Internal: Add versionless alias for rest client codebase in policy files #26521
Conversation
versions Security manager policy files contains grants for specific codebases, where a codebase is a jar file. We use a system property containing the name of the jar file to resolve the jar file location when parsing the policy file. However, this means the version of the jars must be modified when versions of dependencies change. This is particularly messy for elasticsearch, where we now have a dependency on the rest client, and need to support both a snapshot version for testing and non snapshot for release. This commit removes the version portion of the jar file name. The implications are we will no longer need to edit policy files when dependencies change, and do not need any special handling for snapshot vs release builds and their internal policy files in the core elasticsearch jar.
|
I offered an alternate proposal which is to change the grants for our JARs to |
| continue; // tests :( | ||
| } | ||
| String shortName = fileName.replaceFirst("-\\d+\\.\\d+.*\\.jar", ".jar"); |
There was a problem hiding this comment.
This assumes a version format that while fairly standard is not guaranteed.
There was a problem hiding this comment.
Sure it is not guaranteed to work for all possible version formats (specifically any that might use just a single version). But this will cover 99.9% of versions out there, and the edge case would not be for our own policy files (which is currently the only place we actually use jar specific grants). If there is a version format that is different, we can tweak this in the future, but this is still progress.
This would also be breaking for plugin developers. The "name-of-artifact" is not what we produce right now. We just put the property in "codebase.filename", which includes the version and .jar extension. |
|
And note that "breaking" for plugin developers is debatable. None of the official plugins use jar specific grants. Nor (I believe) do our examples for plugin developers to add their policy files. And finally, we can make this fail with a build check which validates the policy file, but that would require doing a first pass parse of the policy file to search for property uses (which i would only look for the simple |
I don't see this as leniency at all. It is not the policy parsers job to find if someone dropped a different version jar into lib. If we want to validate jars, there are other ways (don't use wildcard classpath, add jar signing). This is only about the arbitrary system property names we use to pass info between ES startup and the policy files. |
|
can we maybe reduce the scope here and say we only stip off |
|
to be honest I would be happy to really just fix this for |
I said for our JARs, it would not break plugins. I meant making this change only for our artifacts, it would not break external plugins at all. In the short term, since we can not easily identify our JARs:
In the long term:
|
It's not debatable. There's nothing that precludes a plugin author from using JAR-specific grants with the syntax that we use for the core policy file.
They do not. However, the syntax is in our core policy file, in the open source in our reindex module and the transport-netty4 modules do JAR-specific grants. In closed source, we do this in X-Pack. |
|
another option is to read the jars manifest and if it's a jar build by our build system (maybe just check for some |
|
Here's a version that implements what I'm suggesting and I think can be iterated on to work towards what @s1monw is suggesting with the manifest to identify our JARs (and eventually signed JARs): diff --git a/core/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java b/core/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
index cfe73459a0..372458afb7 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
@@ -81,6 +81,7 @@ class Elasticsearch extends EnvironmentAwareCommand {
}
});
LogConfigurator.registerErrorListener();
+ System.setProperty("es.version", Version.CURRENT.toString() + (Build.CURRENT.isSnapshot() ? "-SNAPSHOT" : ""));
final Elasticsearch elasticsearch = new Elasticsearch();
int status = main(args, elasticsearch, Terminal.DEFAULT);
if (status != ExitCodes.OK) {
diff --git a/core/src/main/java/org/elasticsearch/bootstrap/Security.java b/core/src/main/java/org/elasticsearch/bootstrap/Security.java
index e5c326b8ee..4eb6b8de94 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/Security.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/Security.java
@@ -198,7 +198,15 @@ final class Security {
if (shortName.endsWith(".jar") == false) {
continue; // tests :(
}
- String previous = System.setProperty("codebase." + shortName, url.toString());
+ final String previous;
+ if (shortName.startsWith("elasticsearch-rest-client")) {
+ final String urlAsString = url.toString();
+ final int index = urlAsString.indexOf("-" + System.getProperty("es.version") + ".jar");
+ assert index >= 0;
+ previous = System.setProperty(policyPropertyName(shortName), urlAsString.substring(0, index));
+ } else {
+ previous = System.setProperty(policyPropertyName(shortName), url.toString());
+ }
if (previous != null) {
throw new IllegalStateException("codebase property already set: " + shortName + "->" + previous);
}
@@ -211,7 +219,7 @@ final class Security {
if (shortName.endsWith(".jar") == false) {
continue; // tests :(
}
- System.clearProperty("codebase." + shortName);
+ System.clearProperty(policyPropertyName(shortName));
}
}
} catch (NoSuchAlgorithmException | URISyntaxException e) {
@@ -219,6 +227,17 @@ final class Security {
}
}
+ private static String policyPropertyName(final String shortName) {
+ // hack for now until we can identify all of our jar
+ if (shortName.startsWith("elasticsearch-rest-client")) {
+ final int index = shortName.indexOf("-" + System.getProperty("es.version") + ".jar");
+ assert index >= 0;
+ return "codebase." + shortName.substring(0, index);
+ } else {
+ return "codebase." + shortName;
+ }
+ }
+
/** returns dynamic Permissions to configured paths and bind ports */
static Permissions createPermissions(Environment environment) throws IOException {
Permissions policy = new Permissions();
diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
index 79cb42214d..840f182ada 100644
--- a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@@ -63,7 +63,7 @@ grant codeBase "${codebase.mocksocket-1.2.jar}" {
permission java.net.SocketPermission "*", "accept,connect";
};
-grant codeBase "${codebase.elasticsearch-rest-client-7.0.0-alpha1-SNAPSHOT.jar}" {
+grant codeBase "${codebase.elasticsearch-rest-client}-${es.version}.jar" {
// rest makes socket connections for rest tests
permission java.net.SocketPermission "*", "connect";
// rest client uses system properties which gets the default proxy
diff --git a/modules/reindex/src/main/plugin-metadata/plugin-security.policy b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
index 39c1d77277..8f63708cbb 100644
--- a/modules/reindex/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
@@ -22,7 +22,7 @@ grant {
permission java.net.SocketPermission "*", "connect";
};
-grant codeBase "${codebase.elasticsearch-rest-client-7.0.0-alpha1-SNAPSHOT.jar}" {
+grant codeBase "${codebase.elasticsearch-rest-client}-${es.version}.jar" {
// rest client uses system properties which gets the default proxy
permission java.net.NetPermission "getProxySelector";
}; |
|
@jasontedor I pushed an update using your suggestion. I do not like it, but I am ok with it as a temporary solution. |
|
I think the version is adding unnecessary complexity here. Lets just use |
| } | ||
| String property = "codebase." + shortName; | ||
| propertiesSet.add(property); | ||
| String previous = System.setProperty(property, url.toString()); |
There was a problem hiding this comment.
