Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Grant read access to the config dir (#123882) (#123913)

This matches what Security Manager permissions Elasticsearch had for all
plugins.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Ryan Ernst 7 months ago
parent
ec188b8297
commit
214887c970
2 changed files with 11 additions and 3 deletions
Split View Show Diff Stats
  1. 3 1
      libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
  2. 8 2
      libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

+ 3 - 1
libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
View File 

@@ -138,8 +138,10 @@ public final class FileAccessTree {
 
             });
 
         }
 
 
-        // everything has access to the temp dir and the jdk
 
+        // everything has access to the temp dir, config dir and the jdk
 
         addPathAndMaybeLink.accept(pathLookup.tempDir(), Mode.READ_WRITE);
 
+        // TODO: this grants read access to the config dir for all modules until explicit read entitlements can be added
 
+        addPathAndMaybeLink.accept(pathLookup.configDir(), Mode.READ);
 
 
         // TODO: watcher uses javax.activation which looks for known mime types configuration, should this be global or explicit in watcher?
 
         Path jdk = Paths.get(System.getProperty("java.home"));

+ 8 - 2
libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java
View File 

@@ -135,7 +135,7 @@ public class FileAccessTreeTests extends ESTestCase {
 
     }
 
 
     public void testReadWithRelativePath() {
 
-        for (var dir : List.of("config", "home")) {
 
+        for (var dir : List.of("home")) {
 
             var tree = accessTree(entitlement(Map.of("relative_path", "foo", "mode", "read", "relative_to", dir)), List.of());
 
             assertThat(tree.canRead(path("foo")), is(false));
 
 
@@ -152,7 +152,7 @@ public class FileAccessTreeTests extends ESTestCase {
 
     }
 
 
     public void testWriteWithRelativePath() {
 
-        for (var dir : List.of("config", "home")) {
 
+        for (var dir : List.of("home")) {
 
             var tree = accessTree(entitlement(Map.of("relative_path", "foo", "mode", "read_write", "relative_to", dir)), List.of());
 
             assertThat(tree.canWrite(path("/" + dir + "/foo")), is(true));
 
             assertThat(tree.canWrite(path("/" + dir + "/foo/subdir")), is(true));
 
@@ -263,6 +263,12 @@ public class FileAccessTreeTests extends ESTestCase {
 
         assertThat(tree.canWrite(TEST_PATH_LOOKUP.tempDir()), is(true));
 
     }
 
 
+    public void testConfigDirAccess() {
 
+        var tree = FileAccessTree.of("test-component", "test-module", FilesEntitlement.EMPTY, TEST_PATH_LOOKUP, List.of());
 
+        assertThat(tree.canRead(TEST_PATH_LOOKUP.configDir()), is(true));
 
+        assertThat(tree.canWrite(TEST_PATH_LOOKUP.configDir()), is(false));
 
+    }
 
+
 
     public void testBasicExclusiveAccess() {
 
         var tree = accessTree(entitlement("foo", "read"), exclusivePaths("test-component", "test-module", "foo"));
 
         assertThat(tree.canRead(path("foo")), is(true));