-
Notifications
You must be signed in to change notification settings - Fork 24.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove all accessClassInPackage permissions for java 9 compatibility #13444
Comments
sun.nio.ch can be removed completely after we upgrade lucene again. |
lucene tests are passing with the jigsaw EA now: https://issues.apache.org/jira/browse/LUCENE-6795 i will bump the lucene version in #13439 and see how ES looks. |
The answer is that nothing compiles, all tests fail, and ES won't start, of course :) |
@uschindler opened a bug at groovy that might be related to our issues: https://issues.apache.org/jira/browse/GROOVY-7587 |
The Lucene MMapDirectory unmapping is part of the whitelisted APIs in JIGSAW, so we can still call it: http://openjdk.java.net/jeps/260 Thanks to our work in arguing about sun.misc.Cleaner :-) |
Example:
|
That is not allowed. See https://issues.apache.org/jira/browse/GROOVY-7587 |
The whole thing is already investigated by both Oracle and also Groovy people. This is no 1 issue on the jigsaw-dev mailing list :-) The issue has nothing to do with this it accessing stuff inside nio. The problem is: Theoretically Groovy can handle that, it is just "surprised" by a new Exception type it cannot handle. Oracle now thinks about making this new Exception a subclass of SecurityException to work around issues like that (setAccessible was only documented to throw SecurityException and now it suddenly throws another runtime exception. Because of that Groovy cannot handle that (and hide the non-accessible method, it just fails). By default it simply ignores fields it cannot make accessible. |
I'm confused, because I get the security exception in both JDK 8 and JDK 9. |
You get the SecurityException because we don't allow it by policy in elasticsearch. On java 9 even if there is no securitymanager, you will still get InaccessibleObjectException. |
FWIW, using
and a command line like
then ES 2.0.0-beta1 with my groovy plugin which uses |
You need to use a jigsaw build. |
Ok, I missed that. |
You can download one from here: http://jdk9.java.net/jigsaw Master is fully functional on that build but only after some battles this weekend :) The remaining internal packages that we use (for mmap unmapping and reflection for scripting and mocks) are "ok for now" because they are "critical internal apis" (http://openjdk.java.net/jeps/260). But these are deprecated and going away eventually. |
Hi, The problem here is a different one and has to do with reflection in general. The problem is that Java returns package internal classes which implement a public interface. Because groovy needs to call methods on it, it must reflect on them. So we must allow that otherwise you cannot even find out which methods are. Reflecting internal packages is not necessarily bad, that is something every scripting language must be able to do. Java 8's internal Javascript can do this, the problem is external scripting engines. You must just disallow to call seAccessible()! In fact Groovy does not want to make them accessible, it just needs to find out what methods are on the object - it does not want to make them accessible or call them. These are 2 different issues. The latter will also work with Java 9! |
Yes, I got confused because I thought JDK 9 early access include jigsaw but there are separate builds. The issues are indeed different. Just worrying about how Groovy will work in the JDK 9 future, and with or without security manager. It's a bit too early to see the light at the end of the tunnel. Robert is doing amazing work! |
1 similar comment
Yes, I got confused because I thought JDK 9 early access include jigsaw but there are separate builds. The issues are indeed different. Just worrying about how Groovy will work in the JDK 9 future, and with or without security manager. It's a bit too early to see the light at the end of the tunnel. Robert is doing amazing work! |
It does not work at all. The most funny fact is: They cannot fix (and more important test the bugfix) because of a chicken-egg problem: "For Groovy we have a chicken and egg problem for testing, because this change breaks Groovy, and Groovy uses Gradle to build. Since Gradle itself uses Groovy, we have no compatible build tool to test the fix... So it's very problematic." (http://mail.openjdk.java.net/pipermail/jigsaw-dev/2015-September/004517.html) So they cannot even build Groovy with Java 9 - LOL! Personally, I would nuke Groovy in ES and use Nashorn only. |
It's more complex and not only Groovy - all platforms with dynamic class loading and inspection with |
bq. And Guava is also an ES dependency. That is not a problem, because ES does not use the reflection stuff in Guava. This is like commons-lang + commons-collections + commons-io, a large library. |
It is also vice versa. Like Lucene and ES, projects should look into the issues and fix their code. As seen from my work yesterday, most stuff can be done without making anything accesible by just refectoring your code. I did a short conculsion to the lucene-dev mailing list: http://mail-archives.apache.org/mod_mbox/lucene-dev/201509.mbox/%3C014801d0ee23%245c8f5df0%2415ae19d0%24%40thetaphi.de%3E |
