Remove security manager policy files (#127727)
Now that the security manager is gone, the policy files are no longer needed. This commit removes the server, test and plugin-specific policy files.
parent
e3b000efba
commit
22a52a9c64
63 changed files with 3 additions and 700 deletions
|
@ -183,11 +183,7 @@ public class BasePluginBuildPlugin implements Plugin<Project> {
|
|||
) {
|
||||
var bundleSpec = project.copySpec();
|
||||
bundleSpec.from(buildProperties);
|
||||
bundleSpec.from(pluginMetadata, copySpec -> {
|
||||
// metadata (eg custom security policy)
|
||||
// the codebases properties file is only for tests and not needed in production
|
||||
copySpec.exclude("plugin-security.codebases");
|
||||
});
|
||||
bundleSpec.from(pluginMetadata);
|
||||
bundleSpec.from(
|
||||
(Callable<TaskProvider<Task>>) () -> project.getPluginManager().hasPlugin("com.gradleup.shadow")
|
||||
? project.getTasks().named("shadowJar")
|
||||
|
|
|
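Review bot: With the `copySpec.exclude("plugin-security.codebases")` filter gone, `bundleSpec.from(pluginMetadata)` copies everything in the plugin metadata source into the bundle, so a plugin project that still carries `plugin-security.policy` or `plugin-security.codebases` will presumably ship them unchanged. Nothing applies those grants any more, and as far as the visible lines of `InstallPluginAction` show, the installer only prints a warning when it finds the policy file, so an author may keep assuming the plugin is confined by it. Consider warning or failing at build time when either legacy file is present, or excluding both names, e.g. `bundleSpec.from(pluginMetadata, spec -> spec.exclude("plugin-security.policy", "plugin-security.codebases"));`. The enclosing method starts and ends outside the hunk.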
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// Needed to read the log file
|
||||
permission java.io.FilePermission "@tests.logfile@", "read";
|
||||
};
|
|
@ -922,7 +922,7 @@ public class InstallPluginAction implements Closeable {
|
|||
private PluginDescriptor installPlugin(InstallablePlugin descriptor, Path tmpRoot, List<Path> deleteOnFailure) throws Exception {
|
||||
final PluginDescriptor info = loadPluginInfo(tmpRoot);
|
||||
|
||||
Path legacyPolicyFile = tmpRoot.resolve(PluginDescriptor.ES_PLUGIN_POLICY);
|
||||
Path legacyPolicyFile = tmpRoot.resolve("plugin-security.policy");
|
||||
if (Files.exists(legacyPolicyFile)) {
|
||||
terminal.errorPrintln(
|
||||
"WARNING: this plugin contains a legacy Security Policy file. Starting with version 8.18, "
|
||||
|
|
|
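Review bot: The file name `"plugin-security.policy"` is now a bare literal inside `installPlugin`, replacing the `PluginDescriptor.ES_PLUGIN_POLICY` constant that this commit removes. A named private constant with a short comment would record why the installer still looks for a file that nothing reads, e.g. `private static final String LEGACY_POLICY_FILENAME = "plugin-security.policy"; // kept only to warn about plugins that still ship a security manager policy`. It would also help to state in a comment above the `Files.exists` check that the file's grants are not enforced, so the warning is the only signal an operator gets. The rest of `installPlugin`, including the remainder of the warning text, lies outside the hunk.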
@ -1,33 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
permission java.lang.RuntimePermission "accessSystemModules";
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
permission java.util.PropertyPermission "elastic.apm.*", "write";
|
||||
permission java.util.PropertyPermission "*", "read,write";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.elastic-apm-agent}" {
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
permission java.net.SocketPermission "*", "connect,resolve";
|
||||
// profiling function in APM agent
|
||||
permission java.util.PropertyPermission "AsyncProfiler.safemode", "write";
|
||||
permission java.lang.RuntimePermission "accessUserInformation";
|
||||
permission java.lang.RuntimePermission "loadLibrary.*";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
permission java.io.FilePermission "<<ALL FILES>>", "read,write";
|
||||
permission org.elasticsearch.secure_sm.ThreadPermission "modifyArbitraryThreadGroup";
|
||||
permission java.net.NetPermission "getProxySelector";
|
||||
};
|
|
@ -1,12 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
};
|
|
@ -1,23 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// needed to generate runtime classes
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
|
||||
// expression runtime
|
||||
permission org.elasticsearch.script.ClassPermission "java.lang.String";
|
||||
permission org.elasticsearch.script.ClassPermission "org.apache.lucene.expressions.Expression";
|
||||
permission org.elasticsearch.script.ClassPermission "org.apache.lucene.search.DoubleValues";
|
||||
// available functions
|
||||
permission org.elasticsearch.script.ClassPermission "java.lang.Math";
|
||||
permission org.elasticsearch.script.ClassPermission "org.apache.lucene.util.MathUtil";
|
||||
permission org.elasticsearch.script.ClassPermission "org.apache.lucene.util.SloppyMath";
|
||||
permission org.elasticsearch.script.ClassPermission "org.apache.lucene.expressions.js.ExpressionMath";
|
||||
};
|
|
@ -1,16 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// needed to generate runtime classes
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
|
||||
// needed to find the classloader to load whitelisted classes from
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
};
|
|
@ -1,2 +0,0 @@
|
|||
elasticsearch-rest-client: org.elasticsearch.client.RestClient
|
||||
httpasyncclient: org.apache.http.nio.client.HttpAsyncClient
|
|
@ -1,23 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// reindex opens socket connections using the rest client
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.elasticsearch-rest-client}" {
|
||||
// rest client uses system properties which gets the default proxy
|
||||
permission java.net.NetPermission "getProxySelector";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.httpasyncclient}" {
|
||||
// rest client uses system properties which gets the default proxy
|
||||
permission java.net.NetPermission "getProxySelector";
|
||||
};
|
|
@ -1,20 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// azure client opens socket connections for to access repository
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
// io.netty.util.concurrent.GlobalEventExecutor.startThread
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
// io.netty.util.concurrent.GlobalEventExecutor.startThread
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
// Used by jackson bean deserialization
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
};
|
|
@ -1,20 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// required by: com.google.api.client.json.JsonParser#parseValue
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
// required by: com.google.api.client.json.GenericJson#<init>
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
// required to add google certs to the gcs client trustore
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
|
||||
// gcs client opens socket connections for to access repository
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
};
|
|
@ -1,3 +0,0 @@
|
|||
grant {
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
};
|
|
@ -1,3 +0,0 @@
|
|||
grant {
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
};
|
|
@ -1,34 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
|
||||
// needed because of problems in ClientConfiguration
|
||||
// TODO: get these fixed in aws sdk
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
// Needed because of problems in AmazonS3Client:
|
||||
// When no region is set on a AmazonS3Client instance, the
|
||||
// AWS SDK loads all known partitions from a JSON file and
|
||||
// uses a Jackson's ObjectMapper for that: this one, in
|
||||
// version 2.5.3 with the default binding options, tries
|
||||
// to suppress access checks of ctor/field/method and thus
|
||||
// requires this special permission. AWS must be fixed to
|
||||
// uses Jackson correctly and have the correct modifiers
|
||||
// on binded classes.
|
||||
// TODO: get these fixed in aws sdk
|
||||
// See https://github.com/aws/aws-sdk-java/issues/766
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
|
||||
// s3 client opens socket connections for to access repository
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
|
||||
// only for tests : org.elasticsearch.repositories.s3.S3RepositoryPlugin
|
||||
permission java.util.PropertyPermission "es.allow_insecure_settings", "read,write";
|
||||
};
|
|
@ -1,12 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
};
|
|
@ -1 +0,0 @@
|
|||
systemd: org.elasticsearch.systemd.SystemdPlugin
|
|
@ -1,13 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant codeBase "${codebase.systemd}" {
|
||||
// for registering native methods
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
};
|
|
@ -1 +0,0 @@
|
|||
netty-transport: io.netty.channel.Channel
|
|
@ -1,26 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant codeBase "${codebase.netty-common}" {
|
||||
// for reading the system-wide configuration for the backlog of established sockets
|
||||
permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";
|
||||
|
||||
// netty makes and accepts socket connections
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
|
||||
// Netty gets and sets classloaders for some of its internal threads
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.netty-transport}" {
|
||||
// Netty NioEventLoop wants to change this, because of https://bugs.openjdk.java.net/browse/JDK-6427854
|
||||
// the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely!
|
||||
permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write";
|
||||
};
|
|
@ -1,13 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// azure client opens socket connections for discovery
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
};
|
|
@ -1,23 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// needed because of problems in ClientConfiguration
|
||||
// TODO: get these fixed in aws sdk
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
// NOTE: no tests fail without this, but we know the problem
|
||||
// exists in AWS sdk, and tests here are not thorough
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
|
||||
// ec2 client opens socket connections for discovery
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
permission java.util.PropertyPermission "http.proxyHost", "read";
|
||||
};
|
|
@ -1,18 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// needed because of problems in gce
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
|
||||
// gce client opens socket connections for discovery
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
};
|
|
@ -1,72 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// Hadoop UserGroupInformation, HdfsConstants, PipelineAck clinit
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
|
||||
// UserGroupInformation (UGI) Metrics clinit
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
|
||||
// Needed so that Hadoop can load the correct classes for SPI and JAAS
|
||||
// org.apache.hadoop.security.SecurityUtil clinit
|
||||
// org.apache.hadoop.security.UserGroupInformation.newLoginContext()
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
|
||||
// org.apache.hadoop.util.StringUtils clinit
|
||||
permission java.util.PropertyPermission "*", "read,write";
|
||||
|
||||
// JAAS is used by Hadoop for authentication purposes
|
||||
// The Hadoop Login JAAS module modifies a Subject's private credentials and principals
|
||||
// The Hadoop RPC Layer must be able to read these credentials, and initiate Kerberos connections
|
||||
|
||||
// org.apache.hadoop.security.UserGroupInformation.getCurrentUser()
|
||||
permission javax.security.auth.AuthPermission "getSubject";
|
||||
|
||||
// org.apache.hadoop.security.UserGroupInformation.doAs()
|
||||
permission javax.security.auth.AuthPermission "doAs";
|
||||
|
||||
// org.apache.hadoop.security.UserGroupInformation.getCredentialsInternal()
|
||||
permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
|
||||
|
||||
// Hadoop depends on the Kerberos login module for kerberos authentication
|
||||
// com.sun.security.auth.module.Krb5LoginModule.login()
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.krb5";
|
||||
|
||||
// com.sun.security.auth.module.Krb5LoginModule.commit()
|
||||
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
||||
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
|
||||
|
||||
// Hadoop depends on OS level user information for simple authentication
|
||||
// Unix: UnixLoginModule: com.sun.security.auth.module.UnixSystem.UnixSystem init
|
||||
permission java.lang.RuntimePermission "loadLibrary.jaas";
|
||||
permission java.lang.RuntimePermission "loadLibrary.jaas_unix";
|
||||
// Windows: NTLoginModule: com.sun.security.auth.module.NTSystem.loadNative
|
||||
permission java.lang.RuntimePermission "loadLibrary.jaas_nt";
|
||||
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
|
||||
|
||||
// org.apache.hadoop.security.SaslRpcServer.init()
|
||||
permission java.security.SecurityPermission "putProviderProperty.SaslPlainServer";
|
||||
|
||||
// org.apache.hadoop.security.SaslPlainServer.SecurityProvider.SecurityProvider init
|
||||
permission java.security.SecurityPermission "insertProvider";
|
||||
|
||||
// org.apache.hadoop.security.SaslRpcClient.getServerPrincipal -> KerberosPrincipal init
|
||||
permission javax.security.auth.kerberos.ServicePermission "*", "initiate";
|
||||
|
||||
// hdfs client opens socket connections for to access repository
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
|
||||
// client binds to the address returned from the host name of any principal set up as a service principal
|
||||
// org.apache.hadoop.ipc.Client.Connection.setupConnection
|
||||
permission java.net.SocketPermission "localhost:0", "listen,resolve";
|
||||
};
|
|
@ -1,5 +0,0 @@
|
|||
grant {
|
||||
// Needed to read the log file
|
||||
permission java.io.FilePermission "${tests.logfile}", "read";
|
||||
permission java.io.FilePermission "${tests.jsonLogfile}", "read";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// Needed to read the log file
|
||||
permission java.io.FilePermission "${tests.logfile}", "read";
|
||||
};
|
|
@ -562,9 +562,6 @@ class Elasticsearch {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
// policy file codebase declarations in security.policy rely on property expansion, see PolicyUtil.readPolicy
|
||||
Security.setProperty("policy.expandProperties", "true");
|
||||
}
|
||||
|
||||
private static Environment createEnvironment(Path configDir, Settings initialSettings, SecureSettings secureSettings) {
|
||||
|
|
|
@ -46,8 +46,6 @@ public class PluginDescriptor implements Writeable, ToXContentObject {
|
|||
public static final String STABLE_DESCRIPTOR_FILENAME = "stable-plugin-descriptor.properties";
|
||||
public static final String NAMED_COMPONENTS_FILENAME = "named_components.json";
|
||||
|
||||
public static final String ES_PLUGIN_POLICY = "plugin-security.policy";
|
||||
|
||||
private static final TransportVersion MODULE_NAME_SUPPORT = TransportVersions.V_8_3_0;
|
||||
private static final TransportVersion BOOTSTRAP_SUPPORT_REMOVED = TransportVersions.V_8_4_0;
|
||||
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
grant {
|
||||
// various permissions to fiddle with Unsafe
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
|
@ -1 +0,0 @@
|
|||
httpasyncclient: org.apache.http.nio.client.HttpAsyncClient
|
|
@ -1,21 +0,0 @@
|
|||
grant {
|
||||
// CommandLineHttpClient
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
// bouncy castle
|
||||
permission java.security.SecurityPermission "putProviderProperty.BC";
|
||||
|
||||
// needed in (cf. o.e.x.c.s.s.RestorableContextClassLoader)
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
|
||||
// needed because of problems in unbound LDAP library
|
||||
permission java.util.PropertyPermission "*", "read,write";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.httpasyncclient}" {
|
||||
// rest client uses system properties which gets the default proxy
|
||||
permission java.net.NetPermission "getProxySelector";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// needed for Jackson ObjectMapper to parse floats
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
};
|
|
@ -1,13 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License
|
||||
* 2.0; you may not use this file except in compliance with the Elastic License
|
||||
* 2.0.
|
||||
*/
|
||||
|
||||
// Needed by the Arrow memory manager
|
||||
grant {
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
|
||||
};
|
|
@ -1 +0,0 @@
|
|||
arrow: org.elasticsearch.xpack.esql.arrow.AllocationManagerShim
|
|
@ -1,12 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License
|
||||
* 2.0; you may not use this file except in compliance with the Elastic License
|
||||
* 2.0.
|
||||
*/
|
||||
|
||||
grant codeBase "${codebase.arrow}" {
|
||||
// Needed for AllocationManagerShim
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
|
@ -1,16 +0,0 @@
|
|||
grant {
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
|
||||
// ApacheXMLSecurityInitializer
|
||||
permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "read,write";
|
||||
permission java.security.SecurityPermission "org.apache.xml.security.register";
|
||||
|
||||
// needed during initialization of OpenSAML library where xml security algorithms are registered
|
||||
// see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220
|
||||
// and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52
|
||||
// which uses it in the opensaml-xmlsec-impl
|
||||
permission java.security.SecurityPermission "org.apache.xml.security.register";
|
||||
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
|
@ -1,27 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License
|
||||
* 2.0; you may not use this file except in compliance with the Elastic License
|
||||
* 2.0.
|
||||
*/
|
||||
|
||||
grant {
|
||||
// required by: com.google.api.client.json.JsonParser#parseValue
|
||||
// also required by AWS SDK for client configuration
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
|
||||
// required by: com.google.api.client.json.GenericJson#<init>
|
||||
// also by AWS SDK for Jackson's ObjectMapper
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
|
||||
// required to add google certs to the gcs client trustore
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
|
||||
// gcs client opens socket connections for to access repository
|
||||
// also, AWS Bedrock client opens socket connections and needs resolve for to access to resources
|
||||
permission java.net.SocketPermission "*", "connect,resolve";
|
||||
|
||||
// AWS Clients always try to check the http.proxyHost system property
|
||||
permission java.util.PropertyPermission "http.proxyHost", "read";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
|
@ -1,13 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the "Elastic License
|
||||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
||||
* Public License v 1"; you may not use this file except in compliance with, at
|
||||
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
||||
* License v3.0 only", or the "Server Side Public License, v 1".
|
||||
*/
|
||||
|
||||
grant {
|
||||
// needed for Painless to generate runtime classes
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
};
|
|
@ -1,10 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License
|
||||
* 2.0; you may not use this file except in compliance with the Elastic License
|
||||
* 2.0.
|
||||
*/
|
||||
|
||||
grant {
|
||||
permission java.net.SocketPermission "*", "connect";
|
||||
};
|
|
@ -1,5 +0,0 @@
|
|||
// Needed for painless script to run
|
||||
grant {
|
||||
// needed to create the classloader which allows plugins to extend other plugins
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
};
|
|
@ -1,7 +0,0 @@
|
|||
grant {
|
||||
// needed for Windows named pipes in machine learning
|
||||
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
|
||||
|
||||
// needed for ojalgo linear programming solver
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
};
|
|
@ -1 +0,0 @@
|
|||
elasticsearch-rest-client: org.elasticsearch.client.RestClient
|
|
@ -1,23 +0,0 @@
|
|||
grant {
|
||||
// needed because of problems in unbound LDAP library
|
||||
permission java.util.PropertyPermission "*", "read,write";
|
||||
|
||||
// required to configure the custom mailcap for watcher
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
|
||||
// needed when sending emails for javax.activation
|
||||
// otherwise a classnotfound exception is thrown due to trying
|
||||
// to load the class with the application class loader
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
// TODO: remove use of this jar as soon as possible!!!!
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
|
||||
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.elasticsearch-rest-client}" {
|
||||
// rest client uses system properties which gets the default proxy
|
||||
permission java.net.NetPermission "getProxySelector";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
};
|
|
@ -1,2 +0,0 @@
|
|||
netty-common: io.netty.util.NettyRuntime
|
||||
netty-transport: io.netty.channel.Channel
|
|
@ -1,64 +0,0 @@
|
|||
grant {
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
|
||||
// secure the users file from other things (current and legacy locations)
|
||||
permission org.elasticsearch.SecuredConfigFileAccessPermission "users";
|
||||
permission org.elasticsearch.SecuredConfigFileAccessPermission "x-pack/users";
|
||||
// other security files specified by settings
|
||||
permission org.elasticsearch.SecuredConfigFileSettingAccessPermission "xpack.security.authc.realms.ldap.*.files.role_mapping";
|
||||
permission org.elasticsearch.SecuredConfigFileSettingAccessPermission "xpack.security.authc.realms.pki.*.files.role_mapping";
|
||||
permission org.elasticsearch.SecuredConfigFileSettingAccessPermission "xpack.security.authc.realms.jwt.*.pkc_jwkset_path";
|
||||
permission org.elasticsearch.SecuredConfigFileSettingAccessPermission "xpack.security.authc.realms.saml.*.idp.metadata.path";
|
||||
permission org.elasticsearch.SecuredConfigFileSettingAccessPermission "xpack.security.authc.realms.kerberos.*.keytab.path";
|
||||
|
||||
// needed for SAML
|
||||
permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "read,write";
|
||||
|
||||
// needed during initialization of OpenSAML library where xml security algorithms are registered
|
||||
// see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220
|
||||
// and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52
|
||||
// which uses it in the opensaml-xmlsec-impl
|
||||
permission java.security.SecurityPermission "org.apache.xml.security.register";
|
||||
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
|
||||
// needed for Kerberos login
|
||||
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
||||
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosKey * \"*\"", "read";
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
|
||||
permission javax.security.auth.AuthPermission "doAs";
|
||||
permission javax.security.auth.kerberos.ServicePermission "*","initiate,accept";
|
||||
|
||||
permission java.util.PropertyPermission "javax.security.auth.useSubjectCredsOnly","write";
|
||||
permission java.util.PropertyPermission "java.security.krb5.conf","write";
|
||||
permission java.util.PropertyPermission "sun.security.krb5.debug","write";
|
||||
permission java.util.PropertyPermission "java.security.debug","write";
|
||||
permission java.util.PropertyPermission "sun.security.spnego.debug","write";
|
||||
|
||||
// needed for kerberos file permission tests to access user information
|
||||
permission java.lang.RuntimePermission "accessUserInformation";
|
||||
permission java.lang.RuntimePermission "getFileStoreAttributes";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.netty-common}" {
|
||||
// for reading the system-wide configuration for the backlog of established sockets
|
||||
permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";
|
||||
// Netty gets and sets classloaders for some of its internal threads
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.netty-transport}" {
|
||||
// Netty NioEventLoop wants to change this, because of https://bugs.openjdk.java.net/browse/JDK-6427854
|
||||
// the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely!
|
||||
permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.nimbus-jose-jwt-modified}" {
|
||||
// for JSON serialization based on a shaded GSON dependency
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
};
|
|
@ -1,6 +0,0 @@
|
|||
grant {
|
||||
// Required for testing the Driver registration
|
||||
permission java.sql.SQLPermission "deregisterDriver";
|
||||
// Required for debug logging purposes
|
||||
permission java.sql.SQLPermission "setLog";
|
||||
};
|
|
@ -1,9 +0,0 @@
|
|||
grant {
|
||||
// Needed to read the audit log file
|
||||
permission java.io.FilePermission "${tests.audit.logfile}", "read";
|
||||
permission java.io.FilePermission "${tests.audit.yesterday.logfile}", "read";
|
||||
|
||||
//// Required by ssl subproject:
|
||||
// Required for the net client to setup ssl rather than use global ssl.
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// Policy is required for tests to connect to testing Elasticsearch instances.
|
||||
permission java.net.SocketPermission "*", "connect,resolve";
|
||||
};
|
|
@ -98,10 +98,7 @@ public abstract class SqlSecurityTestCase extends ESRestTestCase {
|
|||
|
||||
protected static final String SQL_ACTION_NAME = "indices:data/read/sql";
|
||||
/**
|
||||
* Location of the audit log file. We could technically figure this out by reading the admin
|
||||
* APIs but it isn't worth doing because we also have to give ourselves permission to read
|
||||
* the file and that must be done by setting a system property and reading it in
|
||||
* {@code plugin-security.policy}. So we may as well have gradle set the property.
|
||||
* Location of the audit log file.
|
||||
*/
|
||||
private static final Path AUDIT_LOG_FILE = lookupAuditLog();
|
||||
private static final Path ROLLED_OVER_AUDIT_LOG_FILE = lookupRolledOverAuditLog();
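Review bot: The shortened Javadoc above `AUDIT_LOG_FILE` no longer says where the path comes from; the removed lines were the only place in this hunk that mentioned the build setting a system property for it. The deleted policy files on this page reference `tests.audit.logfile` and `tests.audit.yesterday.logfile`, so the two lookups presumably still read those properties, but `lookupAuditLog()` and `lookupRolledOverAuditLog()` are defined outside the hunk and this is inferred. If so, keep that one fact in the comment, for example `* Location of the audit log file, read from a system property set by the Gradle build.`, and give `ROLLED_OVER_AUDIT_LOG_FILE` a matching one-line Javadoc, since it has none here.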
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
grant {
|
||||
// Needed to read the audit log file
|
||||
permission java.io.FilePermission "${tests.audit.logfile}", "read";
|
||||
permission java.io.FilePermission "${tests.audit.yesterday.logfile}", "read";
|
||||
|
||||
//// Required by ssl subproject:
|
||||
// Required for the net client to setup ssl rather than use global ssl.
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// Policy is required for tests to connect to testing Elasticsearch instances.
|
||||
permission java.net.SocketPermission "*", "connect,resolve";
|
||||
};
|
|
@ -1,15 +0,0 @@
|
|||
grant {
|
||||
// required to configure the custom mailcap for watcher
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
|
||||
// needed when sending emails for javax.activation
|
||||
// otherwise a classnotfound exception is thrown due to trying
|
||||
// to load the class with the application class loader
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
// TODO: remove use of this jar as soon as possible!!!!
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
|
||||
|
||||
// needed for multiple server implementations used in tests
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
|
@ -1,7 +0,0 @@
|
|||
grant {
|
||||
permission javax.security.auth.AuthPermission "doAsPrivileged";
|
||||
permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
|
||||
permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost.localdomain@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
|
||||
permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost4@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
|
||||
permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost4.localdomain4@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
|
||||
};
|
|
@ -1,4 +0,0 @@
|
|||
grant {
|
||||
// example security manager permission
|
||||
permission java.util.PropertyPermission "foobar", "read";
|
||||
};
|