,readlink,write,delete"); addPath(writer, environment.pluginsFile(), "read,readlink,write,delete"); + + // generate explicit perms for actual temp dir: + // (in case there is java.io.tmpdir sheistiness on windows) + addPath(writer, processed.getParent(), "read,readlink,write,delete"); + for (Path path : environment.dataFiles()) { addPath(writer, path, "read,readlink,write,delete"); } From 86fc8ceac71fbcfe95d6675eeb6b2ffc2cb71d41 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Sat, 2 May 2015 14:42:06 -0400 Subject: [PATCH 10/12] simplify security rules --- .../org/elasticsearch/bootstrap/Security.java | 137 ++++++++---------- .../bootstrap/SecurityTests.java | 36 ++--- 2 files changed, 78 insertions(+), 95 deletions(-) diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java index 536ccd47908e4..a9eedb7816a12 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -19,18 +19,19 @@ package org.elasticsearch.bootstrap; -import com.google.common.io.ByteStreams; - import org.apache.lucene.util.StringHelper; -import org.elasticsearch.common.logging.ESLogger; -import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.env.Environment; import java.io.*; -import java.nio.charset.StandardCharsets; +import java.net.URI; import java.nio.file.Files; -import java.nio.file.NoSuchFileException; import java.nio.file.Path; +import java.security.Permission; +import java.security.PermissionCollection; +import java.security.Permissions; +import java.security.Policy; +import java.security.ProtectionDomain; +import java.security.URIParameter; /** * Initializes securitymanager with necessary permissions. @@ -47,84 +48,74 @@ class Security { * Initializes securitymanager for the environment * Can only happen once! */ - static void configure(Environment environment) throws IOException { - ESLogger log = Loggers.getLogger(Security.class); - // init lucene random seed. it will use /dev/urandom where available. + static void configure(Environment environment) throws Exception { + // init lucene random seed. it will use /dev/urandom where available: StringHelper.randomId(); - InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE); - if (config == null) { - throw new NoSuchFileException(POLICY_RESOURCE); - } - Path newConfig = processTemplate(config, environment); - System.setProperty("java.security.policy", newConfig.toString()); - System.setSecurityManager(new SecurityManager()); - try { - // don't hide securityexception here, it means java.io.tmpdir is not accessible! - Files.delete(newConfig); - } catch (SecurityException broken) { - log.error("unable to properly access temporary files, run with -Djava.security.debug=policy for more information"); - throw broken; - } catch (IOException ignore) { - // e.g. virus scanner on windows - } - } - - // package-private for testing - static Path processTemplate(InputStream template, Environment environment) throws IOException { - Path processed = Files.createTempFile(null, null); - try (OutputStream output = new BufferedOutputStream(Files.newOutputStream(processed))) { - // copy the template as-is. - try (InputStream in = new BufferedInputStream(template)) { - ByteStreams.copy(in, output); - } - // all policy files are UTF-8: - // https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html - try (Writer writer = new OutputStreamWriter(output, StandardCharsets.UTF_8)) { - writer.write(System.lineSeparator()); - writer.write("grant {"); - writer.write(System.lineSeparator()); + // enable security policy: union of template and environment-based paths. + URI template = Security.class.getResource(POLICY_RESOURCE).toURI(); + Policy.setPolicy(new ESPolicy(template, createPermissions(environment))); - // add permissions for all configured paths. - // TODO: improve test infra so we can reduce permissions where read/write - // is not really needed... - addPath(writer, environment.homeFile(), "read,readlink,write,delete"); - addPath(writer, environment.configFile(), "read,readlink,write,delete"); - addPath(writer, environment.logsFile(), "read,readlink,write,delete"); - addPath(writer, environment.pluginsFile(), "read,readlink,write,delete"); - - // generate explicit perms for actual temp dir: - // (in case there is java.io.tmpdir sheistiness on windows) - addPath(writer, processed.getParent(), "read,readlink,write,delete"); + // enable security manager + System.setSecurityManager(new SecurityManager()); - for (Path path : environment.dataFiles()) { - addPath(writer, path, "read,readlink,write,delete"); - } - for (Path path : environment.dataWithClusterFiles()) { - addPath(writer, path, "read,readlink,write,delete"); - } + // do some basic tests + selfTest(); + } - writer.write("};"); - writer.write(System.lineSeparator()); - } + /** returns dynamic Permissions to configured paths */ + static Permissions createPermissions(Environment environment) throws IOException { + // TODO: improve test infra so we can reduce permissions where read/write + // is not really needed... + Permissions policy = new Permissions(); + addPath(policy, environment.homeFile(), "read,readlink,write,delete"); + addPath(policy, environment.configFile(), "read,readlink,write,delete"); + addPath(policy, environment.logsFile(), "read,readlink,write,delete"); + addPath(policy, environment.pluginsFile(), "read,readlink,write,delete"); + for (Path path : environment.dataFiles()) { + addPath(policy, path, "read,readlink,write,delete"); } - return processed; + for (Path path : environment.dataWithClusterFiles()) { + addPath(policy, path, "read,readlink,write,delete"); + } + + return policy; } - static void addPath(Writer writer, Path path, String permissions) throws IOException { + /** Add access to path (and all files underneath it */ + static void addPath(Permissions policy, Path path, String permissions) throws IOException { // paths may not exist yet Files.createDirectories(path); // add each path twice: once for itself, again for files underneath it - writer.write("permission java.io.FilePermission \"" + encode(path) + "\", \"" + permissions + "\";"); - writer.write(System.lineSeparator()); - writer.write("permission java.io.FilePermission \"" + encode(path) + "${/}-\", \"" + permissions + "\";"); - writer.write(System.lineSeparator()); + policy.add(new FilePermission(path.toString(), permissions)); + policy.add(new FilePermission(path.toString() + path.getFileSystem().getSeparator() + "-", permissions)); } - - // Any backslashes in paths must be escaped, because it is the escape character when parsing. - // See "Note Regarding File Path Specifications on Windows Systems". - // https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html - static String encode(Path path) { - return path.toString().replace("\\", "\\\\"); + + /** Simple checks that everything is ok */ + static void selfTest() { + // check we can manipulate temporary files + try { + Files.delete(Files.createTempFile(null, null)); + } catch (IOException ignored) { + // potentially virus scanner + } catch (SecurityException problem) { + throw new SecurityException("Security misconfiguration: cannot access java.io.tmpdir", problem); + } + } + + /** custom policy for union of static and dynamic permissions */ + static class ESPolicy extends Policy { + final Policy template; + final PermissionCollection dynamic; + + ESPolicy(URI template, PermissionCollection dynamic) throws Exception { + this.template = Policy.getInstance("JavaPolicy", new URIParameter(template)); + this.dynamic = dynamic; + } + + @Override + public boolean implies(ProtectionDomain domain, Permission permission) { + return template.implies(domain, permission) || dynamic.implies(permission); + } } } diff --git a/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java b/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java index 4c2ddcd47eb4e..edbcafdddbd96 100644 --- a/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java +++ b/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java @@ -24,12 +24,9 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.test.ElasticsearchTestCase; -import java.io.ByteArrayInputStream; import java.io.FilePermission; import java.nio.file.Path; -import java.security.Policy; -import java.security.ProtectionDomain; -import java.security.URIParameter; +import java.security.Permissions; public class SecurityTests extends ElasticsearchTestCase { @@ -42,17 +39,15 @@ public void testGeneratedPermissions() throws Exception { settingsBuilder.put("path.home", esHome.toString()); Settings settings = settingsBuilder.build(); - Environment environment = new Environment(settings); - Path policyFile = Security.processTemplate(new ByteArrayInputStream(new byte[0]), environment); + Environment environment = new Environment(settings); + Permissions permissions = Security.createPermissions(environment); - ProtectionDomain domain = getClass().getProtectionDomain(); - Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri())); // the fake es home - assertTrue(policy.implies(domain, new FilePermission(esHome.toString(), "read"))); + assertTrue(permissions.implies(new FilePermission(esHome.toString(), "read"))); // its parent - assertFalse(policy.implies(domain, new