ScriptDocValues getDate() on long field triggers AccessControlException #28408
Assignees
Labels
Comments
rjernst
added
>bug
:Core/Infra/Scripting
|
cc @nik9000 |
|
Eep. This is a pretty terrible bug. I'll take a look at it soon-ish. There are 5 or 6 things ahead of it in my TODO list but I'll see about bumping it up. |
|
I had a look at this. I can't reproduce it, but from the stacktrace in the discuss post it looks like this isn't an "all the time" thing. It looks like this is triggered when log4j goes digging around in the filesystem which it doesn't do all the time. I'm going to open a PR that goes under the assumption that this is caused by that. |
|
OK. I can reproduce "something" happening locally. If I leave the code as is it can break file rolling. But instead of failing the request the line fails to log. I can fix that with the fix that, I think, should fix this issue. |
nik9000
added a commit
to nik9000/elasticsearch
that referenced
this issue
Feb 1, 2018
If you call `getDates()` on a long or date type field add a deprecation warning to the response and log something to the deprecation logger. This *mostly* worked just fine but if the deprecation logger happens to roll then the roll will be performed with the script's permissions rather than the permissions of the server. And scripts don't have permissions to, say, open files. So the rolling failed. This fixes that by wrapping the call the deprecation logger in `doPriviledged`. This is a strange `doPrivileged` call because it doens't check Elasticsearch's `SpecialPermission`. `SpecialPermission` is a permission that no-script code has and that scripts never have. Usually all `doPrivileged` calls check `SpecialPermission` to make sure that they are not accidentally acting on behalf of a script. But in this case we are *intentionally* acting on behalf of a script. Closes elastic#28408
nik9000
added a commit
that referenced
this issue
Feb 3, 2018
If you call `getDates()` on a long or date type field add a deprecation warning to the response and log something to the deprecation logger. This *mostly* worked just fine but if the deprecation logger happens to roll then the roll will be performed with the script's permissions rather than the permissions of the server. And scripts don't have permissions to, say, open files. So the rolling failed. This fixes that by wrapping the call the deprecation logger in `doPriviledged`. This is a strange `doPrivileged` call because it doens't check Elasticsearch's `SpecialPermission`. `SpecialPermission` is a permission that no-script code has and that scripts never have. Usually all `doPrivileged` calls check `SpecialPermission` to make sure that they are not accidentally acting on behalf of a script. But in this case we are *intentionally* acting on behalf of a script. Closes #28408
nik9000
added a commit
that referenced
this issue
Feb 4, 2018
If you call `getDates()` on a long or date type field add a deprecation warning to the response and log something to the deprecation logger. This *mostly* worked just fine but if the deprecation logger happens to roll then the roll will be performed with the script's permissions rather than the permissions of the server. And scripts don't have permissions to, say, open files. So the rolling failed. This fixes that by wrapping the call the deprecation logger in `doPriviledged`. This is a strange `doPrivileged` call because it doens't check Elasticsearch's `SpecialPermission`. `SpecialPermission` is a permission that no-script code has and that scripts never have. Usually all `doPrivileged` calls check `SpecialPermission` to make sure that they are not accidentally acting on behalf of a script. But in this case we are *intentionally* acting on behalf of a script. Closes #28408
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In #22948 we added a deprecation warning when using
.dateon a long field. However, since scripts run in a reduced permission environment, the underlying call to log the message results in a security manager exception. We need to do this in a doPrivileged block.See https://discuss.elastic.co/t/painless-script-appender-deprecation-rolling-java-security-accesscontaccess-denied/117313
The text was updated successfully, but these errors were encountered: