Add debugging when security init screws up (or at trace level if you wish)
parent
5e87801a4b
commit
6e6949d3f4
|
@ -21,9 +21,9 @@ package org.elasticsearch.bootstrap;
|
||||||
|
|
||||||
import com.google.common.io.ByteStreams;
|
import com.google.common.io.ByteStreams;
|
||||||
|
|
||||||
import org.apache.lucene.util.IOUtils;
|
|
||||||
import org.apache.lucene.util.StringHelper;
|
import org.apache.lucene.util.StringHelper;
|
||||||
import org.elasticsearch.common.SuppressForbidden;
|
import org.elasticsearch.common.logging.ESLogger;
|
||||||
|
import org.elasticsearch.common.logging.Loggers;
|
||||||
import org.elasticsearch.env.Environment;
|
import org.elasticsearch.env.Environment;
|
||||||
|
|
||||||
import java.io.*;
|
import java.io.*;
|
||||||
|
@ -32,6 +32,7 @@ import java.nio.file.Files;
|
||||||
import java.nio.file.NoSuchFileException;
|
import java.nio.file.NoSuchFileException;
|
||||||
import java.nio.file.Path;
|
import java.nio.file.Path;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
import java.security.PermissionCollection;
|
||||||
import java.security.Policy;
|
import java.security.Policy;
|
||||||
import java.security.URIParameter;
|
import java.security.URIParameter;
|
||||||
|
|
||||||
|
@ -50,8 +51,8 @@ class Security {
|
||||||
* Initializes securitymanager for the environment
|
* Initializes securitymanager for the environment
|
||||||
* Can only happen once!
|
* Can only happen once!
|
||||||
*/
|
*/
|
||||||
@SuppressForbidden(reason = "just debugging")
|
|
||||||
static void configure(Environment environment) throws IOException {
|
static void configure(Environment environment) throws IOException {
|
||||||
|
ESLogger log = Loggers.getLogger(Security.class);
|
||||||
// init lucene random seed. it will use /dev/urandom where available.
|
// init lucene random seed. it will use /dev/urandom where available.
|
||||||
StringHelper.randomId();
|
StringHelper.randomId();
|
||||||
InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE);
|
InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE);
|
||||||
|
@ -60,16 +61,23 @@ class Security {
|
||||||
}
|
}
|
||||||
Path newConfig = processTemplate(config, environment);
|
Path newConfig = processTemplate(config, environment);
|
||||||
System.setProperty("java.security.policy", newConfig.toString());
|
System.setProperty("java.security.policy", newConfig.toString());
|
||||||
|
// retrieve the parsed policy we created: its useful if something goes wrong
|
||||||
|
Policy policy = null;
|
||||||
try {
|
try {
|
||||||
Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(newConfig.toUri()));
|
policy = Policy.getInstance("JavaPolicy", new URIParameter(newConfig.toUri()));
|
||||||
System.out.println(policy.getPermissions(Security.class.getProtectionDomain()));
|
} catch (NoSuchAlgorithmException impossible) {
|
||||||
} catch (NoSuchAlgorithmException e) {
|
throw new RuntimeException(impossible);
|
||||||
throw new RuntimeException();
|
|
||||||
}
|
}
|
||||||
|
PermissionCollection permissions = policy.getPermissions(Security.class.getProtectionDomain());
|
||||||
|
log.trace("generated permissions: {}", permissions);
|
||||||
|
|
||||||
System.setSecurityManager(new SecurityManager());
|
System.setSecurityManager(new SecurityManager());
|
||||||
try {
|
try {
|
||||||
// don't hide securityexception here, it means java.io.tmpdir is not accessible!
|
// don't hide securityexception here, it means java.io.tmpdir is not accessible!
|
||||||
Files.delete(newConfig);
|
Files.delete(newConfig);
|
||||||
|
} catch (SecurityException broken) {
|
||||||
|
log.error("unable to properly access temporary files, permissions: {}", permissions);
|
||||||
|
throw broken;
|
||||||
} catch (IOException ignore) {
|
} catch (IOException ignore) {
|
||||||
// e.g. virus scanner on windows
|
// e.g. virus scanner on windows
|
||||||
}
|
}
|
||||||
|
|
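Review bot: The `permissions` collection that `configure` logs comes from a separate `Policy.getInstance("JavaPolicy", new URIParameter(newConfig.toUri()))` parse of the generated file, so it may not match what the installed `SecurityManager` actually enforces. The JVM's default policy can also merge the policy files listed in `java.security`, which this standalone instance presumably does not read. I would note that next to the lookup, e.g. `// permissions from the generated policy file only; the effective Policy may grant more`, so the trace and error output is not read as the complete grant set. The `log.error` in the `SecurityException` branch also leaves out the path that failed; `log.error("unable to access temporary file [{}], permissions: {}", newConfig, permissions);` would make the failure easier to act on. The body of `configure` starts before and continues after the lines shown here.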