From 795563012dc60192513d1e245ae7d2004ea81116 Mon Sep 17 00:00:00 2001 From: Uwe Schindler Date: Mon, 9 Jan 2023 19:15:16 +0100 Subject: [PATCH] Correct permissions of jackson-databind "the correct way" --- .../resources/org/opensearch/bootstrap/security.policy | 9 ++++++--- .../common/settings/WriteableSettingTests.java | 2 ++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy index 256a0df187723..bdde9bdc4c462 100644 --- a/server/src/main/resources/org/opensearch/bootstrap/security.policy +++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy @@ -79,6 +79,12 @@ grant codeBase "${codebase.jna}" { permission java.lang.RuntimePermission "accessDeclaredMembers"; }; +grant codeBase "${codebase.jackson-databind}" { + // Jackson Databind needs access to declared members and makes them visible + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + //// Everything else: grant { @@ -100,9 +106,6 @@ grant { permission jdk.net.NetworkPermission "getOption.TCP_KEEPCOUNT"; permission jdk.net.NetworkPermission "setOption.TCP_KEEPCOUNT"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; - // Allow read access to all system properties permission java.util.PropertyPermission "*", "read"; diff --git a/server/src/test/java/org/opensearch/common/settings/WriteableSettingTests.java b/server/src/test/java/org/opensearch/common/settings/WriteableSettingTests.java index 5e34f68539798..bc117c8727b94 100644 --- a/server/src/test/java/org/opensearch/common/settings/WriteableSettingTests.java +++ b/server/src/test/java/org/opensearch/common/settings/WriteableSettingTests.java 
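Review bot: The comment on the new `${codebase.jackson-databind}` grant in security.policy does not say what the two permissions allow or when they actually apply. `suppressAccessChecks` lets that jar call `setAccessible(true)` on non-public members of any class it is asked to bind. A Security Manager check covers every protection domain on the call stack, so with the unscoped grant removed further down, this grant only takes effect where the caller holds the same permissions or wraps the Jackson call in `AccessController.doPrivileged`. No such call site is visible in this patch, so it is worth confirming that callers outside this codeBase still work. I would expand the comment to something like `// reflection on non-public members during data binding; callers outside this codeBase need doPrivileged, and untrusted type information must not reach the mapper`.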
@@ -9,6 +9,7 @@ package org.opensearch.common.settings; import org.junit.Before; +import org.junit.Ignore; import org.opensearch.Version; import org.opensearch.common.SuppressForbidden; import org.opensearch.common.bytes.BytesReference; @@ -462,6 +463,7 @@ public void testVersionSetting() throws IOException { } } + @Ignore("https://github.com/opensearch-project/OpenSearch/issues/5504") @SuppressForbidden(reason = "The only way to test these is via reflection") public void testExceptionHandling() throws NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException { // abuse reflection to change default value, no way to do this with given Setting class
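Review bot: `@Ignore` on `testExceptionHandling` switches off this exception-path test, and the code does not say why it can no longer run; the annotation text is only a URL. Given the policy change in the same patch and the existing comment `abuse reflection to change default value`, the likely cause is that test code no longer holds `suppressAccessChecks`, but that is inferred from the page. I would add a line above the annotation such as `// disabled: relies on ReflectPermission "suppressAccessChecks", which is no longer granted to all code; re-enable when the linked issue is resolved`, after confirming the cause against that issue. The method body continues outside the hunk.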