From 7abd05173496efaad1281badc14c13295b88a62b Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Tue, 22 Dec 2015 12:07:37 -0500 Subject: [PATCH] better containing of hadoop for actual blobstore operations --- .../repositories/hdfs/HdfsBlobStore.java | 11 +++++++++-- .../elasticsearch/repositories/hdfs/HdfsPlugin.java | 2 ++ .../src/main/plugin-metadata/plugin-security.policy | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java index 0351ae28219..23404a7c360 100644 --- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java +++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java @@ -29,10 +29,13 @@ import org.elasticsearch.common.blobstore.BlobPath; import org.elasticsearch.common.blobstore.BlobStore; import java.io.IOException; +import java.lang.reflect.ReflectPermission; import java.security.AccessController; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; +import javax.security.auth.AuthPermission; + final class HdfsBlobStore implements BlobStore { private final Path root; @@ -110,10 +113,13 @@ final class HdfsBlobStore implements BlobStore { interface Operation { V run(FileContext fileContext) throws IOException; } - + /** * Executes the provided operation against this store */ + // we can do FS ops with only two elevated permissions: + // 1) hadoop dynamic proxy is messy with access rules + // 2) allow hadoop to add credentials to our Subject V execute(Operation operation) throws IOException { SecurityManager sm = System.getSecurityManager(); if (sm != null) { @@ -129,7 +135,8 @@ final class HdfsBlobStore implements BlobStore { public V run() throws IOException { return operation.run(fileContext); } - }); + }, null, new ReflectPermission("suppressAccessChecks"), + new AuthPermission("modifyPrivateCredentials")); } catch (PrivilegedActionException pae) { throw (IOException) pae.getException(); } diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java index e85f0c0c865..ccd0b405ff2 100644 --- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java +++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java @@ -63,6 +63,8 @@ public final class HdfsPlugin extends Plugin { Class.forName("org.apache.hadoop.util.StringUtils"); Class.forName("org.apache.hadoop.util.ShutdownHookManager"); Class.forName("org.apache.hadoop.conf.Configuration"); + Class.forName("org.apache.hadoop.hdfs.protocol.HdfsConstants"); + Class.forName("org.apache.hadoop.hdfs.protocol.datatransfer.PipelineAck"); } catch (ClassNotFoundException | IOException e) { throw new RuntimeException(e); } finally { diff --git a/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy b/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy index 83e5599a9c8..85447245c96 100644 --- a/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy +++ b/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy @@ -18,7 +18,7 @@ */ grant { - // Hadoop UserGroupInformation clinit + // Hadoop UserGroupInformation, HdfsConstants, PipelineAck clinit permission java.lang.RuntimePermission "getClassLoader"; // UserGroupInformation (UGI) Metrics clinit