OpenSearch: [BUG] [Searchable Snapshot] SpecialPermission error when using a scripted query
Describe the bug
When performing a scripted query on a remote index, a security exception is thrown. This occurs on 2.7.0 snapshot and also using released 2.5.0.
Seems related to how OS/ES handles evaluated permissions.
To Reproduce
Steps to reproduce the behavior:
- Restore an index where storage_type is set to remote_snapshot
- Perform a scripted search using painless
- A security exception is thrown. On a normal index, no exception occurs.
Caused by: java.lang.SecurityException: access denied ("org.opensearch.SpecialPermission" "*")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) ~[?:?]
at java.security.AccessController.checkPermission(AccessController.java:1068) ~[?:?]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:416) ~[?:?]
at org.opensearch.SpecialPermission.check(SpecialPermission.java:104) ~[opensearch-2.5.0.jar:2.5.0]
at org.opensearch.repositories.azure.SocketAccess.doPrivilegedException(SocketAccess.java:68) ~[?:?]
at org.opensearch.repositories.azure.AzureBlobStore.getInputStream(AzureBlobStore.java:282) ~[?:?]
at org.opensearch.repositories.azure.AzureBlobContainer.openInputStream(AzureBlobContainer.java:104) ~[?:?]
at org.opensearch.repositories.azure.AzureBlobContainer.readBlob(AzureBlobContainer.java:122) ~[?:?]
at org.opensearch.index.store.remote.utils.TransferManager.fetchBlob(TransferManager.java:59) ~[opensearch-2.5.0.jar:2.5.0]
at org.opensearch.index.store.remote.file.OnDemandBlockSnapshotIndexInput.fetchBlock(OnDemandBlockSnapshotIndexInput.java:151) ~[opensearch-2.5.0.jar:2.5.0]
at org.opensearch.index.store.remote.file.OnDemandBlockIndexInput.demandBlock(OnDemandBlockIndexInput.java:347) ~[opensearch-2.5.0.jar:2.5.0]
at org.opensearch.index.store.remote.file.OnDemandBlockIndexInput.seekInternal(OnDemandBlockIndexInput.java:318) ~[opensearch-2.5.0.jar:2.5.0]
at org.opensearch.index.store.remote.file.OnDemandBlockIndexInput.seek(OnDemandBlockIndexInput.java:216) ~[opensearch-2.5.0.jar:2.5.0]
at org.opensearch.index.store.remote.file.OnDemandBlockSnapshotIndexInput.seek(OnDemandBlockSnapshotIndexInput.java:30) ~[opensearch-2.5.0.jar:2.5.0]
Host/Environment (please complete the following information):
- OS: Ubuntu
About this issue
- State: closed
- Created a year ago
- Comments: 15 (7 by maintainers)
Thanks @kotwanikunal. We tested #6914 and it works.
@dgilling You can test the feature out on a development environment with the added permission. I am still looking into a fix for this.
~@kotwanikunal plugins have their own dedicated permissions which are registered with Java Security Manager via security policy file. This blog post talks about it in detail[1]~ Ignore me, you’ve already got there 😃. It's mostly about the caller’s context matters which is azure plugin (not painless script) who does not have the elevated permissions. Let's try adding it to the policy?
@dgilling assuming you are using repository-azure from this repo, could you modify the plugin-security.policy[2] file and add org.opensearch.SpecialPermission to the list?
~[1] https://opensearch.org/blog/plugins-intro/~
[2] https://github.com/opensearch-project/OpenSearch/blob/e4d9fb50b74a0b4e7f9b7bb1315e92c1f136efde/plugins/repository-azure/src/main/plugin-metadata/plugin-security.policy
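
The comment's point that the caller's context decides the outcome, as a simplified Python model of Java Security Manager stack inspection. This is an added example, not code from OpenSearch or from this thread, and it goes slightly beyond the thread by also modelling the doPrivileged cut-off. The domain names, the policy contents and the helpers `blocking_domain` and `grant` are assumptions, and the model ignores inherited thread contexts and permission implication.

```python
from dataclasses import dataclass

SPECIAL = "org.opensearch.SpecialPermission"

@dataclass(frozen=True)
class Frame:
    method: str               # label abbreviated from the stack trace
    domain: str               # protection domain (plugin or core jar) owning the class
    privileged: bool = False  # True if this frame entered AccessController.doPrivileged

def blocking_domain(stack, policy, perm):
    """Return the first domain that denies perm, or None when access is granted.

    stack is innermost frame first, like a Java trace. Every domain on it must
    hold perm; the walk stops after a frame that called doPrivileged.
    """
    for frame in stack:
        if perm not in policy.get(frame.domain, set()):
            return frame.domain
        if frame.privileged:
            break  # callers further out are not consulted
    return None

def grant(policy, domain, perm):
    """Copy of policy with perm added to domain (models editing a policy file)."""
    updated = {d: set(p) for d, p in policy.items()}
    updated.setdefault(domain, set()).add(perm)
    return updated

# Constructed stack: frame names from the trace, domain assignment assumed.
TRACE = [
    Frame("SocketAccess.doPrivilegedException", "repository-azure"),
    Frame("AzureBlobContainer.readBlob", "repository-azure"),
    Frame("TransferManager.fetchBlob", "opensearch-core"),
    Frame("OnDemandBlockIndexInput.seek", "opensearch-core"),
]
# Constructed policy following the comment's diagnosis: the plugin lacks SPECIAL.
POLICY = {
    "opensearch-core": {SPECIAL},
    "repository-azure": {"java.net.SocketPermission"},
}

if __name__ == "__main__":
    print("before:", blocking_domain(TRACE, POLICY, SPECIAL))
    fixed = grant(POLICY, "repository-azure", SPECIAL)
    print("after: ", blocking_domain(TRACE, fixed, SPECIAL))
    # A caller without the permission further out still blocks the check...
    outer = TRACE + [Frame("hypothetical caller", "unprivileged-caller")]
    print("outer: ", blocking_domain(outer, fixed, SPECIAL))
    # ...unless a trusted frame in between wraps the call in doPrivileged.
    wrapped = TRACE[:2] + [Frame("TransferManager.fetchBlob", "opensearch-core", True)] + outer[3:]
    print("wrapped:", blocking_domain(wrapped, fixed, SPECIAL))
```

In the model, granting the permission to one domain only helps if no other domain on the inspected part of the stack lacks it, which is why the same read can succeed from one call path and fail from another.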