This doesn't work. Note that
"${codebase.elasticsearch-rest-client}-${es.version}.jar"
translates to
file:///path/to/elasticsearch-rest-client-7.0.0-alpha1-SNAPSHOT.jar-7.0.0-alpha1-SNAPSHOT.jar
because you're replacing codebase.elasticsearch-rest-client with the full URL string, and then appending the version (from es.version). I handled this in the diff I gave.
Note that we have to do the version parsing/handling anyway, to find the name |
This is what is unnecessary. It is not the policy parsing code's job to stop other jars from being dropped in place of existing deps. Let us leave that validation (which would be good) for a separate discussion. |
|
@s1monw @jasontedor I pushed another update. |
| if (shortName.startsWith("elasticsearch-rest-client")) { | ||
| final String esVersion = Version.CURRENT + (Build.CURRENT.isSnapshot() ? "-SNAPSHOT" : ""); | ||
| final int index = property.indexOf("-" + esVersion + ".jar"); | ||
| assert index >= 0; |
There was a problem hiding this comment.
can you put in a message for this?
| } | ||
| System.clearProperty("codebase." + shortName); | ||
| for (String property : propertiesSet) { | ||
| System.out.println("Unsetting " + property); |
rjernst
changed the title
…les (#26521) Security manager policy files contains grants for specific codebases, where a codebase is a jar file. We use a system property containing the name of the jar file to resolve the jar file location when parsing the policy file. However, this means the version of the jars must be modified when versions of dependencies change. This is particularly messy for elasticsearch, where we now have a dependency on the rest client, and need to support both a snapshot version for testing and non snapshot for release. This commit adds an alias for the elasticsearch rest client without a version to be used in policy files. That allows the policy files to not care whether the rest client is a snapshot or release.
…les (#26521) Security manager policy files contains grants for specific codebases, where a codebase is a jar file. We use a system property containing the name of the jar file to resolve the jar file location when parsing the policy file. However, this means the version of the jars must be modified when versions of dependencies change. This is particularly messy for elasticsearch, where we now have a dependency on the rest client, and need to support both a snapshot version for testing and non snapshot for release. This commit adds an alias for the elasticsearch rest client without a version to be used in policy files. That allows the policy files to not care whether the rest client is a snapshot or release.
…les (#26521) Security manager policy files contains grants for specific codebases, where a codebase is a jar file. We use a system property containing the name of the jar file to resolve the jar file location when parsing the policy file. However, this means the version of the jars must be modified when versions of dependencies change. This is particularly messy for elasticsearch, where we now have a dependency on the rest client, and need to support both a snapshot version for testing and non snapshot for release. This commit adds an alias for the elasticsearch rest client without a version to be used in policy files. That allows the policy files to not care whether the rest client is a snapshot or release.
…ties This is a followup to elastic#26521. This commit expands the alias added for the elasticsearch client codebase to all codebases. The original full jar name property is left intact. This only adds an alias without the version, which should help ease the pain in updating any versions (ES itself or dependencies).
…ties (#26756) This is a followup to #26521. This commit expands the alias added for the elasticsearch client codebase to all codebases. The original full jar name property is left intact. This only adds an alias without the version, which should help ease the pain in updating any versions (ES itself or dependencies).
…ties (#26756) This is a followup to #26521. This commit expands the alias added for the elasticsearch client codebase to all codebases. The original full jar name property is left intact. This only adds an alias without the version, which should help ease the pain in updating any versions (ES itself or dependencies).
Security manager policy files contains grants for specific codebases,
where a codebase is a jar file. We use a system property containing the
name of the jar file to resolve the jar file location when parsing the
policy file. However, this means the version of the jars must be
modified when versions of dependencies change. This is particularly
messy for elasticsearch, where we now have a dependency on the rest
client, and need to support both a snapshot version for testing and non
snapshot for release.
This commit removes the version portion of the jar file name. The
implications are we will no longer need to edit policy files when
dependencies change, and do not need any special handling for snapshot
vs release builds and their internal policy files in the core
elasticsearch jar.