Remove Environment.homeFile()
Today we grant read+write+delete access to any files underneath the home. But we have to remove this, if we want to have improved security of files underneath elasticsearch.
This commit is contained in:
parent
4e2bdb67b7
commit
052cf1446f
|
@ -117,11 +117,11 @@ final class Security {
|
||||||
|
|
||||||
/** returns dynamic Permissions to configured paths */
|
/** returns dynamic Permissions to configured paths */
|
||||||
static Permissions createPermissions(Environment environment) throws IOException {
|
static Permissions createPermissions(Environment environment) throws IOException {
|
||||||
// TODO: improve test infra so we can reduce permissions where read/write
|
|
||||||
// is not really needed...
|
|
||||||
Permissions policy = new Permissions();
|
Permissions policy = new Permissions();
|
||||||
|
// read-only dirs
|
||||||
|
addPath(policy, environment.binFile(), "read,readlink");
|
||||||
|
addPath(policy, environment.libFile(), "read,readlink");
|
||||||
addPath(policy, environment.tmpFile(), "read,readlink,write,delete");
|
addPath(policy, environment.tmpFile(), "read,readlink,write,delete");
|
||||||
addPath(policy, environment.homeFile(), "read,readlink,write,delete");
|
|
||||||
addPath(policy, environment.configFile(), "read,readlink,write,delete");
|
addPath(policy, environment.configFile(), "read,readlink,write,delete");
|
||||||
addPath(policy, environment.logsFile(), "read,readlink,write,delete");
|
addPath(policy, environment.logsFile(), "read,readlink,write,delete");
|
||||||
addPath(policy, environment.pluginsFile(), "read,readlink,write,delete");
|
addPath(policy, environment.pluginsFile(), "read,readlink,write,delete");
|
||||||
|
|
|
@ -45,8 +45,6 @@ public class Environment {
|
||||||
|
|
||||||
private final Settings settings;
|
private final Settings settings;
|
||||||
|
|
||||||
private final Path homeFile;
|
|
||||||
|
|
||||||
private final Path[] dataFiles;
|
private final Path[] dataFiles;
|
||||||
|
|
||||||
private final Path[] dataWithClusterFiles;
|
private final Path[] dataWithClusterFiles;
|
||||||
|
@ -57,6 +55,12 @@ public class Environment {
|
||||||
|
|
||||||
private final Path pluginsFile;
|
private final Path pluginsFile;
|
||||||
|
|
||||||
|
/** location of bin/, used by plugin manager */
|
||||||
|
private final Path binFile;
|
||||||
|
|
||||||
|
/** location of lib/, */
|
||||||
|
private final Path libFile;
|
||||||
|
|
||||||
private final Path logsFile;
|
private final Path logsFile;
|
||||||
|
|
||||||
/** Path to the PID file (can be null if no PID file is configured) **/
|
/** Path to the PID file (can be null if no PID file is configured) **/
|
||||||
|
@ -83,6 +87,7 @@ public class Environment {
|
||||||
|
|
||||||
public Environment(Settings settings) {
|
public Environment(Settings settings) {
|
||||||
this.settings = settings;
|
this.settings = settings;
|
||||||
|
final Path homeFile;
|
||||||
if (settings.get("path.home") != null) {
|
if (settings.get("path.home") != null) {
|
||||||
homeFile = PathUtils.get(cleanPath(settings.get("path.home")));
|
homeFile = PathUtils.get(cleanPath(settings.get("path.home")));
|
||||||
} else {
|
} else {
|
||||||
|
@ -133,6 +138,9 @@ public class Environment {
|
||||||
} else {
|
} else {
|
||||||
pidFile = null;
|
pidFile = null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
binFile = homeFile.resolve("bin");
|
||||||
|
libFile = homeFile.resolve("lib");
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -142,13 +150,6 @@ public class Environment {
|
||||||
return this.settings;
|
return this.settings;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* The home of the installation.
|
|
||||||
*/
|
|
||||||
public Path homeFile() {
|
|
||||||
return homeFile;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The data location.
|
* The data location.
|
||||||
*/
|
*/
|
||||||
|
@ -236,6 +237,14 @@ public class Environment {
|
||||||
return pluginsFile;
|
return pluginsFile;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public Path binFile() {
|
||||||
|
return binFile;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Path libFile() {
|
||||||
|
return libFile;
|
||||||
|
}
|
||||||
|
|
||||||
public Path logsFile() {
|
public Path logsFile() {
|
||||||
return logsFile;
|
return logsFile;
|
||||||
}
|
}
|
||||||
|
|
|
@ -140,8 +140,8 @@ public class Node implements Releasable {
|
||||||
|
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
Environment env = tuple.v2();
|
Environment env = tuple.v2();
|
||||||
logger.debug("using home [{}], config [{}], data [{}], logs [{}], plugins [{}]",
|
logger.debug("using config [{}], data [{}], logs [{}], plugins [{}]",
|
||||||
env.homeFile(), env.configFile(), Arrays.toString(env.dataFiles()), env.logsFile(), env.pluginsFile());
|
env.configFile(), Arrays.toString(env.dataFiles()), env.logsFile(), env.pluginsFile());
|
||||||
}
|
}
|
||||||
|
|
||||||
this.pluginsService = new PluginsService(tuple.v1(), tuple.v2());
|
this.pluginsService = new PluginsService(tuple.v1(), tuple.v2());
|
||||||
|
|
|
@ -733,7 +733,7 @@ public class PluginManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
Path binDir(Environment env) {
|
Path binDir(Environment env) {
|
||||||
return env.homeFile().resolve("bin").resolve(name);
|
return env.binFile().resolve(name);
|
||||||
}
|
}
|
||||||
|
|
||||||
Path configDir(Environment env) {
|
Path configDir(Environment env) {
|
||||||
|
|
|
@ -53,7 +53,7 @@ public class SecurityTests extends ElasticsearchTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
// the fake es home
|
// the fake es home
|
||||||
assertTrue(permissions.implies(new FilePermission(esHome.toString(), "read")));
|
assertFalse(permissions.implies(new FilePermission(esHome.toString(), "read")));
|
||||||
// its parent
|
// its parent
|
||||||
assertFalse(permissions.implies(new FilePermission(path.toString(), "read")));
|
assertFalse(permissions.implies(new FilePermission(path.toString(), "read")));
|
||||||
// some other sibling
|
// some other sibling
|
||||||
|
@ -88,9 +88,8 @@ public class SecurityTests extends ElasticsearchTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
// check that all directories got permissions:
|
// check that all directories got permissions:
|
||||||
// homefile: this is needed unless we break out rules for "lib" dir.
|
assertTrue(permissions.implies(new FilePermission(environment.binFile().toString(), "read")));
|
||||||
// TODO: make read-only
|
assertTrue(permissions.implies(new FilePermission(environment.libFile().toString(), "read")));
|
||||||
assertTrue(permissions.implies(new FilePermission(environment.homeFile().toString(), "read,readlink,write,delete")));
|
|
||||||
// config file
|
// config file
|
||||||
// TODO: make read-only
|
// TODO: make read-only
|
||||||
assertTrue(permissions.implies(new FilePermission(environment.configFile().toString(), "read,readlink,write,delete")));
|
assertTrue(permissions.implies(new FilePermission(environment.configFile().toString(), "read,readlink,write,delete")));
|
||||||
|
|
|
@ -85,7 +85,7 @@ public class PluginManagerTests extends ElasticsearchIntegrationTest {
|
||||||
String pluginName = "plugin-test";
|
String pluginName = "plugin-test";
|
||||||
Tuple<Settings, Environment> initialSettings = buildInitialSettings();
|
Tuple<Settings, Environment> initialSettings = buildInitialSettings();
|
||||||
Environment env = initialSettings.v2();
|
Environment env = initialSettings.v2();
|
||||||
Path binDir = env.homeFile().resolve("bin");
|
Path binDir = env.binFile();
|
||||||
if (!Files.exists(binDir)) {
|
if (!Files.exists(binDir)) {
|
||||||
Files.createDirectories(binDir);
|
Files.createDirectories(binDir);
|
||||||
}
|
}
|
||||||
|
@ -212,7 +212,7 @@ public class PluginManagerTests extends ElasticsearchIntegrationTest {
|
||||||
String pluginName = "plugin-test";
|
String pluginName = "plugin-test";
|
||||||
Tuple<Settings, Environment> initialSettings = buildInitialSettings();
|
Tuple<Settings, Environment> initialSettings = buildInitialSettings();
|
||||||
Environment env = initialSettings.v2();
|
Environment env = initialSettings.v2();
|
||||||
Path binDir = env.homeFile().resolve("bin");
|
Path binDir = env.binFile();
|
||||||
if (!Files.exists(binDir)) {
|
if (!Files.exists(binDir)) {
|
||||||
Files.createDirectories(binDir);
|
Files.createDirectories(binDir);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue