I have a custom plugin processor with a socket, and I created a file:
grant {
    permission java.net.SocketPermission "*", "connect,resolve";
};
The error still occurs:
access denied ("java.net.SocketPermission" "localhost:0" "listen,resolve")
when I use my processor.
Assuming you have a custom plugin for OpenSearch, you would need to set security policies to allow socket permissions.
Take a look at Anomaly Detection plugin example: https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy#L6
You might have to use
grant {
    permission java.net.SocketPermission "*", "listen,resolve";
};
Thanks for the reply. I have tried listen,resolve, but I get the same error as before. My OpenSearch was started with docker-compose, so I installed the plugin from the Docker command line.
Thanks, already solved.
Awesome, so how did you solve this problem?
It would probably help other folks lurking around in the forums.
Any code that may call SecurityManager.checkxx should be written in AccessController.doPrivileged(() -> {…});
grant {
    permission java.net.SocketPermission "*", "listen,resolve";
};
is also needed.
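The fix described above, sketched as an added example (not code from the thread or from the OpenSearch project). The class and method names are hypothetical, and it assumes the plugin opens a listening socket on an ephemeral port, which is what produces the `"localhost:0" "listen,resolve"` target in the error.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper for a plugin processor; names are illustrative only.
//
// The permission check walks every protection domain on the call stack, so a
// grant in the plugin's plugin-security.policy is not enough when less
// privileged code is also on the stack. doPrivileged stops the walk at this
// class, so only the plugin's own grant is consulted:
//
//   grant {
//       permission java.net.SocketPermission "*", "listen,resolve";
//   };
//
// A narrower target such as "localhost:0" (the exact one named in the error)
// also satisfies this particular check and grants less than "*".
public final class PrivilegedSockets {

    private PrivilegedSockets() {}

    // Binding to port 0 makes the SecurityManager check
    // SocketPermission "localhost:0" "listen" before the bind happens.
    public static ServerSocket listenOnEphemeralPort() throws IOException {
        try {
            // Keep the privileged block as small as possible: only the call
            // that needs the permission goes inside it.
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<ServerSocket>) () ->
                    new ServerSocket(0, 50, InetAddress.getLoopbackAddress()));
        } catch (PrivilegedActionException e) {
            // doPrivileged wraps checked exceptions; unwrap for the caller.
            throw (IOException) e.getException();
        }
    }

    public static void main(String[] args) throws IOException {
        try (ServerSocket server = listenOnEphemeralPort()) {
            System.out.println("listening on port " + server.getLocalPort());
        }
    }
}
```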
Hi bro, I have a new question.
fatal error in thread [opensearch[opensearch-node1][management][T#3]], exiting
opensearch-node1 | java.lang.ExceptionInInitializerError
opensearch-node1 | at org.opensearch.cn.lsmsp.plugin.ForwardProcessor.lambda$execute$0(ForwardProcessor.java:55)
opensearch-node1 | at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
opensearch-node1 | at org.opensearch.cn.lsmsp.plugin.ForwardProcessor.execute(ForwardProcessor.java:54)
opensearch-node1 | at org.opensearch.ingest.Processor.execute(Processor.java:65)
opensearch-node1 | at org.opensearch.ingest.CompoundProcessor.innerExecute(CompoundProcessor.java:156)
opensearch-node1 | at org.opensearch.ingest.CompoundProcessor.execute(CompoundProcessor.java:142)
opensearch-node1 | at org.opensearch.ingest.Pipeline.execute(Pipeline.java:113)
opensearch-node1 | at org.opensearch.ingest.IngestDocument.executePipeline(IngestDocument.java:755)
opensearch-node1 | at org.opensearch.action.ingest.SimulateExecutionService.executeDocument(SimulateExecutionService.java:70)
opensearch-node1 | at org.opensearch.action.ingest.SimulateExecutionService.lambda$execute$3(SimulateExecutionService.java:95)
opensearch-node1 | at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:86)
opensearch-node1 | at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:756)
opensearch-node1 | at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:50)
opensearch-node1 | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
opensearch-node1 | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
opensearch-node1 | at java.base/java.lang.Thread.run(Thread.java:832)
opensearch-node1 | Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "newProxyInPackage.org.graylog2.syslog4j.impl.unix")
opensearch-node1 | at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
opensearch-node1 | at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
opensearch-node1 | at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
opensearch-node1 | at java.base/java.lang.reflect.Proxy.checkNewProxyPermission(Proxy.java:1048)
opensearch-node1 | at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1019)
opensearch-node1 | at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1008)
opensearch-node1 | at com.sun.jna.Native.loadLibrary(Native.java:648)
opensearch-node1 | at com.sun.jna.Native.loadLibrary(Native.java:630)
opensearch-node1 | at org.graylog2.syslog4j.impl.unix.UnixSyslog.loadLibrary(UnixSyslog.java:53)
opensearch-node1 | at org.graylog2.syslog4j.impl.unix.UnixSyslog.initialize(UnixSyslog.java:65)
opensearch-node1 | at org.graylog2.syslog4j.impl.AbstractSyslog.initialize(AbstractSyslog.java:82)
opensearch-node1 | at org.graylog2.syslog4j.Syslog.createInstance(Syslog.java:196)
opensearch-node1 | at org.graylog2.syslog4j.Syslog.initialize(Syslog.java:213)
opensearch-node1 | at org.graylog2.syslog4j.Syslog.<clinit>(Syslog.java:46)
I tried
grant {
    permission java.lang.reflect.ReflectPermission "newProxyInPackage.org.graylog2.syslog4j.impl.unix";
}
and the code is still in AccessController.doPrivileged(),
but it doesn't work.
I found only one related issue, with the Azure JDK:
https://github.com/Azure/azure-sdk-for-java/issues/12829
Can you help me solve this?
Hello @feng! Can you update us if you have
grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
in your security policy file of the plugin?