diff --git a/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java b/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java index ad19638861555..2d63f26ef1793 100644 --- a/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java +++ b/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java @@ -256,6 +256,7 @@ void assertIllegalPermissions(List illegalPermissions, PolicyParser pars "javax.management.MBeanPermission * setAttribute", "javax.management.MBeanPermission * unregisterMBean", "javax.management.MBeanServerPermission *", + "javax.management.MBeanTrustPermission register", "javax.security.auth.AuthPermission doAs", "javax.security.auth.AuthPermission doAsPrivileged", "javax.security.auth.AuthPermission getSubject", diff --git a/server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java b/server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java index ed915fa55d6f5..9cdf1ad261eb6 100644 --- a/server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java +++ b/server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java @@ -52,6 +52,7 @@ import javax.management.MBeanPermission; import javax.management.MBeanServerPermission; +import javax.management.MBeanTrustPermission; import javax.management.ObjectName; import javax.security.auth.AuthPermission; import javax.security.auth.PrivateCredentialPermission; @@ -139,7 +140,8 @@ public boolean test(Permission permission) { "addNotificationListener,getAttribute,getDomains,getMBeanInfo,getObjectInstance,instantiate,invoke," + "isInstanceOf,queryMBeans,queryNames,registerMBean,removeNotificationListener,setAttribute,unregisterMBean" ), - new MBeanServerPermission("*") + new MBeanServerPermission("*"), + new MBeanTrustPermission("register") ); // While it would be ideal to represent all allowed permissions with concrete instances so that we can // use the builtin implies method to match them against the parsed policy, this does not work in all