mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-25 01:19:02 +00:00
Robert Muir
parent
5de564a19f
commit
7dad162377
@ -23,10 +23,10 @@
|
||||
|
||||
grant {
|
||||
// permissions for file access, write access only to sandbox:
|
||||
permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute,write";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}${/}-", "read,execute,write,delete";
|
||||
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
|
||||
permission java.io.FilePermission "<<ALL FILES>>", "read";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}", "read,write";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}${/}-", "read,write,delete";
|
||||
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
|
||||
permission java.nio.file.LinkPermission "symbolic";
|
||||
permission groovy.security.GroovyCodeSourcePermission "/groovy/script";
|
||||
|
||||
@ -35,8 +35,60 @@ grant {
|
||||
|
||||
// Basic permissions needed for Lucene / Elasticsearch to work:
|
||||
permission java.util.PropertyPermission "*", "read,write";
|
||||
permission java.lang.reflect.ReflectPermission "*";
|
||||
permission java.lang.RuntimePermission "*";
|
||||
|
||||
// needed by junit4's gson usage
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
|
||||
// needed by scripting engines, etc
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
|
||||
// needed by lucene SPI currently
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
|
||||
// needed by GroovyScriptEngineService
|
||||
permission java.lang.RuntimePermission "closeClassLoader";
|
||||
|
||||
// needed by ImmutableSettings
|
||||
permission java.lang.RuntimePermission "getenv.*";
|
||||
|
||||
// needed by BootStrap, etc
|
||||
permission java.lang.RuntimePermission "exitVM.*";
|
||||
|
||||
// needed by RandomizedTest.globalTempDir()
|
||||
permission java.lang.RuntimePermission "shutdownHooks";
|
||||
|
||||
// needed by PluginManager
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
|
||||
// needed by LuceneTestCase/TestRuleLimitSysouts
|
||||
permission java.lang.RuntimePermission "setIO";
|
||||
|
||||
// needed by junit4 ThreadLeakControl
|
||||
permission java.lang.RuntimePermission "modifyThread";
|
||||
permission java.lang.RuntimePermission "modifyThreadGroup";
|
||||
|
||||
// needed by groovy scripting
|
||||
permission java.lang.RuntimePermission "getProtectionDomain";
|
||||
|
||||
permission java.lang.RuntimePermission "loadLibrary.*";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.*";
|
||||
permission java.lang.RuntimePermission "defineClassInPackage.*";
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.RuntimePermission "getStackTrace";
|
||||
|
||||
// needed by RandomizedRunner
|
||||
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
|
||||
|
||||
permission java.lang.RuntimePermission "usePolicy";
|
||||
|
||||
// needed by JMX instead of getFileSystemAttributes, seems like a bug...
|
||||
permission java.lang.RuntimePermission "getFileStoreAttributes";
|
||||
|
||||
// needed by lucene mockfilesystems
|
||||
permission java.lang.RuntimePermission "fileSystemProvider";
|
||||
|
||||
// needed by plugin manager to set unix permissions
|
||||
permission java.lang.RuntimePermission "accessUserInformation";
|
||||
|
||||
// These two *have* to be spelled out a separate
|
||||
permission java.lang.management.ManagementPermission "control";
|
||||
|
||||
@ -19,6 +19,7 @@
|
||||
package org.elasticsearch.plugins;
|
||||
|
||||
import com.google.common.base.Predicate;
|
||||
|
||||
import org.apache.http.impl.client.HttpClients;
|
||||
import org.apache.lucene.util.IOUtils;
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
@ -50,6 +51,9 @@ import java.net.URI;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.nio.file.attribute.PosixFileAttributeView;
|
||||
import java.nio.file.attribute.PosixFileAttributes;
|
||||
import java.nio.file.attribute.PosixFilePermission;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
import static org.elasticsearch.common.io.FileSystemUtilsTests.assertFileContent;
|
||||
@ -124,7 +128,15 @@ public class PluginManagerTests extends ElasticsearchIntegrationTest {
|
||||
assertDirectoryExists(pluginConfigDir);
|
||||
Path toolFile = pluginBinDir.resolve("tool");
|
||||
assertFileExists(toolFile);
|
||||
assertThat(Files.isExecutable(toolFile), is(true));
|
||||
|
||||
// check that the file is marked executable, without actually checking that we can execute it.
|
||||
PosixFileAttributeView view = Files.getFileAttributeView(toolFile, PosixFileAttributeView.class);
|
||||
// the view might be null, on e.g. windows, there is nothing to check there!
|
||||
if (view != null) {
|
||||
PosixFileAttributes attributes = view.readAttributes();
|
||||
assertTrue("unexpected permissions: " + attributes.permissions(),
|
||||
attributes.permissions().contains(PosixFilePermission.OWNER_EXECUTE));
|
||||
}
|
||||
} finally {
|
||||
// we need to clean up the copied dirs
|
||||
IOUtils.rm(pluginBinDir, pluginConfigDir);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user