Improve startup exceptions (especially file permissions etc)
Squashed commit of the following: commit 0014d31c1c478977cc8c50eb635eab0fb91449e4 Author: Robert Muir <rmuir@apache.org> Date: Fri Aug 21 18:20:35 2015 -0400 Add missing paren to javadocs commit bb46142785c67b849cfa5aa08fe5a3877a550b3d Author: Robert Muir <rmuir@apache.org> Date: Fri Aug 21 18:08:45 2015 -0400 Improve startup exceptions (especially file permissions etc)
parent
907f648a88
commit
d96af934db
|
@ -118,25 +118,25 @@ final class Security {
|
||||||
static Permissions createPermissions(Environment environment) throws IOException {
|
static Permissions createPermissions(Environment environment) throws IOException {
|
||||||
Permissions policy = new Permissions();
|
Permissions policy = new Permissions();
|
||||||
// read-only dirs
|
// read-only dirs
|
||||||
addPath(policy, environment.binFile(), "read,readlink");
|
addPath(policy, "path.home", environment.binFile(), "read,readlink");
|
||||||
addPath(policy, environment.libFile(), "read,readlink");
|
addPath(policy, "path.home", environment.libFile(), "read,readlink");
|
||||||
addPath(policy, environment.pluginsFile(), "read,readlink");
|
addPath(policy, "path.plugins", environment.pluginsFile(), "read,readlink");
|
||||||
addPath(policy, environment.configFile(), "read,readlink");
|
addPath(policy, "path.conf", environment.configFile(), "read,readlink");
|
||||||
addPath(policy, environment.scriptsFile(), "read,readlink");
|
addPath(policy, "path.scripts", environment.scriptsFile(), "read,readlink");
|
||||||
// read-write dirs
|
// read-write dirs
|
||||||
addPath(policy, environment.tmpFile(), "read,readlink,write,delete");
|
addPath(policy, "java.io.tmpdir", environment.tmpFile(), "read,readlink,write,delete");
|
||||||
addPath(policy, environment.logsFile(), "read,readlink,write,delete");
|
addPath(policy, "path.logs", environment.logsFile(), "read,readlink,write,delete");
|
||||||
if (environment.sharedDataFile() != null) {
|
if (environment.sharedDataFile() != null) {
|
||||||
addPath(policy, environment.sharedDataFile(), "read,readlink,write,delete");
|
addPath(policy, "path.shared_data", environment.sharedDataFile(), "read,readlink,write,delete");
|
||||||
}
|
}
|
||||||
for (Path path : environment.dataFiles()) {
|
for (Path path : environment.dataFiles()) {
|
||||||
addPath(policy, path, "read,readlink,write,delete");
|
addPath(policy, "path.data", path, "read,readlink,write,delete");
|
||||||
}
|
}
|
||||||
for (Path path : environment.dataWithClusterFiles()) {
|
for (Path path : environment.dataWithClusterFiles()) {
|
||||||
addPath(policy, path, "read,readlink,write,delete");
|
addPath(policy, "path.data", path, "read,readlink,write,delete");
|
||||||
}
|
}
|
||||||
for (Path path : environment.repoFiles()) {
|
for (Path path : environment.repoFiles()) {
|
||||||
addPath(policy, path, "read,readlink,write,delete");
|
addPath(policy, "path.repo", path, "read,readlink,write,delete");
|
||||||
}
|
}
|
||||||
if (environment.pidFile() != null) {
|
if (environment.pidFile() != null) {
|
||||||
// we just need permission to remove the file if its elsewhere.
|
// we just need permission to remove the file if its elsewhere.
|
||||||
|
@ -145,10 +145,20 @@ final class Security {
|
||||||
return policy;
|
return policy;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Add access to path (and all files underneath it */
|
/**
|
||||||
static void addPath(Permissions policy, Path path, String permissions) throws IOException {
|
* Add access to path (and all files underneath it)
|
||||||
// paths may not exist yet
|
* @param policy current policy to add permissions to
|
||||||
|
* @param configurationName the configuration name associated with the path (for error messages only)
|
||||||
|
* @param path the path itself
|
||||||
|
* @param permissions set of filepermissions to grant to the path
|
||||||
|
*/
|
||||||
|
static void addPath(Permissions policy, String configurationName, Path path, String permissions) {
|
||||||
|
// paths may not exist yet, this also checks accessibility
|
||||||
|
try {
|
||||||
ensureDirectoryExists(path);
|
ensureDirectoryExists(path);
|
||||||
|
} catch (IOException e) {
|
||||||
|
throw new IllegalStateException("Unable to access '" + configurationName + "' (" + path + ")", e);
|
||||||
|
}
|
||||||
|
|
||||||
// add each path twice: once for itself, again for files underneath it
|
// add each path twice: once for itself, again for files underneath it
|
||||||
policy.add(new FilePermission(path.toString(), permissions));
|
policy.add(new FilePermission(path.toString(), permissions));
|
||||||
|
|
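Review bot: The new `addPath` javadoc lists every parameter but not the exception the method now raises: an `IOException` from `ensureDirectoryExists` is rethrown as an unchecked `IllegalStateException`, and nothing in the signature tells a caller that. I would add `@throws IllegalStateException if the path cannot be created or accessed` to the comment. `createPermissions` in the first hunk still declares `throws IOException` although none of the `addPath` calls shown in it can throw one any more. Part of its body (the pid-file branch) lies outside the hunks, so this is a guess, but the clause looks stale, and a caller that catches `IOException` around it would no longer see a permission failure there.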
|
@ -59,10 +59,7 @@ class StartupError extends RuntimeException {
|
||||||
cause = getFirstGuiceCause((CreationException)cause);
|
cause = getFirstGuiceCause((CreationException)cause);
|
||||||
}
|
}
|
||||||
|
|
||||||
String message = cause.getMessage();
|
String message = cause.toString();
|
||||||
if (message == null) {
|
|
||||||
message = "Unknown Error";
|
|
||||||
}
|
|
||||||
s.println(message);
|
s.println(message);
|
||||||
|
|
||||||
if (cause != null) {
|
if (cause != null) {
|
||||||
|
|
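Review bot: `cause.toString()` dereferences `cause` a few lines before the `if (cause != null)` guard that follows the `println`, so one of the two is wrong: either `cause` can be null and the new line throws a NullPointerException while reporting the startup failure, or it cannot and the guard is dead. Dropping the `message == null` fallback is fine, since `Throwable.toString()` never returns null, but this change is the moment to settle the guard as well. If null is possible, `String message = String.valueOf(cause);` keeps the same output and avoids the dereference. How `cause` is obtained is above the hunk, so I cannot tell which case applies.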
|
@ -107,7 +107,7 @@ public class PluginsService extends AbstractComponent {
|
||||||
List<Bundle> bundles = getPluginBundles(environment);
|
List<Bundle> bundles = getPluginBundles(environment);
|
||||||
tupleBuilder.addAll(loadBundles(bundles));
|
tupleBuilder.addAll(loadBundles(bundles));
|
||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
throw new IllegalStateException(ex);
|
throw new IllegalStateException("Unable to initialize plugins", ex);
|
||||||
}
|
}
|
||||||
|
|
||||||
plugins = tupleBuilder.build();
|
plugins = tupleBuilder.build();
|
||||||
|
@ -279,9 +279,10 @@ public class PluginsService extends AbstractComponent {
|
||||||
}
|
}
|
||||||
|
|
||||||
static List<Bundle> getPluginBundles(Environment environment) throws IOException {
|
static List<Bundle> getPluginBundles(Environment environment) throws IOException {
|
||||||
ESLogger logger = Loggers.getLogger(Bootstrap.class);
|
ESLogger logger = Loggers.getLogger(PluginsService.class);
|
||||||
|
|
||||||
Path pluginsDirectory = environment.pluginsFile();
|
Path pluginsDirectory = environment.pluginsFile();
|
||||||
|
// TODO: remove this leniency, but tests bogusly rely on it
|
||||||
if (!isAccessibleDirectory(pluginsDirectory, logger)) {
|
if (!isAccessibleDirectory(pluginsDirectory, logger)) {
|
||||||
return Collections.emptyList();
|
return Collections.emptyList();
|
||||||
}
|
}
|
||||||
|
|
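Review bot: The early return in `getPluginBundles` still turns a plugins directory that fails `isAccessibleDirectory` into an empty bundle list, so a permissions problem on the plugins path presumably starts the node with no plugins instead of raising the startup error this commit improves elsewhere. That matters when a plugin provides a control the deployment depends on. The new TODO acknowledges the leniency but does not say what it costs; I would spell it out, e.g. `// TODO: remove this leniency, but tests bogusly rely on it (an inaccessible plugins dir loads zero plugins instead of failing startup)`. What `isAccessibleDirectory` logs is not visible here, so whether an operator gets any warning cannot be judged from this hunk; the method body continues outside it.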
|
@ -101,7 +101,7 @@ public class BootstrapForTesting {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// java.io.tmpdir
|
// java.io.tmpdir
|
||||||
Security.addPath(perms, javaTmpDir, "read,readlink,write,delete");
|
Security.addPath(perms, "java.io.tmpdir", javaTmpDir, "read,readlink,write,delete");
|
||||||
// custom test config file
|
// custom test config file
|
||||||
if (Strings.hasLength(System.getProperty("tests.config"))) {
|
if (Strings.hasLength(System.getProperty("tests.config"))) {
|
||||||
perms.add(new FilePermission(System.getProperty("tests.config"), "read,readlink"));
|
perms.add(new FilePermission(System.getProperty("tests.config"), "read,readlink"));
|
||||||
|
|
|
@ -244,7 +244,7 @@ public class SecurityTests extends ESTestCase {
|
||||||
assumeNoException("test cannot create symbolic links with security manager enabled", e);
|
assumeNoException("test cannot create symbolic links with security manager enabled", e);
|
||||||
}
|
}
|
||||||
Permissions permissions = new Permissions();
|
Permissions permissions = new Permissions();
|
||||||
Security.addPath(permissions, link, "read");
|
Security.addPath(permissions, "testing", link, "read");
|
||||||
assertExactPermissions(new FilePermission(link.toString(), "read"), permissions);
|
assertExactPermissions(new FilePermission(link.toString(), "read"), permissions);
|
||||||
assertExactPermissions(new FilePermission(link.resolve("foo").toString(), "read"), permissions);
|
assertExactPermissions(new FilePermission(link.resolve("foo").toString(), "read"), permissions);
|
||||||
assertExactPermissions(new FilePermission(target.toString(), "read"), permissions);
|
assertExactPermissions(new FilePermission(target.toString(), "read"), permissions);
|
||||||
|
|