From f70188ac580f33f5c078f5ed70f4ef2bfc2db937 Mon Sep 17 00:00:00 2001 From: Tim Brooks Date: Fri, 3 Feb 2017 09:39:56 -0600 Subject: [PATCH] Remove connect SocketPermissions from core (#22797) This is related to #22116. Core no longer needs `SocketPermission` `connect`. This permission is relegated to these modules/plugins: - transport-netty4 module - reindex module - repository-url module - discovery-azure-classic plugin - discovery-ec2 plugin - discovery-gce plugin - repository-azure plugin - repository-gcs plugin - repository-hdfs plugin - repository-s3 plugin And for tests: - mocksocket jar - rest client - httpcore-nio jar - httpasyncclient jar --- buildSrc/version.properties | 6 +++++ client/rest/build.gradle | 2 +- .../elasticsearch/bootstrap/security.policy | 4 ++-- .../bootstrap/test-framework.policy | 20 ++++++++++++++-- .../plugin-metadata/plugin-security.policy | 23 +++++++++++++++++++ .../blobstore/url/URLBlobContainer.java | 13 ++++++++++- .../plugin-metadata/plugin-security.policy | 22 ++++++++++++++++++ .../plugin-metadata/plugin-security.policy | 4 ++-- .../plugin-metadata/plugin-security.policy | 23 +++++++++++++++++++ .../plugin-metadata/plugin-security.policy | 3 +++ .../plugin-metadata/plugin-security.policy | 3 +++ .../plugin-metadata/plugin-security.policy | 23 +++++++++++++++++++ .../plugin-metadata/plugin-security.policy | 3 +++ .../repositories/hdfs/HdfsBlobContainer.java | 3 --- .../plugin-metadata/plugin-security.policy | 3 +++ .../plugin-metadata/plugin-security.policy | 3 +++ 16 files changed, 147 insertions(+), 11 deletions(-) create mode 100644 modules/reindex/src/main/plugin-metadata/plugin-security.policy create mode 100644 modules/repository-url/src/main/plugin-metadata/plugin-security.policy create mode 100644 plugins/discovery-azure-classic/src/main/plugin-metadata/plugin-security.policy create mode 100644 plugins/repository-azure/src/main/plugin-metadata/plugin-security.policy 
diff --git a/buildSrc/version.properties b/buildSrc/version.properties index 4ea3cf920bb45..ddbf87c4a71fe 100644 --- a/buildSrc/version.properties +++ b/buildSrc/version.properties @@ -1,3 +1,4 @@ +# When updating elasticsearch, please update 'rest' version in core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy elasticsearch = 6.0.0-alpha1 lucene = 6.4.0 @@ -15,11 +16,16 @@ jna = 4.2.2 randomizedrunner = 2.4.0 junit = 4.11 httpclient = 4.5.2 +# When updating httpcore, please also update core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy httpcore = 4.4.5 +# When updating httpasyncclient, please also update core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy +httpasyncclient = 4.1.2 commonslogging = 1.1.3 commonscodec = 1.10 hamcrest = 1.3 securemock = 1.2 +# When updating mocksocket, please also update core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy mocksocket = 1.1 + # benchmark dependencies jmh = 1.17.3 diff --git a/client/rest/build.gradle b/client/rest/build.gradle index 67f8426fb5faa..d5d9c9cfbb5f1 100644 --- a/client/rest/build.gradle +++ b/client/rest/build.gradle @@ -33,7 +33,7 @@ group = 'org.elasticsearch.client' dependencies { compile "org.apache.httpcomponents:httpclient:${versions.httpclient}" compile "org.apache.httpcomponents:httpcore:${versions.httpcore}" - compile "org.apache.httpcomponents:httpasyncclient:4.1.2" + compile "org.apache.httpcomponents:httpasyncclient:${versions.httpasyncclient}" compile "org.apache.httpcomponents:httpcore-nio:${versions.httpcore}" compile "commons-codec:commons-codec:${versions.commonscodec}" compile "commons-logging:commons-logging:${versions.commonslogging}" diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/security.policy b/core/src/main/resources/org/elasticsearch/bootstrap/security.policy index 2b88253532aef..e93b1af8cc71d 100644 --- a/core/src/main/resources/org/elasticsearch/bootstrap/security.policy 
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -55,8 +55,8 @@ grant { // third party code, to safeguard these against unprivileged code like scripts. permission org.elasticsearch.SpecialPermission; - // Allow connecting to the internet anywhere - permission java.net.SocketPermission "*", "connect,resolve"; + // Allow host/ip name service lookups + permission java.net.SocketPermission "*", "resolve"; // Allow read access to all system properties permission java.util.PropertyPermission "*", "read"; diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy index dbbbac05f1174..ad43609d1c870 100644 --- a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy +++ b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy @@ -64,6 +64,22 @@ grant codeBase "${codebase.junit-4.11.jar}" { }; grant codeBase "${codebase.mocksocket-1.1.jar}" { - // mocksocket accepts socket connections - permission java.net.SocketPermission "*", "accept"; + // mocksocket makes and accepts socket connections + permission java.net.SocketPermission "*", "accept,connect"; +}; + + +grant codeBase "${codebase.rest-6.0.0-alpha1-SNAPSHOT.jar}" { + // rest makes socket connections for rest tests + permission java.net.SocketPermission "*", "connect"; +}; + +grant codeBase "${codebase.httpcore-nio-4.4.5.jar}" { + // httpcore makes socket connections for rest tests + permission java.net.SocketPermission "*", "connect"; +}; + +grant codeBase "${codebase.httpasyncclient-4.1.2.jar}" { + // httpasyncclient makes socket connections for rest tests + permission java.net.SocketPermission "*", "connect"; }; diff --git a/modules/reindex/src/main/plugin-metadata/plugin-security.policy b/modules/reindex/src/main/plugin-metadata/plugin-security.policy new file mode 100644 index 0000000000000..f9ce0f894d3c9 --- /dev/null 
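Review bot: The three new `grant codeBase` entries in test-framework.policy key on exact jar names (`rest-6.0.0-alpha1-SNAPSHOT.jar`, `httpcore-nio-4.4.5.jar`, `httpasyncclient-4.1.2.jar`), so a version bump that misses this file would presumably leave the grant unmatched and the rest tests would lose `connect`. The only guard is the set of reminder comments this commit adds to buildSrc/version.properties, and a build-time check that every `${codebase.*}` key resolves would be sturdier. The comment on the httpcore-nio grant also names a different artifact; `// httpcore-nio makes socket connections for rest tests` would match its codeBase.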
+++ b/modules/reindex/src/main/plugin-metadata/plugin-security.policy @@ -0,0 +1,23 @@ +/* + * Licensed to Elasticsearch under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +grant { + // reindex opens socket connections using the rest client + permission java.net.SocketPermission "*", "connect"; +}; diff --git a/modules/repository-url/src/main/java/org/elasticsearch/common/blobstore/url/URLBlobContainer.java b/modules/repository-url/src/main/java/org/elasticsearch/common/blobstore/url/URLBlobContainer.java index ede57d461a13d..bc7381f91c670 100644 --- a/modules/repository-url/src/main/java/org/elasticsearch/common/blobstore/url/URLBlobContainer.java +++ b/modules/repository-url/src/main/java/org/elasticsearch/common/blobstore/url/URLBlobContainer.java @@ -29,6 +29,9 @@ import java.io.InputStream; import java.net.URL; import java.nio.file.NoSuchFileException; +import java.security.AccessController; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.Map; /** 
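Review bot: This `grant` has no `codeBase` and uses host `"*"`, so every jar shipped in the reindex module may connect to any host and port, not only the rest client named in the comment. The transport-netty4 policy touched by this commit already carries per-jar blocks of the form `grant codeBase "${codebase.<jar-name>.jar}"`, and the same form would confine `connect` to the jars on the connect path. The same module-wide wildcard grant is added in the repository-url, transport-netty4, discovery-azure-classic, discovery-ec2, discovery-gce, repository-azure, repository-gcs, repository-hdfs and repository-s3 policies. Because core loses `connect` in this commit, the grant presumably takes effect only where module code runs inside `AccessController.doPrivileged`; this diff shows such a wrapper only for URLBlobContainer, so the reindex call path is worth confirming.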
@@ -102,7 +105,7 @@ public boolean blobExists(String blobName) { @Override public InputStream readBlob(String name) throws IOException { try { - return new BufferedInputStream(new URL(path, name).openStream(), blobStore.bufferSizeInBytes()); + return new BufferedInputStream(getInputStream(new URL(path, name)), blobStore.bufferSizeInBytes()); } catch (FileNotFoundException fnfe) { throw new NoSuchFileException("[" + name + "] blob not found"); } @@ -113,4 +116,12 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize) t throw new UnsupportedOperationException("URL repository doesn't support this operation"); } + private static InputStream getInputStream(URL url) throws IOException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) url::openStream); + } catch (PrivilegedActionException e) { + throw (IOException) e.getCause(); + } + } + } diff --git a/modules/repository-url/src/main/plugin-metadata/plugin-security.policy b/modules/repository-url/src/main/plugin-metadata/plugin-security.policy new file mode 100644 index 0000000000000..b878c485755f9 --- /dev/null +++ b/modules/repository-url/src/main/plugin-metadata/plugin-security.policy 
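Review bot: `getInputStream` opens whatever URL it is handed inside `doPrivileged`, and `readBlob` builds that URL with `new URL(path, name)`, where an absolute `name` replaces the base `path` entirely. Inside the privileged block only this module's `"*", "connect"` grant is consulted, so the helper should either verify that the resolved URL keeps the protocol and host of `path` before the privileged call, or state the contract in a comment such as `/** Opens the stream with this module's socket permission; pass only URLs resolved under the repository path. */`. Whether blob names are validated upstream is not visible here, and `readBlob` closes outside its hunk. The cast `(IOException) e.getCause()` relies on `openStream` declaring only `IOException`; a one-line comment saying so would help the next reader.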
@@ -0,0 +1,22 @@ +/* + * Licensed to Elasticsearch under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +grant { + permission java.net.SocketPermission "*", "connect"; +}; diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy index 1118675817c51..11c564cc383ec 100644 --- a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy +++ b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy @@ -18,8 +18,8 @@ */ grant { - // netty accepts socket connections - permission java.net.SocketPermission "*", "accept"; + // netty makes and accepts socket connections + permission java.net.SocketPermission "*", "accept,connect"; }; grant codeBase "${codebase.netty-common-4.1.7.Final.jar}" { diff --git a/plugins/discovery-azure-classic/src/main/plugin-metadata/plugin-security.policy b/plugins/discovery-azure-classic/src/main/plugin-metadata/plugin-security.policy new file mode 100644 index 0000000000000..4407898ece402 --- /dev/null +++ b/plugins/discovery-azure-classic/src/main/plugin-metadata/plugin-security.policy 
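Review bot: The repository-url policy is the only policy file added in this commit whose `grant` carries no comment saying why `connect` is needed. A line such as `// url repository opens socket connections to read blobs` above the permission would match the other new policies and tell a later auditor which code path depends on the grant.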
@@ -0,0 +1,23 @@ +/* + * Licensed to Elasticsearch under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +grant { + // azure client opens socket connections for discovery + permission java.net.SocketPermission "*", "connect"; +}; diff --git a/plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy b/plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy index d5c92a9d67b79..8f0278de3923c 100644 --- a/plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy +++ b/plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy @@ -24,4 +24,7 @@ grant { // NOTE: no tests fail without this, but we know the problem // exists in AWS sdk, and tests here are not thorough permission java.lang.RuntimePermission "getClassLoader"; + + // ec2 client opens socket connections for discovery + permission java.net.SocketPermission "*", "connect"; }; diff --git a/plugins/discovery-gce/src/main/plugin-metadata/plugin-security.policy b/plugins/discovery-gce/src/main/plugin-metadata/plugin-security.policy index 1463f5d1119eb..f47803cebb09e 100644 --- a/plugins/discovery-gce/src/main/plugin-metadata/plugin-security.policy +++ b/plugins/discovery-gce/src/main/plugin-metadata/plugin-security.policy 
@@ -22,4 +22,7 @@ grant { permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "setFactory"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + + // gce client opens socket connections for discovery + permission java.net.SocketPermission "*", "connect"; }; diff --git a/plugins/repository-azure/src/main/plugin-metadata/plugin-security.policy b/plugins/repository-azure/src/main/plugin-metadata/plugin-security.policy new file mode 100644 index 0000000000000..19a35f8405903 --- /dev/null +++ b/plugins/repository-azure/src/main/plugin-metadata/plugin-security.policy @@ -0,0 +1,23 @@ +/* + * Licensed to Elasticsearch under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +grant { + // azure client opens socket connections for to access repository + permission java.net.SocketPermission "*", "connect"; +}; diff --git a/plugins/repository-gcs/src/main/plugin-metadata/plugin-security.policy b/plugins/repository-gcs/src/main/plugin-metadata/plugin-security.policy index bc7acd6060275..ce9b0334638a0 100644 --- a/plugins/repository-gcs/src/main/plugin-metadata/plugin-security.policy +++ b/plugins/repository-gcs/src/main/plugin-metadata/plugin-security.policy 
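Review bot: The comment in the new repository-azure policy reads `azure client opens socket connections for to access repository`; the stray `for` should go, giving `// azure client opens socket connections to access the repository`. The same wording is copied into the repository-gcs, repository-hdfs and repository-s3 policy hunks later in this patch.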
@@ -23,4 +23,7 @@ grant { permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; permission java.net.URLPermission "http://www.googleapis.com/*", "*"; permission java.net.URLPermission "https://www.googleapis.com/*", "*"; + + // gcs client opens socket connections for to access repository + permission java.net.SocketPermission "*", "connect"; }; diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobContainer.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobContainer.java index e64ab5c4d910f..4649cf858d254 100644 --- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobContainer.java +++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobContainer.java @@ -19,12 +19,10 @@ package org.elasticsearch.repositories.hdfs; import org.apache.hadoop.fs.CreateFlag; -import org.apache.hadoop.fs.FSDataInputStream; import org.apache.hadoop.fs.FSDataOutputStream; import org.apache.hadoop.fs.FileStatus; import org.apache.hadoop.fs.Options.CreateOpts; import org.apache.hadoop.fs.Path; -import org.apache.lucene.util.IOUtils; import org.elasticsearch.common.Nullable; import org.elasticsearch.common.blobstore.BlobMetaData; import org.elasticsearch.common.blobstore.BlobPath; @@ -32,7 +30,6 @@ import org.elasticsearch.common.blobstore.support.PlainBlobMetaData; import org.elasticsearch.repositories.hdfs.HdfsBlobStore.Operation; -import java.io.BufferedInputStream; import java.io.FilterInputStream; import java.io.IOException; import java.io.InputStream; diff --git a/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy b/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy index 85447245c96f2..b800f3eee46ca 100644 --- a/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy +++ b/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy 
@@ -35,4 +35,7 @@ grant { permission javax.security.auth.AuthPermission "getSubject"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrivateCredentials"; + + // hdfs client opens socket connections for to access repository + permission java.net.SocketPermission "*", "connect"; }; diff --git a/plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy b/plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy index 1f09cada2e5d8..d8fca1fc89938 100644 --- a/plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy +++ b/plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy @@ -34,4 +34,7 @@ grant { // TODO: get these fixed in aws sdk // See https://github.com/aws/aws-sdk-java/issues/766 permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + + // s3 client opens socket connections for to access repository + permission java.net.SocketPermission "*", "connect"; };