Decentralize plugin security #14108
Closed
Decentralize plugin security #14108
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Not only it looks like an awesome feature, but also a nice cleanup of existing code (I went through the diff out of curiosity). Very cool. |
|
nice! |
| @@ -37,52 +37,6 @@ grant codeBase "${es.security.jar.lucene.core}" { | |||
| permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; | |||
| }; | |||
|
|
|||
| //// Special plugin permissions: | |||
There was a problem hiding this comment.
boom! nice once - that 46 lines of deletions is worth the change IMO already
|
this looks awesome! thanks for doing this! |
|
<3 |
rmuir
added
review
:Core/Infra/Plugins
… prevent user from answering unnecessary questions.
|
@s1monw I pushed changes to improve the docs. I also moved the check after 'plugin already exists' check, so that the user doesn't have to enter Y/N before that case. |
|
LGTM |
rmuir
added a commit
to rmuir/elasticsearch
that referenced
this pull request
Oct 15, 2015
* Add ability for plugins to declare additional permissions with a custom plugin-security.policy file and corresponding AccessController logic. See the plugin author's guide for more information. * Add warning messages to users for extra plugin permissions in bin/plugin. * When bin/plugin is run interactively (stdin is a controlling terminal and -b/--batch not supplied), require user confirmation. * Improve unit test and IDE support for plugins with additional permissions by exposing plugin's metadata as a maven test resource. Closes elastic#14108 Squashed commit of the following: commit cf8ace6 Author: Robert Muir <[email protected]> Date: Wed Oct 14 13:36:05 2015 -0400 fix new unit test from master merge commit 9be3c5a Merge: 2f168b8 7368231 Author: Robert Muir <[email protected]> Date: Wed Oct 14 12:58:31 2015 -0400 Merge branch 'master' into off_my_back commit 2f168b8 Author: Robert Muir <[email protected]> Date: Wed Oct 14 12:56:04 2015 -0400 improve plugin author documentation commit 6e6c2bf Author: Robert Muir <[email protected]> Date: Wed Oct 14 12:52:14 2015 -0400 move security confirmation after 'plugin already installed' check, to prevent user from answering unnecessary questions. commit 08233a2 Author: Robert Muir <[email protected]> Date: Wed Oct 14 05:36:42 2015 -0400 Add documentation and pluginmanager support commit 05dad86 Author: Robert Muir <[email protected]> Date: Wed Oct 14 02:22:24 2015 -0400 Decentralize plugin permissions (modulo docs and pluginmanager work) Conflicts: core/src/main/java/org/elasticsearch/bootstrap/Security.java core/src/main/resources/org/elasticsearch/bootstrap/security.policy
rmuir
added a commit
that referenced
this pull request
Oct 15, 2015
* Add ability for plugins to declare additional permissions with a custom plugin-security.policy file and corresponding AccessController logic. See the plugin author's guide for more information. * Add warning messages to users for extra plugin permissions in bin/plugin. * When bin/plugin is run interactively (stdin is a controlling terminal and -b/--batch not supplied), require user confirmation. * Improve unit test and IDE support for plugins with additional permissions by exposing plugin's metadata as a maven test resource. Closes #14108 Squashed commit of the following: commit cc3f7ec Author: Robert Muir <[email protected]> Date: Thu Oct 15 02:15:49 2015 -0400 java 7 fixes commit 626cf16 Author: Robert Muir <[email protected]> Date: Thu Oct 15 02:09:19 2015 -0400 Don't merge file back to discovery-ec2 commit a64471d Author: Robert Muir <[email protected]> Date: Wed Oct 14 14:46:45 2015 -0400 Decentralize plugin security * Add ability for plugins to declare additional permissions with a custom plugin-security.policy file and corresponding AccessController logic. See the plugin author's guide for more information. * Add warning messages to users for extra plugin permissions in bin/plugin. * When bin/plugin is run interactively (stdin is a controlling terminal and -b/--batch not supplied), require user confirmation. * Improve unit test and IDE support for plugins with additional permissions by exposing plugin's metadata as a maven test resource. Closes #14108 Squashed commit of the following: commit cf8ace6 Author: Robert Muir <[email protected]> Date: Wed Oct 14 13:36:05 2015 -0400 fix new unit test from master merge commit 9be3c5a Merge: 2f168b8 7368231 Author: Robert Muir <[email protected]> Date: Wed Oct 14 12:58:31 2015 -0400 Merge branch 'master' into off_my_back commit 2f168b8 Author: Robert Muir <[email protected]> Date: Wed Oct 14 12:56:04 2015 -0400 improve plugin author documentation commit 6e6c2bf Author: Robert Muir <[email protected]> Date: Wed Oct 14 12:52:14 2015 -0400 move security confirmation after 'plugin already installed' check, to prevent user from answering unnecessary questions. commit 08233a2 Author: Robert Muir <[email protected]> Date: Wed Oct 14 05:36:42 2015 -0400 Add documentation and pluginmanager support commit 05dad86 Author: Robert Muir <[email protected]> Date: Wed Oct 14 02:22:24 2015 -0400 Decentralize plugin permissions (modulo docs and pluginmanager work) Conflicts: core/src/main/java/org/elasticsearch/bootstrap/Security.java core/src/main/resources/org/elasticsearch/bootstrap/security.policy
|
Thats a great idea and i would love to see this as soon as possible released. I am working on a shield kerberos realm (nearly finished) and i had to disable security manager entirely cause all the Subject.doAsstuff is with current ES policy not allowed. Would also be nice to read krb5.conf directly from /etc/. |
|
I hoped for plugin security, thanks! Right now I have to disable security manager completely to get my groovy-based web app plugin things going https://github.com/jprante/elasticsearch-webapp |
|
Hi @salyh @jprante ... I have set the feature for 2.2 because it depends on a ton of other work that was done in the 2.2 codebase. I'm afraid this is about the soonest we can get this out unfortunately. Before releasing it I have in mind add some minor improvements to it (e.g. ability to use full policy syntax, possibly rename the configuration file to improve IDE/test support, etc). I am working on some of that at the moment. |
|
@rmuir Awesome stuff! Thanks for adding this in. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Today ES core defines all the rules for plugins and special exceptions by name. But this means if a plugin developer needs a similar thing (perhaps just a temporary hack or workaround: maybe in a third party dependency of theirs), it is not possible today, and the only solution is to disable securitymanager entirely.
This is bad for a few reasons:
This PR presents an alternative, more like the android model, where plugins can include an optional
plugin-security.policyfile, and users have to confirm the additional requested permissions on installation (if stdin is a controlling terminal, and there is also a new explicit-bbatch flag forbin/plugintoo just for completeness):I think its fairly safe, we protect plugins directories pretty well now (even unix filesystem permissions are improved recently). These permissions are only granted to the plugin, like today, which means this stuff is contained pretty well. Of course it forces plugin authors to write proper security code, but I think that is ok, versus it not being possible at all. I added recommendations and an example to the plugin authors documentation to try to help with this. Even in the worst case if a plugin author adds
AllPermissionand screws up all the security code completely, its still better than having no security checking at all for ANY code... That is the major motivation for me wanting to do this, I think it will make things better. It just took me until now to figure out how to make the IDEs work :)This change also allows tests to work from IDEs for such plugins without as many hacks as before, by configuring some special resources.