-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VirtualMethod does unprivileged reflection access #12304
Comments
Hi, VirtualMethod is stone-aged class which was recently introduced again to handle the rewrite(IndexReader) vs rewrite(IndexSearcher) backwards compatibility. Yes it may miss doPrivileged(). In fact the missing permission is granted by Opensearch (it's needed for other cases), but the doPrivileged is missing. Nowadays I would implement this differently. Maybe fix it without permissions using lookups? This is new in 9.7, the recently released 9.6 does not use this. If I provide a PR for 9.x can you test my "better fix"? I am not 100% sure it can be fixed without permissions, but give me a try. |
Thanks @uschindler , sure, happy to assist with testing |
Thanks for finding the issue so early (before a release). Backport #12197 uses VirtualMethod class for the first time since.... Very long time. It was heavily used at Lucene 3 and 4 times. But back at that time we did not care about security manager. |
Hi, So we need to use doPrivileged. But here the important limitation: It is NOT the responsibility of VirtualMethod to use AccessController, it must be done by the caller. In the current case here it is not an issue as both are in same module, but for example use of VirtualMethod in another module would break if VirtualMethod does the doPrivileged. So the caller (here oal.search.Query) has to do it. I will provide a PR. |
See this PR: #12308 Actually to reduce impact of this more we could add an if statement in the Query constructor to not do the override/distance check for Lucene's own classes (as we have all ported to use new API). The problem only affects external classes (and the corresponding Test). We could add a |
@reta thank you for the early testing and finding this bug! Definitely my fault 🤦 |
Not a problem at all, thanks for quick fix folks! |
@benwtrent I don't think it is your fault. The documentation did not even suggest to use AccessController. |
Description
In OpenSearch, we've updated to the recent Apache Lucene 9.7 snapshots and got an number of tests failing with
java.security.AccessControlException
. The culprit isorg.apache.lucene.util.VirtualMethod
class that does a number of unprivileged calls to Reflection APIs without usingAccessController.doPrivileged
, a sample stack trace is below:I surely know that
SecurityManager
& co are deprecated but Apache Lucene / OpenSearch / Elasticsearch are still relying on it for the time being.@uschindler @jpountz the fix is simple (happy to take it and submit a pull request) if there are no objections to make this change in general, cc @nknize
Sample failing tests:
Version and environment details
Latest 9.7.0 snapshots (built of
branch_9x
)The text was updated successfully, but these errors were encountered: