AccessControlException after granting a SecurityPermission for networkaddress.cache.ttl

  • Elasticsearch 6.4.0, Search Guard 23.1

  • JVM 1.8 on CentOS 7.4

While adding a feature to our backend authentication module, I encountered initialisation errors for setProperty(networkaddress.cache.ttl) requiring the addition of the following to the plugin-security.properties file:

permission java.security.SecurityPermission "setProperty.networkaddress.cache.ttl";

However, this causes more problems - even before my module jar is loaded (and even if it’s removed):

[2018-11-07T16:01:08,664][INFO ][c.f.s.SearchGuardPlugin ] ES Config path is C:\dev\elastic\stack\elasticsearch-6.4.0\config
[2018-11-07T16:01:08,669][ERROR][o.e.b.Bootstrap ] Exception
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:607) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:549) ~[elasticsearch-6.4.0.jar:6.4.0]
at …
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_161]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:598) ~[elasticsearch-6.4.0.jar:6.4.0]
… 15 more
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "jdk.tls.rejectClientInitiatedRenegotiation" "write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_161]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_161]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_161]
at java.lang.System.setProperty(System.java:792) ~[?:1.8.0_161]
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin$3.run(SearchGuardSSLPlugin.java:149) ~[?:?]
at …

Adding that permission as well seems to have no effect.

permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";

The SSL plugin performs this tls setProperty inside a doPrivileged block (and presumably works without the ttl setProperty permission) so I don’t understand where the problem arises. Do I need a different construct in the plugin-security.properties file?

Thanks,

James

Can you please post your current effective plugin-security.policy file? And please also post the stacktrace of your initial problem with setProperty(networkaddress.cache.ttl).

If you are a customer you can also open an issue in Service Desk and share some code.


By default, write and read “java.util.PropertyPermission” for all properties are granted here: https://github.com/floragunncom/search-guard/blob/281621d36da4fee45e1c1ed9676667142d4c931f/plugin-security.policy#L25

So make sure you do not remove this line.
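An added example, not part of the thread and not Search Guard's code: it uses the JDK's own permission classes to check which of the two permissions discussed above a set of grant lines actually covers. System.setProperty is checked against a PropertyPermission with the "write" action (as in the stack trace), while java.security.Security.setProperty is checked against SecurityPermission "setProperty.<key>", so the wildcard property grant does not cover networkaddress.cache.ttl. The class name PolicyGrantCheck, the simplified line pattern and the sample grant lines are constructed for illustration.

```java
import java.security.Permission;
import java.security.Permissions;
import java.security.SecurityPermission;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PolicyGrantCheck {
    // Simplified form: permission <class> "<name>"[, "<actions>"];  (straight ASCII quotes only)
    private static final Pattern LINE = Pattern.compile(
        "^permission\\s+([\\w.]+)\\s+\"([^\"]+)\"(?:\\s*,\\s*\"([^\"]+)\")?\\s*;$");

    // Builds the granted set; lines this sketch cannot parse or model go to 'rejected'.
    static Permissions parse(String[] lines, List<String> rejected) {
        Permissions granted = new Permissions();
        for (String raw : lines) {
            String line = raw.trim();
            Matcher m = LINE.matcher(line);
            if (!m.matches()) { rejected.add(line); continue; }
            String cls = m.group(1), name = m.group(2), actions = m.group(3);
            if (cls.equals("java.util.PropertyPermission") && actions != null) {
                granted.add(new PropertyPermission(name, actions));
            } else if (cls.equals("java.security.SecurityPermission")) {
                granted.add(new SecurityPermission(name));
            } else {
                rejected.add(line); // permission class not modelled here
            }
        }
        return granted;
    }

    public static void main(String[] args) {
        // Constructed grant lines, not the contents of Search Guard's plugin-security.policy.
        String[] policy = {
            "permission java.util.PropertyPermission \"*\", \"read,write\";",
            "permission java.security.SecurityPermission \"setProperty.networkaddress.cache.ttl\";",
            "permission java.util.PropertyPermission \u201cfoo\u201d,\u201cwrite\u201d;" // typographic quotes
        };
        List<String> rejected = new ArrayList<>();
        Permissions granted = parse(policy, rejected);
        Permission[] needed = {
            new PropertyPermission("jdk.tls.rejectClientInitiatedRenegotiation", "write"),
            new SecurityPermission("setProperty.networkaddress.cache.ttl")
        };
        for (Permission p : needed)
            System.out.println((granted.implies(p) ? "granted " : "MISSING ") + p);
        rejected.forEach(l -> System.out.println("unparsed " + l));
    }
}
```

Deleting the first sample line turns the TLS property check into MISSING, which corresponds to the AccessControlException in the stack trace.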