[BUG] Adding Permission in plugin-security.policy has no effect #9511

Closed
DevJhaAbhishek opened this issue Aug 23, 2023 · 5 comments
Labels
bug Something isn't working untriaged

Comments

@DevJhaAbhishek

Describe the bug
Added a permission in plugin-security.policy, but after installing the plugin and while running OpenSearch, I am getting access denied.

Added the following permission in the plugin-security.policy file in the telemetry-otel plugin:
permission java.util.PropertyPermission "*", "read,write"

While running OpenSearch (after installing the plugin), I get the following error:

org.opensearch.bootstrap.StartupException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:184) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]

Adding the same permission in org/opensearch/bootstrap/security.policy, or hard-coding the policy file path in the JVM options like -Djava.security.policy=file:///path, seems to work (as expected).

Similar behaviour occurs for other permissions as well.

Expected behavior
Permissions should automatically be picked up from the plugin-security.policy file.

Plugins
telemetry-otel

Additional context
Complete Log:

./opensearch-plugin install -b -v file:/Users/abiskjha/workspace/Opensearch/OpenSearch/plugins/telemetry-otel/build/distributions/telemetry-otel-3.0.0-SNAPSHOT.zip 

-> Installing file:/Users/abiskjha/workspace/Opensearch/OpenSearch/plugins/telemetry-otel/build/distributions/telemetry-otel-3.0.0-SNAPSHOT.zip
-> Downloading file:/Users/abiskjha/workspace/Opensearch/OpenSearch/plugins/telemetry-otel/build/distributions/telemetry-otel-3.0.0-SNAPSHOT.zip
Retrieving zip from file:/Users/abiskjha/workspace/Opensearch/OpenSearch/plugins/telemetry-otel/build/distributions/telemetry-otel-3.0.0-SNAPSHOT.zip
- Plugin information:
Name: telemetry-otel
Description: Opentelemetry based telemetry implementation.
Version: 3.0.0-SNAPSHOT
OpenSearch Version: 3.0.0
Java Version: 11
Native Controller: false
Extended Plugins: []
 * Classname: org.opensearch.telemetry.OTelTelemetryPlugin
Folder name: 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessClassInPackage.sun.misc
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission shutdownHooks
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.net.NetPermission getProxySelector
* java.net.SocketPermission * connect,resolve
* java.util.PropertyPermission * read,write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
-> Installed telemetry-otel with folder name telemetry-otel

./opensearch
[2023-08-23T20:00:42,148][INFO ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] version[3.0.0-SNAPSHOT], pid[71873], build[tar/563e3ad9f47c2447fcf5385f99ced428c3ce6a32/2023-08-21T13:18:13.271308Z], OS[Mac OS X/13.3.1/x86_64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/11.0.20/11.0.20+8]
[2023-08-23T20:00:42,152][INFO ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] JVM home [/Library/Java/JavaVirtualMachines/jdk-11.0.20+8/Contents/Home], using bundled JDK/JRE [false]
[2023-08-23T20:00:42,152][INFO ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/var/folders/2q/5p_zrsdj1h94rps5_2tqszzr0000gr/T/opensearch-5527867092778323220, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dopensearch.experimental.feature.telemetry.enabled=true, -XX:MaxDirectMemorySize=536870912, -Dopensearch.path.home=/Users/abiskjha/workspace/Opensearch/OpenSearch/distribution/archives/linux-tar/build/install/opensearch-3.0.0-SNAPSHOT, -Dopensearch.path.conf=/Users/abiskjha/workspace/Opensearch/OpenSearch/distribution/archives/linux-tar/build/install/opensearch-3.0.0-SNAPSHOT/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2023-08-23T20:00:42,152][WARN ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] version [3.0.0-SNAPSHOT] is a pre-release version of OpenSearch and is not suitable for production
[2023-08-23T20:00:43,053][INFO ][o.o.i.r.ReindexModulePlugin] [88665a378ca4.ant.amazon.com] ReindexPlugin reloadSPI called
[2023-08-23T20:00:43,055][INFO ][o.o.i.r.ReindexModulePlugin] [88665a378ca4.ant.amazon.com] Unable to find any implementation for RemoteReindexExtension
[2023-08-23T20:00:43,065][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [aggs-matrix-stats]
[2023-08-23T20:00:43,065][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [analysis-common]
[2023-08-23T20:00:43,065][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [geo]
[2023-08-23T20:00:43,065][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [ingest-common]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [ingest-geoip]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [ingest-user-agent]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [lang-expression]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [lang-mustache]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [lang-painless]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [mapper-extras]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [opensearch-dashboards]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [parent-join]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [percolator]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [rank-eval]
[2023-08-23T20:00:43,068][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [reindex]
[2023-08-23T20:00:43,068][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [repository-url]
[2023-08-23T20:00:43,068][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [search-pipeline-common]
[2023-08-23T20:00:43,069][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [systemd]
[2023-08-23T20:00:43,069][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [test-delayed-aggs]
[2023-08-23T20:00:43,069][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [transport-netty4]
[2023-08-23T20:00:43,070][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded plugin [telemetry-otel]
[2023-08-23T20:00:43,096][INFO ][o.o.e.ExtensionsManager  ] [88665a378ca4.ant.amazon.com] ExtensionsManager initialized
[2023-08-23T20:00:43,124][INFO ][o.o.e.NodeEnvironment    ] [88665a378ca4.ant.amazon.com] using [1] data paths, mounts [[/System/Volumes/Data (/dev/disk1s2)]], net usable_space [30.4gb], net total_space [465.6gb], types [apfs]
[2023-08-23T20:00:43,129][INFO ][o.o.e.NodeEnvironment    ] [88665a378ca4.ant.amazon.com] heap size [1gb], compressed ordinary object pointers [true]
[2023-08-23T20:00:43,260][INFO ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] node name [88665a378ca4.ant.amazon.com], node ID [LAUKXxY5STqf-9eB9X4OiQ], cluster name [opensearch], roles [ingest, remote_cluster_client, data, cluster_manager]
[2023-08-23T20:00:45,882][INFO ][o.o.t.t.e.OTelSpanExporterFactory] [88665a378ca4.ant.amazon.com] Successfully instantiated the SpanExporter class class io.opentelemetry.exporter.logging.LoggingSpanExporter
[2023-08-23T20:00:45,896][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [88665a378ca4.ant.amazon.com] uncaught exception in thread [main]
org.opensearch.bootstrap.StartupException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:184) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
        at java.security.AccessController.checkPermission(AccessController.java:897) ~[?:?]
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) ~[?:?]
        at java.lang.System.setProperty(System.java:907) ~[?:?]
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:81) ~[?:?]
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:54) ~[?:?]
        at org.opensearch.telemetry.OTelTelemetryPlugin.telemetry(OTelTelemetryPlugin.java:62) ~[?:?]
        at org.opensearch.telemetry.OTelTelemetryPlugin.getTelemetry(OTelTelemetryPlugin.java:53) ~[?:?]
        at org.opensearch.telemetry.TelemetryModule.<init>(TelemetryModule.java:28) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.node.Node.<init>(Node.java:730) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.node.Node.<init>(Node.java:390) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        ... 6 more
uncaught exception in thread [main]
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
        at java.base/java.lang.System.setProperty(System.java:907)
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:81)
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:54)
        at org.opensearch.telemetry.OTelTelemetryPlugin.telemetry(OTelTelemetryPlugin.java:62)
        at org.opensearch.telemetry.OTelTelemetryPlugin.getTelemetry(OTelTelemetryPlugin.java:53)
        at org.opensearch.telemetry.TelemetryModule.<init>(TelemetryModule.java:28)
        at org.opensearch.node.Node.<init>(Node.java:730)
        at org.opensearch.node.Node.<init>(Node.java:390)
        at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
        at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
        at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
        at org.opensearch.cli.Command.main(Command.java:101)
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
For complete error details, refer to the log at /Users/abiskjha/workspace/Opensearch/OpenSearch/distribution/archives/linux-tar/build/install/opensearch-3.0.0-SNAPSHOT/logs/opensearch.log
@DevJhaAbhishek DevJhaAbhishek added bug Something isn't working untriaged labels Aug 23, 2023
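
An added triage example, not part of the original thread and not OpenSearch code: under the Java access-control model a permission check passes only when every code source on the calling stack holds the permission, unless a privileged block ends the stack walk early, so a useful first step with a trace like the one above is to list which code sources sit beneath the failed check. The function names are hypothetical, the input is an excerpt of the trace in the report, and "?" means the logger recorded no jar for that frame.

```python
import re

# Excerpt of the "Caused by" section of the trace in the report above.
TRACE = '''Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
        at java.lang.System.setProperty(System.java:907) ~[?:?]
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:81) ~[?:?]
        at org.opensearch.telemetry.OTelTelemetryPlugin.telemetry(OTelTelemetryPlugin.java:62) ~[?:?]
        at org.opensearch.telemetry.TelemetryModule.<init>(TelemetryModule.java:28) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.node.Node.<init>(Node.java:730) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
'''

DENIAL = re.compile(r'access denied \("([^"]+)" "([^"]+)"(?: "([^"]+)")?\)')
FRAME = re.compile(r'^\s*at (\S+)\((\S+?):(\d+)\)(?: ~\[([^\]:]+):[^\]]*\])?')
JDK_PREFIXES = ("java.", "javax.", "jdk.", "sun.")


def parse_denial(trace):
    """Return the denied permission (type, name, actions) or None."""
    m = DENIAL.search(trace)
    if m is None:
        return None
    return {"type": m.group(1), "name": m.group(2), "actions": m.group(3)}


def frames(trace):
    """Return (method, line, source) per frame; source is the jar or '?'."""
    out = []
    for line in trace.splitlines():
        m = FRAME.match(line)
        if m:
            method = m.group(1).split("/")[-1]  # drop a "java.base/" module prefix
            out.append((method, int(m.group(3)), m.group(4) or "?"))
    return out


def triage(trace):
    """Denied permission, first non-JDK caller, and code sources under the check."""
    app = [f for f in frames(trace) if not f[0].startswith(JDK_PREFIXES)]
    sources = {}
    for method, _line, src in app:
        sources.setdefault(src, []).append(method)  # dict keeps first-seen order
    return {"denial": parse_denial(trace),
            "call_site": app[0] if app else None,
            "sources": sources}


if __name__ == "__main__":
    print(triage(TRACE))
```

For this trace the result shows frames from two code sources beneath the `System.setProperty` check: the plugin's own classes and the core `opensearch-3.0.0-SNAPSHOT.jar`.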
@DevJhaAbhishek
Author

@cwperks
Member

cwperks commented Aug 24, 2023

This may be a related issue seen on the security plugin: opensearch-project/security#3213

@willyborankin

@Gaganjuneja
Contributor

Try this - #9453 (comment)

@reta
Collaborator

reta commented Aug 24, 2023

@DevJhaAbhishek I am closing this one, the fix is provided here (#9453 (comment) as @Gaganjuneja pointed out)

@reta reta closed this as completed Aug 24, 2023
@DevJhaAbhishek
Author

Thanks for the suggestion. I have tried using this approach and it seems to be working.
