Security Plugin cannot startup due to AccessControlException: access denied #3317
Conversation
reta
requested review from
cliu123,
cwperks,
DarshitChanpura,
davidlago,
peternied,
RyanL1997,
stephen-crawford and
willyborankin
as code owners
Codecov Report
@@ Coverage Diff @@
## main #3317 +/- ##
=========================================
Coverage 63.24% 63.25%
+ Complexity 3450 3449 -1
=========================================
Files 263 263
Lines 20040 20036 -4
Branches 3344 3343 -1
=========================================
- Hits 12674 12673 -1
+ Misses 5739 5736 -3
Partials 1627 1627
|
|
@reta we had more settings: add @cwperks aded this fix: #3289. So all of them need to be added to the the SDK now? If yes this is a partial fix :-( |
It seems like this one have to go to core :( I am still looking hence this pull request is in draft state |
ehhh "read,write" :-( |
|
@peternied, @cwperks and @reta I think this solution is ok for 2.10 but is not good in the future. Core should not provide such permissions, more important all plugin could add additional permissions. |
|
@reta im wrong we have such login in the policy. |
| @@ -331,16 +331,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath) | |||
| sm.checkPermission(new SpecialPermission()); | |||
| } | |||
|
|
|||
| AccessController.doPrivileged(new PrivilegedAction<Object>() { | |||
There was a problem hiding this comment.
@peternied @cwperks any reasons we need to explicitly add BouncyCastleProvider?
There was a problem hiding this comment.
Ahhh it is historical. It was added this way.
There was a problem hiding this comment.
From the javadoc for java.security.Security it is safe to call addProvider multiple times: https://docs.oracle.com/javase%2F7%2Fdocs%2Fapi%2F%2F/java/security/Security.html#addProvider(java.security.Provider)
the preference position in which the provider was added, or -1 if the provider was not added because it is already installed.
@willyborankin the ${codebase} placeholder is resolved relatively to plugin: |
got it |
@willyborankin you are right that the permissions added in that PR would also need to be added to core since the dependency is now coming from core. I have a PR in core to add the existing bouncy castle permissions that the security plugin has into core opensearch-project/OpenSearch#9770 (Option 2 from this PR's description) I am trying to figure out now the reasons why the security plugin calls on |
We definitely need to add the BC provider, but since it is in core now, it should be done by core, that would also solve any issues with other plugins trying to add/remove BC. |
…denied Signed-off-by: Andriy Redko <[email protected]>
|
@reta From the javadoc for
|
@cwperks The problem is not how many times, the problem is who adds it first because that would impact the security policy to be taken into account (related to #3213 (comment)), and again - you need to grant the permissions to the plugin |
If you set any security provider this way it means that in the list of sec providers JDK knows about it is in the first place.So you lets say can create a cipher this way: Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding");otherwise you need add a provider name: Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding", BouncyCastleProvider.PROVIDER_NAME)We can change it but it is not so fast as you could think. |
|
Closing in favor of opensearch-project/OpenSearch#9779 |
Description
Fixing AccessControlException after opensearch-project/OpenSearch#9289, we have 2 options here:
bcprovmoved to core, it will be loaded by core, the plugin should not try to enforce itIssues Resolved
Closes #3309
Is this a backport? If so, please add backport PR # and/or commits #
Testing
Covered by existing tests
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.