diff --git a/plugin/core/src/main/plugin-metadata/plugin-security.policy b/plugin/core/src/main/plugin-metadata/plugin-security.policy index a4945feb232..0cd7a32bcc4 100644 --- a/plugin/core/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/core/src/main/plugin-metadata/plugin-security.policy @@ -1,18 +1,4 @@ grant { - // needed because of problems in unbound LDAP library - permission java.util.PropertyPermission "*", "read,write"; - - // required to configure the custom mailcap for watcher - permission java.lang.RuntimePermission "setFactory"; - - // needed when sending emails for javax.activation - // otherwise a classnotfound exception is thrown due to trying - // to load the class with the application class loader - permission java.lang.RuntimePermission "setContextClassLoader"; - permission java.lang.RuntimePermission "getClassLoader"; - // TODO: remove use of this jar as soon as possible!!!! - permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - // bouncy castle permission java.security.SecurityPermission "putProviderProperty.BC"; @@ -20,20 +6,10 @@ grant { permission java.security.SecurityPermission "createPolicy.JavaPolicy"; permission java.security.SecurityPermission "getPolicy"; permission java.security.SecurityPermission "setPolicy"; + permission java.util.PropertyPermission "*", "read,write"; // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; - - // needed for Windows named pipes in machine learning - permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; -}; - -grant codeBase "${codebase.xmlsec-2.0.8.jar}" { - // needed during initialization of OpenSAML library where xml security algorithms are registered - // see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220 - // and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52 - // which uses it in the opensaml-xmlsec-impl - permission java.security.SecurityPermission "org.apache.xml.security.register"; }; grant codeBase "${codebase.netty-common}" { diff --git a/plugin/deprecation/src/main/plugin-metadata/plugin-security.policy b/plugin/deprecation/src/main/plugin-metadata/plugin-security.policy index 45d92fd2b8a..f603bf9ad63 100644 --- a/plugin/deprecation/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/deprecation/src/main/plugin-metadata/plugin-security.policy @@ -1,31 +1,6 @@ grant { - // needed because of problems in unbound LDAP library - permission java.util.PropertyPermission "*", "read,write"; - - // required to configure the custom mailcap for watcher - permission java.lang.RuntimePermission "setFactory"; - - // needed when sending emails for javax.activation - // otherwise a classnotfound exception is thrown due to trying - // to load the class with the application class loader - permission java.lang.RuntimePermission "setContextClassLoader"; - permission java.lang.RuntimePermission "getClassLoader"; - // TODO: remove use of this jar as soon as possible!!!! - permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - - // bouncy castle - permission java.security.SecurityPermission "putProviderProperty.BC"; - - // needed for x-pack security extension - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; - permission java.security.SecurityPermission "getPolicy"; - permission java.security.SecurityPermission "setPolicy"; - // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; - - // needed for Windows named pipes in machine learning - permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; }; grant codeBase "${codebase.netty-common}" { diff --git a/plugin/graph/src/main/plugin-metadata/plugin-security.policy b/plugin/graph/src/main/plugin-metadata/plugin-security.policy index 45d92fd2b8a..f603bf9ad63 100644 --- a/plugin/graph/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/graph/src/main/plugin-metadata/plugin-security.policy @@ -1,31 +1,6 @@ grant { - // needed because of problems in unbound LDAP library - permission java.util.PropertyPermission "*", "read,write"; - - // required to configure the custom mailcap for watcher - permission java.lang.RuntimePermission "setFactory"; - - // needed when sending emails for javax.activation - // otherwise a classnotfound exception is thrown due to trying - // to load the class with the application class loader - permission java.lang.RuntimePermission "setContextClassLoader"; - permission java.lang.RuntimePermission "getClassLoader"; - // TODO: remove use of this jar as soon as possible!!!! - permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - - // bouncy castle - permission java.security.SecurityPermission "putProviderProperty.BC"; - - // needed for x-pack security extension - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; - permission java.security.SecurityPermission "getPolicy"; - permission java.security.SecurityPermission "setPolicy"; - // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; - - // needed for Windows named pipes in machine learning - permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; }; grant codeBase "${codebase.netty-common}" { diff --git a/plugin/logstash/src/main/plugin-metadata/plugin-security.policy b/plugin/logstash/src/main/plugin-metadata/plugin-security.policy index 9157c2fab47..c54f07cf5cd 100644 --- a/plugin/logstash/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/logstash/src/main/plugin-metadata/plugin-security.policy @@ -1,31 +1,6 @@ grant { - // needed because of problems in unbound LDAP library - permission java.util.PropertyPermission "*", "read,write"; - - // required to configure the custom mailcap for watcher - permission java.lang.RuntimePermission "setFactory"; - - // needed when sending emails for javax.activation - // otherwise a classnotfound exception is thrown due to trying - // to load the class with the application class loader - permission java.lang.RuntimePermission "setContextClassLoader"; - permission java.lang.RuntimePermission "getClassLoader"; - // TODO: remove use of this jar as soon as possible!!!! - permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - - // bouncy castle - permission java.security.SecurityPermission "putProviderProperty.BC"; - - // needed for x-pack security extension - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; - permission java.security.SecurityPermission "getPolicy"; - permission java.security.SecurityPermission "setPolicy"; - // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; - - // needed for Windows named pipes in machine learning - permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; }; grant codeBase "${codebase.netty-common}" { diff --git a/plugin/ml/src/main/plugin-metadata/plugin-security.policy b/plugin/ml/src/main/plugin-metadata/plugin-security.policy index 45d92fd2b8a..9ba8ea6798b 100644 --- a/plugin/ml/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/ml/src/main/plugin-metadata/plugin-security.policy @@ -1,26 +1,4 @@ grant { - // needed because of problems in unbound LDAP library - permission java.util.PropertyPermission "*", "read,write"; - - // required to configure the custom mailcap for watcher - permission java.lang.RuntimePermission "setFactory"; - - // needed when sending emails for javax.activation - // otherwise a classnotfound exception is thrown due to trying - // to load the class with the application class loader - permission java.lang.RuntimePermission "setContextClassLoader"; - permission java.lang.RuntimePermission "getClassLoader"; - // TODO: remove use of this jar as soon as possible!!!! - permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - - // bouncy castle - permission java.security.SecurityPermission "putProviderProperty.BC"; - - // needed for x-pack security extension - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; - permission java.security.SecurityPermission "getPolicy"; - permission java.security.SecurityPermission "setPolicy"; - // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; diff --git a/plugin/monitoring/src/main/plugin-metadata/plugin-security.policy b/plugin/monitoring/src/main/plugin-metadata/plugin-security.policy index 45d92fd2b8a..beb104a6b3d 100644 --- a/plugin/monitoring/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/monitoring/src/main/plugin-metadata/plugin-security.policy @@ -13,19 +13,8 @@ grant { // TODO: remove use of this jar as soon as possible!!!! permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - // bouncy castle - permission java.security.SecurityPermission "putProviderProperty.BC"; - - // needed for x-pack security extension - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; - permission java.security.SecurityPermission "getPolicy"; - permission java.security.SecurityPermission "setPolicy"; - // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; - - // needed for Windows named pipes in machine learning - permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; }; grant codeBase "${codebase.netty-common}" { diff --git a/plugin/security/src/main/plugin-metadata/plugin-security.policy b/plugin/security/src/main/plugin-metadata/plugin-security.policy index a4945feb232..84f4eb5ca10 100644 --- a/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -1,31 +1,14 @@ grant { + permission java.lang.RuntimePermission "setFactory"; + // needed because of problems in unbound LDAP library permission java.util.PropertyPermission "*", "read,write"; - // required to configure the custom mailcap for watcher - permission java.lang.RuntimePermission "setFactory"; - - // needed when sending emails for javax.activation - // otherwise a classnotfound exception is thrown due to trying - // to load the class with the application class loader + // needed because of SAML (cf. o.e.x.s.s.RestorableContextClassLoader) permission java.lang.RuntimePermission "setContextClassLoader"; - permission java.lang.RuntimePermission "getClassLoader"; - // TODO: remove use of this jar as soon as possible!!!! - permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - - // bouncy castle - permission java.security.SecurityPermission "putProviderProperty.BC"; - - // needed for x-pack security extension - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; - permission java.security.SecurityPermission "getPolicy"; - permission java.security.SecurityPermission "setPolicy"; // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; - - // needed for Windows named pipes in machine learning - permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; }; grant codeBase "${codebase.xmlsec-2.0.8.jar}" { diff --git a/plugin/upgrade/src/main/plugin-metadata/plugin-security.policy b/plugin/upgrade/src/main/plugin-metadata/plugin-security.policy index 45d92fd2b8a..f603bf9ad63 100644 --- a/plugin/upgrade/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/upgrade/src/main/plugin-metadata/plugin-security.policy @@ -1,31 +1,6 @@ grant { - // needed because of problems in unbound LDAP library - permission java.util.PropertyPermission "*", "read,write"; - - // required to configure the custom mailcap for watcher - permission java.lang.RuntimePermission "setFactory"; - - // needed when sending emails for javax.activation - // otherwise a classnotfound exception is thrown due to trying - // to load the class with the application class loader - permission java.lang.RuntimePermission "setContextClassLoader"; - permission java.lang.RuntimePermission "getClassLoader"; - // TODO: remove use of this jar as soon as possible!!!! - permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - - // bouncy castle - permission java.security.SecurityPermission "putProviderProperty.BC"; - - // needed for x-pack security extension - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; - permission java.security.SecurityPermission "getPolicy"; - permission java.security.SecurityPermission "setPolicy"; - // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; - - // needed for Windows named pipes in machine learning - permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; }; grant codeBase "${codebase.netty-common}" { diff --git a/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java b/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java index f596f0dd16c..15ee834a1f8 100644 --- a/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java +++ b/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java @@ -193,12 +193,6 @@ import static java.util.Collections.emptyList; public class Watcher extends Plugin implements ActionPlugin, ScriptPlugin { - static { - // some classes need to have their own clinit blocks - BodyPartSource.init(); - Account.init(); - } - public static final Setting INDEX_WATCHER_TEMPLATE_VERSION_SETTING = new Setting<>("index.xpack.watcher.template.version", "", Function.identity(), Setting.Property.IndexScope); public static final Setting ENCRYPT_SENSITIVE_DATA_SETTING = @@ -251,6 +245,10 @@ public class Watcher extends Plugin implements ActionPlugin, ScriptPlugin { return Collections.emptyList(); } + // only initialize these classes if Watcher is enabled, and only after the plugin security policy for Watcher is in place + BodyPartSource.init(); + Account.init(); + final CryptoService cryptoService; try { cryptoService = ENCRYPT_SENSITIVE_DATA_SETTING.get(settings) ? new CryptoService(settings) : null; diff --git a/plugin/watcher/src/main/plugin-metadata/plugin-security.policy b/plugin/watcher/src/main/plugin-metadata/plugin-security.policy index 45d92fd2b8a..8472a42a648 100644 --- a/plugin/watcher/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/watcher/src/main/plugin-metadata/plugin-security.policy @@ -1,7 +1,4 @@ grant { - // needed because of problems in unbound LDAP library - permission java.util.PropertyPermission "*", "read,write"; - // required to configure the custom mailcap for watcher permission java.lang.RuntimePermission "setFactory"; @@ -13,19 +10,8 @@ grant { // TODO: remove use of this jar as soon as possible!!!! permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries"; - // bouncy castle - permission java.security.SecurityPermission "putProviderProperty.BC"; - - // needed for x-pack security extension - permission java.security.SecurityPermission "createPolicy.JavaPolicy"; - permission java.security.SecurityPermission "getPolicy"; - permission java.security.SecurityPermission "setPolicy"; - // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; - - // needed for Windows named pipes in machine learning - permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; }; grant codeBase "${codebase.netty-common}" {