Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add getProperty.org.bouncycastle.ec.max_f2m_field_size to plugin-security.policy #4269

Merged
merged 1 commit into from
Apr 19, 2024

Conversation

cwperks
Copy link
Member

@cwperks cwperks commented Apr 19, 2024

Description

Fixes issue related to bouncycastle upgrade where starting up a node with security plugin installed and SAML Authentication enabled resulted in:

Caused by: java.lang.InternalError: cannot create instance of org.bouncycastle.jcajce.provider.keystore.PKCS12$Mappings : java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getProperty.org.bouncycastle.ec.max_f2m_field_sizet")
	at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.<init>(HTTPSamlAuthenticator.java:154) ~[opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        ...

Ref: https://github.com/opensearch-project/security-dashboards-plugin/actions/runs/8744995738/job/23999073639?pr=1899

  • Category

Maintenance

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

…rity.policy

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Copy link
Member Author

cwperks commented Apr 19, 2024

@reta This permission also needs to be added for SAML authentication. Is there a good way to systematically identify the new permissions that need to be added?

This was caught from e2e tests in the security-dashboards-plugin.

@reta
Copy link
Collaborator

reta commented Apr 19, 2024

Is there a good way to systematically identify the new permissions that need to be added?

Good question, I think we just need more tests since we don't know exactly what permission is needed in what case(s)?

Copy link
Collaborator

@derek-ho derek-ho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching this!

@cwperks cwperks added the backport 2.x backport to 2.x branch label Apr 19, 2024
@cwperks cwperks merged commit b214255 into opensearch-project:main Apr 19, 2024
79 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Apr 19, 2024
…rity.policy (#4269)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit b214255)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
dlin2028 pushed a commit to dlin2028/security that referenced this pull request May 1, 2024
…rity.policy (opensearch-project#4269)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x backport to 2.x branch
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants