Access denied ("java.net.SocketPermission" "localhost:0" "listen,resolve")

I have a custom plugin processor with a socket, and I created the file
grant {
permission java.net.SocketPermission "*", "connect,resolve";
};
The error still occurs:
access denied ("java.net.SocketPermission" "localhost:0" "listen,resolve")
when I use my processor.

Assuming you have a custom plugin for OpenSearch, you would need to set security policies to allow socket permissions.
Take a look at the Anomaly Detection plugin example: https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy#L6

You might have to use

grant {
permission java.net.SocketPermission "*", "listen,resolve";
};

Thanks for the reply. I have tried listen,resolve, but I get the same error as before. My OpenSearch was started with docker-compose, so I installed the plugin from the Docker command line.

Thanks, already solved.

Awesome, so how did you solve this problem?
It would probably help other folks lurking around in the forums.

Any code that may use SecurityManager.checkxx should be written in AccessController.doPrivileged(()->{…});

grant {
permission java.net.SocketPermission "*", "listen,resolve";
};
is also needed
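
The fix described in the post above, as an added example that is not part of the original thread or the poster's plugin: a socket bind wrapped in `AccessController.doPrivileged`, so the permission check stops at the plugin's own protection domain instead of walking the whole call stack. The class and method names are hypothetical, and the narrower grant in the comment is an assumption based on the permission named in the error message.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical plugin helper; names are illustrative, not from the thread.
// Matching entry in the plugin's plugin-security.policy. The thread used "*";
// the target from the denial itself is a narrower alternative (assumption):
//   grant {
//     permission java.net.SocketPermission "localhost:0", "listen,resolve";
//   };
public final class PrivilegedSockets {

    private PrivilegedSockets() {}

    // Binds a listening socket inside doPrivileged. Without it, every frame on
    // the stack must hold the permission, including callers that do not.
    public static ServerSocket listenOnLoopback(int port) throws IOException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<ServerSocket>) () ->
                    // Port 0 asks the OS for an ephemeral port; the security
                    // manager checks that bind as "localhost:0" "listen".
                    new ServerSocket(port, 50, InetAddress.getLoopbackAddress()));
        } catch (PrivilegedActionException e) {
            // Checked exceptions thrown by the action arrive wrapped; unwrap
            // so callers see the original IOException.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IOException(cause);
        }
    }

    // Stand-alone run: without a security manager the action simply executes.
    public static void main(String[] args) throws IOException {
        try (ServerSocket socket = listenOnLoopback(0)) {
            System.out.println("listening on " + socket.getLocalSocketAddress());
        }
    }
}
```

Keep the privileged block as small as possible: only the call that triggers the check belongs inside it, so code reached through the plugin does not inherit the plugin's grants for anything else.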

Hi bro, I have a new question. :joy:
fatal error in thread [opensearch[opensearch-node1][management][T#3]], exiting
opensearch-node1 | java.lang.ExceptionInInitializerError
opensearch-node1 | at org.opensearch.cn.lsmsp.plugin.ForwardProcessor.lambda$execute$0(ForwardProcessor.java:55)
opensearch-node1 | at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
opensearch-node1 | at org.opensearch.cn.lsmsp.plugin.ForwardProcessor.execute(ForwardProcessor.java:54)
opensearch-node1 | at org.opensearch.ingest.Processor.execute(Processor.java:65)
opensearch-node1 | at org.opensearch.ingest.CompoundProcessor.innerExecute(CompoundProcessor.java:156)
opensearch-node1 | at org.opensearch.ingest.CompoundProcessor.execute(CompoundProcessor.java:142)
opensearch-node1 | at org.opensearch.ingest.Pipeline.execute(Pipeline.java:113)
opensearch-node1 | at org.opensearch.ingest.IngestDocument.executePipeline(IngestDocument.java:755)
opensearch-node1 | at org.opensearch.action.ingest.SimulateExecutionService.executeDocument(SimulateExecutionService.java:70)
opensearch-node1 | at org.opensearch.action.ingest.SimulateExecutionService.lambda$execute$3(SimulateExecutionService.java:95)
opensearch-node1 | at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:86)
opensearch-node1 | at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:756)
opensearch-node1 | at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:50)
opensearch-node1 | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
opensearch-node1 | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
opensearch-node1 | at java.base/java.lang.Thread.run(Thread.java:832)
opensearch-node1 | Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "newProxyInPackage.org.graylog2.syslog4j.impl.unix")
opensearch-node1 | at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
opensearch-node1 | at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
opensearch-node1 | at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
opensearch-node1 | at java.base/java.lang.reflect.Proxy.checkNewProxyPermission(Proxy.java:1048)
opensearch-node1 | at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1019)
opensearch-node1 | at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1008)
opensearch-node1 | at com.sun.jna.Native.loadLibrary(Native.java:648)
opensearch-node1 | at com.sun.jna.Native.loadLibrary(Native.java:630)
opensearch-node1 | at org.graylog2.syslog4j.impl.unix.UnixSyslog.loadLibrary(UnixSyslog.java:53)
opensearch-node1 | at org.graylog2.syslog4j.impl.unix.UnixSyslog.initialize(UnixSyslog.java:65)
opensearch-node1 | at org.graylog2.syslog4j.impl.AbstractSyslog.initialize(AbstractSyslog.java:82)
opensearch-node1 | at org.graylog2.syslog4j.Syslog.createInstance(Syslog.java:196)
opensearch-node1 | at org.graylog2.syslog4j.Syslog.initialize(Syslog.java:213)
opensearch-node1 | at org.graylog2.syslog4j.Syslog.<clinit>(Syslog.java:46)

I tried
grant {
permission java.lang.reflect.ReflectPermission "newProxyInPackage.org.graylog2.syslog4j.impl.unix";
};
and the code is still in AccessController.doPrivileged(),
but it doesn't work.
I found only one related issue, with azure jdk:
https://github.com/Azure/azure-sdk-for-java/issues/12829

Can you help me solve this? :joy:

Hello @feng! Can you update us if you have

grant {
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};

in your security policy file of the plugin?