opensearch-project / OpenSearch

🔎 Open source distributed and RESTful search engine.
https://opensearch.org/docs/latest/opensearch/index/
Apache License 2.0

[BUG] Adding Permission in plugin-security.policy has no effect #9511

Closed DevJhaAbhishek closed 1 year ago

DevJhaAbhishek commented 1 year ago

Describe the bug

Added a permission in plugin-security.policy, but after installing the plugin and running OpenSearch I get access denied.

Added the following permission to the plugin-security.policy file of the telemetry-otel plugin:

permission java.util.PropertyPermission "*", "read,write";

While running OpenSearch (after installing the plugin), I get the following error:

org.opensearch.bootstrap.StartupException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:184) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]

Adding the same permission to org/opensearch/bootstrap/security.policy, or hard-coding the policy file path in the JVM options (e.g. -Djava.security.policy=file:///path), seems to work (as expected).

Similar behaviour is happening for other permissions as well.

Expected behavior

Permissions should automatically be picked up from the plugin-security.policy file.

Plugins

telemetry-otel

Additional context

Complete log:

./opensearch-plugin install -b -v file:/Users/abiskjha/workspace/Opensearch/OpenSearch/plugins/telemetry-otel/build/distributions/telemetry-otel-3.0.0-SNAPSHOT.zip 

-> Installing file:/Users/abiskjha/workspace/Opensearch/OpenSearch/plugins/telemetry-otel/build/distributions/telemetry-otel-3.0.0-SNAPSHOT.zip
-> Downloading file:/Users/abiskjha/workspace/Opensearch/OpenSearch/plugins/telemetry-otel/build/distributions/telemetry-otel-3.0.0-SNAPSHOT.zip
Retrieving zip from file:/Users/abiskjha/workspace/Opensearch/OpenSearch/plugins/telemetry-otel/build/distributions/telemetry-otel-3.0.0-SNAPSHOT.zip
- Plugin information:
Name: telemetry-otel
Description: Opentelemetry based telemetry implementation.
Version: 3.0.0-SNAPSHOT
OpenSearch Version: 3.0.0
Java Version: 11
Native Controller: false
Extended Plugins: []
 * Classname: org.opensearch.telemetry.OTelTelemetryPlugin
Folder name: 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessClassInPackage.sun.misc
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission shutdownHooks
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.net.NetPermission getProxySelector
* java.net.SocketPermission * connect,resolve
* java.util.PropertyPermission * read,write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
-> Installed telemetry-otel with folder name telemetry-otel

./opensearch
[2023-08-23T20:00:42,148][INFO ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] version[3.0.0-SNAPSHOT], pid[71873], build[tar/563e3ad9f47c2447fcf5385f99ced428c3ce6a32/2023-08-21T13:18:13.271308Z], OS[Mac OS X/13.3.1/x86_64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/11.0.20/11.0.20+8]
[2023-08-23T20:00:42,152][INFO ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] JVM home [/Library/Java/JavaVirtualMachines/jdk-11.0.20+8/Contents/Home], using bundled JDK/JRE [false]
[2023-08-23T20:00:42,152][INFO ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/var/folders/2q/5p_zrsdj1h94rps5_2tqszzr0000gr/T/opensearch-5527867092778323220, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dopensearch.experimental.feature.telemetry.enabled=true, -XX:MaxDirectMemorySize=536870912, -Dopensearch.path.home=/Users/abiskjha/workspace/Opensearch/OpenSearch/distribution/archives/linux-tar/build/install/opensearch-3.0.0-SNAPSHOT, -Dopensearch.path.conf=/Users/abiskjha/workspace/Opensearch/OpenSearch/distribution/archives/linux-tar/build/install/opensearch-3.0.0-SNAPSHOT/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2023-08-23T20:00:42,152][WARN ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] version [3.0.0-SNAPSHOT] is a pre-release version of OpenSearch and is not suitable for production
[2023-08-23T20:00:43,053][INFO ][o.o.i.r.ReindexModulePlugin] [88665a378ca4.ant.amazon.com] ReindexPlugin reloadSPI called
[2023-08-23T20:00:43,055][INFO ][o.o.i.r.ReindexModulePlugin] [88665a378ca4.ant.amazon.com] Unable to find any implementation for RemoteReindexExtension
[2023-08-23T20:00:43,065][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [aggs-matrix-stats]
[2023-08-23T20:00:43,065][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [analysis-common]
[2023-08-23T20:00:43,065][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [geo]
[2023-08-23T20:00:43,065][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [ingest-common]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [ingest-geoip]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [ingest-user-agent]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [lang-expression]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [lang-mustache]
[2023-08-23T20:00:43,066][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [lang-painless]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [mapper-extras]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [opensearch-dashboards]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [parent-join]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [percolator]
[2023-08-23T20:00:43,067][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [rank-eval]
[2023-08-23T20:00:43,068][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [reindex]
[2023-08-23T20:00:43,068][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [repository-url]
[2023-08-23T20:00:43,068][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [search-pipeline-common]
[2023-08-23T20:00:43,069][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [systemd]
[2023-08-23T20:00:43,069][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [test-delayed-aggs]
[2023-08-23T20:00:43,069][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded module [transport-netty4]
[2023-08-23T20:00:43,070][INFO ][o.o.p.PluginsService     ] [88665a378ca4.ant.amazon.com] loaded plugin [telemetry-otel]
[2023-08-23T20:00:43,096][INFO ][o.o.e.ExtensionsManager  ] [88665a378ca4.ant.amazon.com] ExtensionsManager initialized
[2023-08-23T20:00:43,124][INFO ][o.o.e.NodeEnvironment    ] [88665a378ca4.ant.amazon.com] using [1] data paths, mounts [[/System/Volumes/Data (/dev/disk1s2)]], net usable_space [30.4gb], net total_space [465.6gb], types [apfs]
[2023-08-23T20:00:43,129][INFO ][o.o.e.NodeEnvironment    ] [88665a378ca4.ant.amazon.com] heap size [1gb], compressed ordinary object pointers [true]
[2023-08-23T20:00:43,260][INFO ][o.o.n.Node               ] [88665a378ca4.ant.amazon.com] node name [88665a378ca4.ant.amazon.com], node ID [LAUKXxY5STqf-9eB9X4OiQ], cluster name [opensearch], roles [ingest, remote_cluster_client, data, cluster_manager]
[2023-08-23T20:00:45,882][INFO ][o.o.t.t.e.OTelSpanExporterFactory] [88665a378ca4.ant.amazon.com] Successfully instantiated the SpanExporter class class io.opentelemetry.exporter.logging.LoggingSpanExporter
[2023-08-23T20:00:45,896][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [88665a378ca4.ant.amazon.com] uncaught exception in thread [main]
org.opensearch.bootstrap.StartupException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:184) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
        at java.security.AccessController.checkPermission(AccessController.java:897) ~[?:?]
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) ~[?:?]
        at java.lang.System.setProperty(System.java:907) ~[?:?]
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:81) ~[?:?]
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:54) ~[?:?]
        at org.opensearch.telemetry.OTelTelemetryPlugin.telemetry(OTelTelemetryPlugin.java:62) ~[?:?]
        at org.opensearch.telemetry.OTelTelemetryPlugin.getTelemetry(OTelTelemetryPlugin.java:53) ~[?:?]
        at org.opensearch.telemetry.TelemetryModule.<init>(TelemetryModule.java:28) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.node.Node.<init>(Node.java:730) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.node.Node.<init>(Node.java:390) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
        ... 6 more
uncaught exception in thread [main]
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "otel.metrics.exporter" "write")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
        at java.base/java.lang.System.setProperty(System.java:907)
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:81)
        at org.opensearch.telemetry.tracing.OTelResourceProvider.get(OTelResourceProvider.java:54)
        at org.opensearch.telemetry.OTelTelemetryPlugin.telemetry(OTelTelemetryPlugin.java:62)
        at org.opensearch.telemetry.OTelTelemetryPlugin.getTelemetry(OTelTelemetryPlugin.java:53)
        at org.opensearch.telemetry.TelemetryModule.<init>(TelemetryModule.java:28)
        at org.opensearch.node.Node.<init>(Node.java:730)
        at org.opensearch.node.Node.<init>(Node.java:390)
        at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
        at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
        at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
        at org.opensearch.cli.Command.main(Command.java:101)
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
For complete error details, refer to the log at /Users/abiskjha/workspace/Opensearch/OpenSearch/distribution/archives/linux-tar/build/install/opensearch-3.0.0-SNAPSHOT/logs/opensearch.log
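Why the grant in plugin-security.policy alone does not satisfy this check, as an added illustration that is not code from the OpenSearch repository or from the linked PR discussion (whose content is not reproduced on this page): the Java SecurityManager consults every protection domain on the call stack, and in the trace above System.setProperty is reached from the plugin's OTelResourceProvider through core frames (TelemetryModule, Node) whose code source is not covered by the plugin's policy file, so the least-privileged frame wins and the write is denied. A grant in the global security.policy or in a file passed via -Djava.security.policy has no codeBase clause, so it applies to every domain on the stack, which is why that route "works". The usual remedy, shown below, is to wrap the privileged operation in AccessController.doPrivileged, which stops the stack walk at the plugin's own frame so only the plugin's grant is consulted. The class name, the exporter value and the main method are assumptions made for the example; the property name is the one from the stack trace.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Added example (not OpenSearch project code): setting a system property from
 * plugin code under the SecurityManager.
 *
 * checkPermission walks every frame on the stack and succeeds only if every
 * protection domain on it holds the permission. A grant in plugin-security.policy
 * covers the plugin jar only, so a call that arrives through core OpenSearch
 * frames is denied at the first frame without the grant.
 *
 * doPrivileged truncates that walk at the frame that calls it, so only the
 * plugin's own protection domain (and the plugin's policy grant) is checked.
 * It grants nothing by itself: the permission must still be declared in
 * plugin-security.policy, ideally narrowed to the property actually written:
 *
 *   permission java.util.PropertyPermission "otel.metrics.exporter", "write";
 *
 * rather than "*" with "read,write", which lets the plugin rewrite any system
 * property the JVM reads (assumed hypothetical class name below).
 */
public final class OTelPropertyExample {

    /** Property name taken from the access-denied message in the stack trace. */
    static final String EXPORTER_PROPERTY = "otel.metrics.exporter";

    /**
     * Pattern that fails with the stack trace shown above: when a caller whose
     * code source lacks the grant (e.g. core OpenSearch) is on the stack, the
     * check sees that frame and throws AccessControlException.
     */
    static void setExporterUnprivileged(String value) {
        System.setProperty(EXPORTER_PROPERTY, value);
    }

    /**
     * Pattern that works with a plugin-security.policy grant: the privileged
     * block limits the permission check to this class's protection domain.
     * OpenSearch plugins conventionally call SpecialPermission.check() first to
     * ensure untrusted callers cannot reach this privileged block; it is
     * omitted here so the file compiles outside the OpenSearch code base.
     */
    static void setExporterPrivileged(String value) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            System.setProperty(EXPORTER_PROPERTY, value);
            return null;
        });
    }

    /** Reads the property back so the effect of the privileged write is visible. */
    static String currentExporter() {
        return System.getProperty(EXPORTER_PROPERTY);
    }

    public static void main(String[] args) {
        // Exporter value is an assumption for the demo; any string would do.
        setExporterPrivileged("logging");
        System.out.println(EXPORTER_PROPERTY + "=" + currentExporter());
    }
}
```

Without a SecurityManager installed (plain `java OTelPropertyExample`) both methods succeed; the difference only appears under a policy like the one OpenSearch installs at boot, where the unprivileged variant fails exactly as in the log above when entered from a core frame. Keep the privileged block as small as possible and keep the policy grant scoped to the named property, so the plugin's elevated capability is limited to the single write it actually needs.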
DevJhaAbhishek commented 1 year ago

@reta @dblock @nknize @Gaganjuneja @shwetathareja @Bukhtawar Please help

cwperks commented 1 year ago

This may be a related issue seen on the security plugin: https://github.com/opensearch-project/security/issues/3213

@willyborankin

Gaganjuneja commented 1 year ago

Try this - https://github.com/opensearch-project/OpenSearch/pull/9453#discussion_r1303178969

reta commented 1 year ago

@DevJhaAbhishek I am closing this one; the fix is provided here (https://github.com/opensearch-project/OpenSearch/pull/9453#discussion_r1303178969, as @Gaganjuneja pointed out).

DevJhaAbhishek commented 1 year ago

Thanks for the suggestion. I have tried using this approach and it seems to be working.