FilePermission(path.toString(), "read"))); + assertFalse(permissions.implies(new FilePermission(path.toString(), "read"))); // some other sibling - assertFalse(policy.implies(domain, new FilePermission(path.resolve("other").toString(), "read"))); + assertFalse(permissions.implies(new FilePermission(path.resolve("other").toString(), "read"))); } /** test generated permissions for all configured paths */ @@ -67,29 +62,26 @@ public void testEnvironmentPaths() throws Exception { settingsBuilder.put("path.logs", path.resolve("logs").toString()); Settings settings = settingsBuilder.build(); - Environment environment = new Environment(settings); - Path policyFile = Security.processTemplate(new ByteArrayInputStream(new byte[0]), environment); - - ProtectionDomain domain = getClass().getProtectionDomain(); - Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri())); + Environment environment = new Environment(settings); + Permissions permissions = Security.createPermissions(environment); // check that all directories got permissions: // homefile: this is needed unless we break out rules for "lib" dir. // TODO: make read-only - assertTrue(policy.implies(domain, new FilePermission(environment.homeFile().toString(), "read,readlink,write,delete"))); + assertTrue(permissions.implies(new FilePermission(environment.homeFile().toString(), "read,readlink,write,delete"))); // config file // TODO: make read-only - assertTrue(policy.implies(domain, new FilePermission(environment.configFile().toString(), "read,readlink,write,delete"))); + assertTrue(permissions.implies(new FilePermission(environment.configFile().toString(), "read,readlink,write,delete"))); // plugins: r/w, TODO: can this be minimized? - assertTrue(policy.implies(domain, new FilePermission(environment.pluginsFile().toString(), "read,readlink,write,delete"))); + assertTrue(permissions.implies(new FilePermission(environment.pluginsFile().toString(), "read,readlink,write,delete"))); // data paths: r/w for (Path dataPath : environment.dataFiles()) { - assertTrue(policy.implies(domain, new FilePermission(dataPath.toString(), "read,readlink,write,delete"))); + assertTrue(permissions.implies(new FilePermission(dataPath.toString(), "read,readlink,write,delete"))); } for (Path dataPath : environment.dataWithClusterFiles()) { - assertTrue(policy.implies(domain, new FilePermission(dataPath.toString(), "read,readlink,write,delete"))); + assertTrue(permissions.implies(new FilePermission(dataPath.toString(), "read,readlink,write,delete"))); } // logs: r/w - assertTrue(policy.implies(domain, new FilePermission(environment.logsFile().toString(), "read,readlink,write,delete"))); + assertTrue(permissions.implies(new FilePermission(environment.logsFile().toString(), "read,readlink,write,delete"))); } } From fc54ff5f10d27291d2cd8734b411936f413ffd03 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Sat, 2 May 2015 15:19:01 -0400 Subject: [PATCH 11/12] remove now-unnecessary test permission --- src/main/resources/org/elasticsearch/bootstrap/security.policy | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main/resources/org/elasticsearch/bootstrap/security.policy b/src/main/resources/org/elasticsearch/bootstrap/security.policy index 4b9b9699e80a8..027e4bd3ea5dc 100644 --- a/src/main/resources/org/elasticsearch/bootstrap/security.policy +++ b/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -86,7 +86,6 @@ grant { // needed for testing access rules etc permission java.lang.RuntimePermission "createSecurityManager"; - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; // reflection hacks: // needed for Striped64 (what is this doing), also enables unmap hack From 3a89b990ead0600458ed58035359ae4738b6f632 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Sun, 3 May 2015 23:37:05 -0400 Subject: [PATCH 12/12] remove another unnecessary permission --- src/main/resources/org/elasticsearch/bootstrap/security.policy | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/main/resources/org/elasticsearch/bootstrap/security.policy b/src/main/resources/org/elasticsearch/bootstrap/security.policy index 027e4bd3ea5dc..438fa87d333a5 100644 --- a/src/main/resources/org/elasticsearch/bootstrap/security.policy +++ b/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -84,9 +84,6 @@ grant { // needed for natives calls permission java.lang.RuntimePermission "loadLibrary.*"; - // needed for testing access rules etc - permission java.lang.RuntimePermission "createSecurityManager"; - // reflection hacks: // needed for Striped64 (what is this doing), also enables unmap hack permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";