Merge pull request #10936 from rmuir/eight_point_three

simplify securitymanager init
This commit is contained in:
Robert Muir 2015-05-04 04:53:18 -07:00
commit f042b8f2e1
3 changed files with 80 additions and 85 deletions

View File

@ -19,16 +19,19 @@
package org.elasticsearch.bootstrap; package org.elasticsearch.bootstrap;
import com.google.common.io.ByteStreams;
import org.apache.lucene.util.IOUtils;
import org.apache.lucene.util.StringHelper; import org.apache.lucene.util.StringHelper;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import java.io.*; import java.io.*;
import java.nio.charset.StandardCharsets; import java.net.URI;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
/** /**
* Initializes securitymanager with necessary permissions. * Initializes securitymanager with necessary permissions.
@ -45,70 +48,74 @@ class Security {
* Initializes securitymanager for the environment * Initializes securitymanager for the environment
* Can only happen once! * Can only happen once!
*/ */
static void configure(Environment environment) throws IOException { static void configure(Environment environment) throws Exception {
// init lucene random seed. it will use /dev/urandom where available. // init lucene random seed. it will use /dev/urandom where available:
StringHelper.randomId(); StringHelper.randomId();
InputStream config = Security.class.getResourceAsStream(POLICY_RESOURCE);
if (config == null) { // enable security policy: union of template and environment-based paths.
throw new NoSuchFileException(POLICY_RESOURCE); URI template = Security.class.getResource(POLICY_RESOURCE).toURI();
} Policy.setPolicy(new ESPolicy(template, createPermissions(environment)));
Path newConfig = processTemplate(config, environment);
System.setProperty("java.security.policy", newConfig.toString()); // enable security manager
System.setSecurityManager(new SecurityManager()); System.setSecurityManager(new SecurityManager());
IOUtils.deleteFilesIgnoringExceptions(newConfig); // TODO: maybe log something if it fails?
// do some basic tests
selfTest();
} }
// package-private for testing /** returns dynamic Permissions to configured paths */
static Path processTemplate(InputStream template, Environment environment) throws IOException { static Permissions createPermissions(Environment environment) throws IOException {
Path processed = Files.createTempFile(null, null); // TODO: improve test infra so we can reduce permissions where read/write
try (OutputStream output = new BufferedOutputStream(Files.newOutputStream(processed))) { // is not really needed...
// copy the template as-is. Permissions policy = new Permissions();
try (InputStream in = new BufferedInputStream(template)) { addPath(policy, environment.homeFile(), "read,readlink,write,delete");
ByteStreams.copy(in, output); addPath(policy, environment.configFile(), "read,readlink,write,delete");
} addPath(policy, environment.logsFile(), "read,readlink,write,delete");
addPath(policy, environment.pluginsFile(), "read,readlink,write,delete");
// all policy files are UTF-8: for (Path path : environment.dataFiles()) {
// https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html addPath(policy, path, "read,readlink,write,delete");
try (Writer writer = new OutputStreamWriter(output, StandardCharsets.UTF_8)) {
writer.write(System.lineSeparator());
writer.write("grant {");
writer.write(System.lineSeparator());
// add permissions for all configured paths.
// TODO: improve test infra so we can reduce permissions where read/write
// is not really needed...
addPath(writer, environment.homeFile(), "read,readlink,write,delete");
addPath(writer, environment.configFile(), "read,readlink,write,delete");
addPath(writer, environment.logsFile(), "read,readlink,write,delete");
addPath(writer, environment.pluginsFile(), "read,readlink,write,delete");
for (Path path : environment.dataFiles()) {
addPath(writer, path, "read,readlink,write,delete");
}
for (Path path : environment.dataWithClusterFiles()) {
addPath(writer, path, "read,readlink,write,delete");
}
writer.write("};");
writer.write(System.lineSeparator());
}
} }
return processed; for (Path path : environment.dataWithClusterFiles()) {
addPath(policy, path, "read,readlink,write,delete");
}
return policy;
} }
static void addPath(Writer writer, Path path, String permissions) throws IOException { /** Add access to path (and all files underneath it */
static void addPath(Permissions policy, Path path, String permissions) throws IOException {
// paths may not exist yet // paths may not exist yet
Files.createDirectories(path); Files.createDirectories(path);
// add each path twice: once for itself, again for files underneath it // add each path twice: once for itself, again for files underneath it
writer.write("permission java.io.FilePermission \"" + encode(path) + "\", \"" + permissions + "\";"); policy.add(new FilePermission(path.toString(), permissions));
writer.write(System.lineSeparator()); policy.add(new FilePermission(path.toString() + path.getFileSystem().getSeparator() + "-", permissions));
writer.write("permission java.io.FilePermission \"" + encode(path) + "${/}-\", \"" + permissions + "\";");
writer.write(System.lineSeparator());
} }
// Any backslashes in paths must be escaped, because it is the escape character when parsing. /** Simple checks that everything is ok */
// See "Note Regarding File Path Specifications on Windows Systems". static void selfTest() {
// https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html // check we can manipulate temporary files
static String encode(Path path) { try {
return path.toString().replace("\\", "\\\\"); Files.delete(Files.createTempFile(null, null));
} catch (IOException ignored) {
// potentially virus scanner
} catch (SecurityException problem) {
throw new SecurityException("Security misconfiguration: cannot access java.io.tmpdir", problem);
}
}
/** custom policy for union of static and dynamic permissions */
static class ESPolicy extends Policy {
final Policy template;
final PermissionCollection dynamic;
ESPolicy(URI template, PermissionCollection dynamic) throws Exception {
this.template = Policy.getInstance("JavaPolicy", new URIParameter(template));
this.dynamic = dynamic;
}
@Override
public boolean implies(ProtectionDomain domain, Permission permission) {
return template.implies(domain, permission) || dynamic.implies(permission);
}
} }
} }

View File

@ -34,7 +34,7 @@ grant {
// project base directory // project base directory
permission java.io.FilePermission "${project.basedir}${/}target${/}-", "read"; permission java.io.FilePermission "${project.basedir}${/}target${/}-", "read";
// read permission for lib sigar // read permission for lib sigar
permission java.io.FilePermission "${project.basedir}${/}lib/sigar{/}-", "read"; permission java.io.FilePermission "${project.basedir}${/}lib${/}sigar${/}-", "read";
// mvn custom ./m2/repository for dependency jars // mvn custom ./m2/repository for dependency jars
permission java.io.FilePermission "${m2.repository}${/}-", "read"; permission java.io.FilePermission "${m2.repository}${/}-", "read";
@ -84,10 +84,6 @@ grant {
// needed for natives calls // needed for natives calls
permission java.lang.RuntimePermission "loadLibrary.*"; permission java.lang.RuntimePermission "loadLibrary.*";
// needed for testing access rules etc
permission java.lang.RuntimePermission "createSecurityManager";
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
// reflection hacks: // reflection hacks:
// needed for Striped64 (what is this doing), also enables unmap hack // needed for Striped64 (what is this doing), also enables unmap hack
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc"; permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";

View File

@ -24,12 +24,9 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import org.elasticsearch.test.ElasticsearchTestCase; import org.elasticsearch.test.ElasticsearchTestCase;
import java.io.ByteArrayInputStream;
import java.io.FilePermission; import java.io.FilePermission;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.Policy; import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.URIParameter;
public class SecurityTests extends ElasticsearchTestCase { public class SecurityTests extends ElasticsearchTestCase {
@ -43,16 +40,14 @@ public class SecurityTests extends ElasticsearchTestCase {
Settings settings = settingsBuilder.build(); Settings settings = settingsBuilder.build();
Environment environment = new Environment(settings); Environment environment = new Environment(settings);
Path policyFile = Security.processTemplate(new ByteArrayInputStream(new byte[0]), environment); Permissions permissions = Security.createPermissions(environment);
ProtectionDomain domain = getClass().getProtectionDomain();
Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));
// the fake es home // the fake es home
assertTrue(policy.implies(domain, new FilePermission(esHome.toString(), "read"))); assertTrue(permissions.implies(new FilePermission(esHome.toString(), "read")));
// its parent // its parent
assertFalse(policy.implies(domain, new FilePermission(path.toString(), "read"))); assertFalse(permissions.implies(new FilePermission(path.toString(), "read")));
// some other sibling // some other sibling
assertFalse(policy.implies(domain, new FilePermission(path.resolve("other").toString(), "read"))); assertFalse(permissions.implies(new FilePermission(path.resolve("other").toString(), "read")));
} }
/** test generated permissions for all configured paths */ /** test generated permissions for all configured paths */
@ -68,28 +63,25 @@ public class SecurityTests extends ElasticsearchTestCase {
Settings settings = settingsBuilder.build(); Settings settings = settingsBuilder.build();
Environment environment = new Environment(settings); Environment environment = new Environment(settings);
Path policyFile = Security.processTemplate(new ByteArrayInputStream(new byte[0]), environment); Permissions permissions = Security.createPermissions(environment);
ProtectionDomain domain = getClass().getProtectionDomain();
Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));
// check that all directories got permissions: // check that all directories got permissions:
// homefile: this is needed unless we break out rules for "lib" dir. // homefile: this is needed unless we break out rules for "lib" dir.
// TODO: make read-only // TODO: make read-only
assertTrue(policy.implies(domain, new FilePermission(environment.homeFile().toString(), "read,readlink,write,delete"))); assertTrue(permissions.implies(new FilePermission(environment.homeFile().toString(), "read,readlink,write,delete")));
// config file // config file
// TODO: make read-only // TODO: make read-only
assertTrue(policy.implies(domain, new FilePermission(environment.configFile().toString(), "read,readlink,write,delete"))); assertTrue(permissions.implies(new FilePermission(environment.configFile().toString(), "read,readlink,write,delete")));
// plugins: r/w, TODO: can this be minimized? // plugins: r/w, TODO: can this be minimized?
assertTrue(policy.implies(domain, new FilePermission(environment.pluginsFile().toString(), "read,readlink,write,delete"))); assertTrue(permissions.implies(new FilePermission(environment.pluginsFile().toString(), "read,readlink,write,delete")));
// data paths: r/w // data paths: r/w
for (Path dataPath : environment.dataFiles()) { for (Path dataPath : environment.dataFiles()) {
assertTrue(policy.implies(domain, new FilePermission(dataPath.toString(), "read,readlink,write,delete"))); assertTrue(permissions.implies(new FilePermission(dataPath.toString(), "read,readlink,write,delete")));
} }
for (Path dataPath : environment.dataWithClusterFiles()) { for (Path dataPath : environment.dataWithClusterFiles()) {
assertTrue(policy.implies(domain, new FilePermission(dataPath.toString(), "read,readlink,write,delete"))); assertTrue(permissions.implies(new FilePermission(dataPath.toString(), "read,readlink,write,delete")));
} }
// logs: r/w // logs: r/w
assertTrue(policy.implies(domain, new FilePermission(environment.logsFile().toString(), "read,readlink,write,delete"))); assertTrue(permissions.implies(new FilePermission(environment.logsFile().toString(), "read,readlink,write,delete")));
} }
} }