honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Simplify security manager permissions 

The security manager permissions were copied wholesale from pre-split
X-Pack. However, this grants unnecessary permissions to the child
plugins. This commit is a simple attempt at removing permissions that
are not needed in the child plugins.

Relates elastic/x-pack-elasticsearch#3651

Original commit: elastic/x-pack-elasticsearch@8325ed83d7
This commit is contained in:
Jason Tedor 2018-01-24 08:57:54 -05:00 committed by GitHub
parent ba7b84d4d0
commit 3932635f98
10 changed files with 8 additions and 198 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
plugin/core/src/main/plugin-metadata/plugin-security.policy
View File

@ -1,18 +1,4 @@
grant {
// needed because of problems in unbound LDAP library
permission java.util.PropertyPermission "*", "read,write";
// required to configure the custom mailcap for watcher
permission java.lang.RuntimePermission "setFactory";
// needed when sending emails for javax.activation
// otherwise a classnotfound exception is thrown due to trying
// to load the class with the application class loader
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
@ -20,20 +6,10 @@ grant {
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
permission java.util.PropertyPermission "*", "read,write";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";
// needed for Windows named pipes in machine learning
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
};
grant codeBase "${codebase.xmlsec-2.0.8.jar}" {
// needed during initialization of OpenSAML library where xml security algorithms are registered
// see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220
// and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52
// which uses it in the opensaml-xmlsec-impl
permission java.security.SecurityPermission "org.apache.xml.security.register";
};
grant codeBase "${codebase.netty-common}" {

25
plugin/deprecation/src/main/plugin-metadata/plugin-security.policy
View File

@ -1,31 +1,6 @@
grant {
// needed because of problems in unbound LDAP library
permission java.util.PropertyPermission "*", "read,write";
// required to configure the custom mailcap for watcher
permission java.lang.RuntimePermission "setFactory";
// needed when sending emails for javax.activation
// otherwise a classnotfound exception is thrown due to trying
// to load the class with the application class loader
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
// needed for x-pack security extension
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";
// needed for Windows named pipes in machine learning
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
};
grant codeBase "${codebase.netty-common}" {

25
plugin/graph/src/main/plugin-metadata/plugin-security.policy
View File

@ -1,31 +1,6 @@
grant {
// needed because of problems in unbound LDAP library
permission java.util.PropertyPermission "*", "read,write";
// required to configure the custom mailcap for watcher
permission java.lang.RuntimePermission "setFactory";
// needed when sending emails for javax.activation
// otherwise a classnotfound exception is thrown due to trying
// to load the class with the application class loader
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
// needed for x-pack security extension
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";
// needed for Windows named pipes in machine learning
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
};
grant codeBase "${codebase.netty-common}" {

25
plugin/logstash/src/main/plugin-metadata/plugin-security.policy
View File

@ -1,31 +1,6 @@
grant {
// needed because of problems in unbound LDAP library
permission java.util.PropertyPermission "*", "read,write";
// required to configure the custom mailcap for watcher
permission java.lang.RuntimePermission "setFactory";
// needed when sending emails for javax.activation
// otherwise a classnotfound exception is thrown due to trying
// to load the class with the application class loader
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
// needed for x-pack security extension
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";
// needed for Windows named pipes in machine learning
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
};
grant codeBase "${codebase.netty-common}" {

22
plugin/ml/src/main/plugin-metadata/plugin-security.policy
View File

@ -1,26 +1,4 @@
grant {
// needed because of problems in unbound LDAP library
permission java.util.PropertyPermission "*", "read,write";
// required to configure the custom mailcap for watcher
permission java.lang.RuntimePermission "setFactory";
// needed when sending emails for javax.activation
// otherwise a classnotfound exception is thrown due to trying
// to load the class with the application class loader
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
// needed for x-pack security extension
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";

11
plugin/monitoring/src/main/plugin-metadata/plugin-security.policy
View File

@ -13,19 +13,8 @@ grant {
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
// needed for x-pack security extension
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";
// needed for Windows named pipes in machine learning
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
};
grant codeBase "${codebase.netty-common}" {

23
plugin/security/src/main/plugin-metadata/plugin-security.policy
View File

@ -1,31 +1,14 @@
grant {
permission java.lang.RuntimePermission "setFactory";
// needed because of problems in unbound LDAP library
permission java.util.PropertyPermission "*", "read,write";
// required to configure the custom mailcap for watcher
permission java.lang.RuntimePermission "setFactory";
// needed when sending emails for javax.activation
// otherwise a classnotfound exception is thrown due to trying
// to load the class with the application class loader
// needed because of SAML (cf. o.e.x.s.s.RestorableContextClassLoader)
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
// needed for x-pack security extension
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";
// needed for Windows named pipes in machine learning
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
};
grant codeBase "${codebase.xmlsec-2.0.8.jar}" {

25
plugin/upgrade/src/main/plugin-metadata/plugin-security.policy
View File

@ -1,31 +1,6 @@
grant {
// needed because of problems in unbound LDAP library
permission java.util.PropertyPermission "*", "read,write";
// required to configure the custom mailcap for watcher
permission java.lang.RuntimePermission "setFactory";
// needed when sending emails for javax.activation
// otherwise a classnotfound exception is thrown due to trying
// to load the class with the application class loader
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
// needed for x-pack security extension
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";
// needed for Windows named pipes in machine learning
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
};
grant codeBase "${codebase.netty-common}" {

10
plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
View File

@ -193,12 +193,6 @@ import static java.util.Collections.emptyList;
public class Watcher extends Plugin implements ActionPlugin, ScriptPlugin {
static {
// some classes need to have their own clinit blocks
BodyPartSource.init();
Account.init();
}
public static final Setting<String> INDEX_WATCHER_TEMPLATE_VERSION_SETTING =
new Setting<>("index.xpack.watcher.template.version", "", Function.identity(), Setting.Property.IndexScope);
public static final Setting<Boolean> ENCRYPT_SENSITIVE_DATA_SETTING =
@ -251,6 +245,10 @@ public class Watcher extends Plugin implements ActionPlugin, ScriptPlugin {
return Collections.emptyList();
}
// only initialize these classes if Watcher is enabled, and only after the plugin security policy for Watcher is in place
BodyPartSource.init();
Account.init();
final CryptoService cryptoService;
try {
cryptoService = ENCRYPT_SENSITIVE_DATA_SETTING.get(settings) ? new CryptoService(settings) : null;

14
plugin/watcher/src/main/plugin-metadata/plugin-security.policy
View File

@ -1,7 +1,4 @@
grant {
// needed because of problems in unbound LDAP library
permission java.util.PropertyPermission "*", "read,write";
// required to configure the custom mailcap for watcher
permission java.lang.RuntimePermission "setFactory";
@ -13,19 +10,8 @@ grant {
// TODO: remove use of this jar as soon as possible!!!!
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
// bouncy castle
permission java.security.SecurityPermission "putProviderProperty.BC";
// needed for x-pack security extension
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
// needed for multiple server implementations used in tests
permission java.net.SocketPermission "*", "accept,connect";
// needed for Windows named pipes in machine learning
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
};
grant codeBase "${codebase.netty-common}" {