honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-17 02:14:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove policy config file, its a resource.

Browse Source 
Remove exposed boolean to turn off security.
Add unit test
This commit is contained in:
Robert Muir 2015-04-23 22:02:57 -04:00
parent b2850bff47
commit 500c956b45
6 changed files with 66 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
config/elasticsearch.yml
View File

@ -231,16 +231,6 @@
#
#http.enabled: false
################################### Security ##################################
# SecurityManager runs elasticsearch with a lower set of priviledges.
# For more information, see
# <https://docs.oracle.com/javase/tutorial/essential/environment/security.html>.
# Disable security completely:
#
# security.enabled: false
################################### Gateway ###################################
# The gateway allows for persisting the cluster state between full cluster

2
pom.xml
View File

@ -630,7 +630,7 @@
<tests.compatibility>${tests.compatibility}</tests.compatibility>
<java.awt.headless>true</java.awt.headless>
<!-- security manager / test.policy -->
<java.security.policy>${basedir}/config/security.policy</java.security.policy>
<java.security.policy>${basedir}/src/main/resources/org/elasticsearch/bootstrap/security.policy</java.security.policy>
</systemProperties>
</configuration>
</execution>

2
src/main/java/org/elasticsearch/bootstrap/Bootstrap.java
View File

@ -93,7 +93,7 @@ public class Bootstrap {
}
private void setupSecurity(Settings settings, Environment environment) throws Exception {
if (settings.getAsBoolean("security.enabled", true)) {
if (settings.getAsBoolean("security.manager.enabled", true)) {
Security.configure(environment);
}
}

20
src/main/java/org/elasticsearch/bootstrap/Security.java
View File

@ -19,19 +19,22 @@
package org.elasticsearch.bootstrap;
import com.google.common.io.ByteStreams;
import org.apache.lucene.util.IOUtils;
import org.apache.lucene.util.StringHelper;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.env.Environment;
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.HashSet;
import java.util.Set;
@ -44,6 +47,9 @@ import java.util.Set;
*/
class Security {
/** template policy file, the one used in tests */
static final String POLICY_RESOURCE = "security.policy";
/**
* Initializes securitymanager for the environment
* Can only happen once!
@ -51,18 +57,24 @@ class Security {
static void configure(Environment environment) throws IOException {
// init lucene random seed. it will use /dev/urandom where available.
StringHelper.randomId();
Path newConfig = processTemplate(environment.configFile().resolve("security.policy"), environment);
InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE);
if (config == null) {
throw new NoSuchFileException(POLICY_RESOURCE);
}
Path newConfig = processTemplate(config, environment);
System.setProperty("java.security.policy", newConfig.toString());
System.setSecurityManager(new SecurityManager());
IOUtils.deleteFilesIgnoringExceptions(newConfig); // TODO: maybe log something if it fails?
}
// package-private for testing
static Path processTemplate(Path template, Environment environment) throws IOException {
static Path processTemplate(InputStream template, Environment environment) throws IOException {
Path processed = Files.createTempFile(null, null);
try (OutputStream output = new BufferedOutputStream(Files.newOutputStream(processed))) {
// copy the template as-is.
Files.copy(template, output);
try (InputStream in = template) {
ByteStreams.copy(in, output);
}
// add permissions for all configured paths.
Set<Path> paths = new HashSet<>();

0
config/security.policy → src/main/resources/org/elasticsearch/bootstrap/security.policy
View File

48
src/test/java/org/elasticsearch/bootstrap/SecurityTests.java Normal file
View File

@ -0,0 +1,48 @@
/*
* Licensed to Elasticsearch under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.elasticsearch.bootstrap;
import org.elasticsearch.test.ElasticsearchTestCase;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.Collections;
public class SecurityTests extends ElasticsearchTestCase {
/** backslash escaping (e.g. windows paths) */
public void testEncode() {
assertEquals("c:\\\\foobar", Security.encode("c:\\foobar"));
}
/** test template processing */
public void testTemplateProcessing() throws Exception {
Path path = createTempDir();
byte results[] = Security.createPermissions(Collections.singleton(path));
String unicode = new String(results, StandardCharsets.UTF_8);
// try not to make this test too fragile or useless
assertTrue(unicode.contains("grant {"));
assertTrue(unicode.contains(Security.encode(path)));
assertTrue(unicode.contains("read"));
assertTrue(unicode.contains("write"));
}
}