And setAccessible is not a "tweak", its not ok to use at all. I am working to ban it completely with the security policy as soon as possible. this thread says it nicely: http://mail.openjdk.java.net/pipermail/hotspot-dev/2015-June/019277.html
|
Nice post! I think we have 2 issues here: setAccessible must be banned anyways. The problem with groovy is also another problem: Dynamic scripting languages have to figure out which methods they can call on, so they have to "inspect" the class. As you see from stack trace above, Groovy did not want to call setAccessible. The issue was it was not even able to do Class#getMethod() which retrieves only public methods. This is needed to call the function dynamically. The problem is that we forbid refelction at all! So forbidding setAccesible is fine, but for dynamic scripting languages you should allow "inspection" of those classes, otherwise they will never be able to call any method. |
That is not going to happen. it is too much of a security risk. For scripts in ES, this is not needed (and by the way, groovy scripts run with zero permissions so there is no sense in them getting a Path or File or anything like that). |
And its not allowed in java 9 anyway, so good time to stop dreaming. |
I was just talking about "inspection" not calling or making stuff accessible! :-) |
Public methods are no problem, we don't do anything to prevent that. As far as |
Yes, I create a jar for ES plugin zip with gradle. Compiled groovy classes are bytecode for the JVM but they come with a load of extra language features, dynamic type checking at run time, compilation on demand, class caching, method / operator overloading, meta object protocol (MOP) etc. It's the Groovy runtime that executes reflection. |
@jprante I wish I had an easy answer for you. We know groovy has challenges here (hence the java 9 problems), but I don't know about the issues besides our scripting integration, I just have not looked into it. That one is simpler because of what that functionality is designed to do, vs writing entire plugin in it. I do know it has the option for static compilation, which could be an interim workaround, until they solve these issues (it claims direct method calls which should bypass the issue). I have heard it takes away a lot of the grooviness, sorry I'm just not knowledgeable on groovy and trying to brainstorm solutions that do not involve disabling security. |
@rmuir thanks, I appreciate your help. I will disable security manager for my Groovy plugins for now. Unfortunately static compilation does not make a difference. It removes dynamic typing, which is good for faster execution time, but does not make the Groovy runtime obsolete, which is invoked since all Groovy classes extend from
From my little knowledge, if people try to create ES JVM plugins with Scala, or Clojure, they may encounter similar issues, because these languages also offer meta programming and bring their own language runtime, which uses Java platform reflection, e.g. http://scalamacros.org/paperstalks/2012-04-28-MetaprogrammingInScala210.pdf http://clojure-doc.org/articles/language/macros.html This is clearly not an issue that can be solved by ES alone, so my message is only meant to rise some attention of possible security manager side effects. I will follow the Java 9 jigsaw process to see what the future will bring for Groovy, Scala, Clojure et.al. |
Interestingly, clojure reported today that they are functional on jigsaw: http://mail.openjdk.java.net/pipermail/jigsaw-dev/2015-September/004609.html I don't know what they are doing differently... and I plan to look into these more anyway, to at least improve ES scripting integration, but have not had the chance yet. Thanks for trying compilestatic, i was really hoping that would play better... grrr |
Pinging @elastic/es-core-infra |
With jigsaw this stuff is not really an option anymore of security manager or not (try a build: http://jdk9.java.net/jigsaw)
We have quite a few of these in master, they all need to be removed, so things work on java 9:
I opened a PR for this (aws/aws-sdk-java#432) but they have gone silent. Maybe they do not know, aws-sdk will not work on java 9 if it tries to do this (and I don't see why they should be doing it at all).Removed.
This one needs looking into, I don't know why groovy needs this.
This one becomes more fine-grained to just the lucene test-framework jar in #13439. Additionally I raised a thread on nio-dev about it: http://mail.openjdk.java.net/pipermail/nio-dev/2015-September/003321.htmlRemoved.
This one is currently being discussed on the jdk lists: http://mail.openjdk.java.net/pipermail/core-libs-dev/2015-September/035055.html
However if its not available, lucene will fall back to not unmapping, so things will still "work", you just have disk usage, address space, etc tied to the garbage collector.
The text was updated successfully, but these errors were encountered: