Fix JSM policy for arrow-flight-rpc module

Signed-off-by: Rishabh Maurya <[email protected]>
rishabhmaurya · Nov 25, 2024 · 10c1466 · 10c1466
1 parent 12ad318
commit 10c1466
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 15 deletions.
diff --git a/...s/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java b/...s/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java
@@ -31,6 +31,9 @@
 import org.opensearch.threadpool.ThreadPool;
 
 import java.io.IOException;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.Objects;
 
 /**
@@ -55,7 +58,14 @@ public class FlightService extends AbstractLifecycleComponent {
      * @param settings The settings for the FlightService.
      */
     public FlightService(Settings settings) {
-        ServerConfig.init(settings);
+        try {
+            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
+                ServerConfig.init(settings);
+                return null;
+            });
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to initialize Arrow Flight server", e);
+        }
     }
 
     /**
@@ -89,7 +99,10 @@ public void setSecureTransportSettingsProvider(SecureTransportSettingsProvider s
     @Override
     protected void doStart() {
         try {
-            allocator = new RootAllocator(Integer.MAX_VALUE);
+            allocator = AccessController.doPrivileged(
+                (PrivilegedExceptionAction<BufferAllocator>) () -> new RootAllocator(Integer.MAX_VALUE)
+            );
+
             BaseFlightProducer producer = new BaseFlightProducer(clientManager, streamManager, allocator);
             FlightServerBuilder builder = new FlightServerBuilder(threadPool.get(), () -> allocator, producer, sslContextProvider);
             server = builder.build();
@@ -98,6 +111,8 @@ protected void doStart() {
         } catch (IOException e) {
             logger.error("Failed to start Arrow Flight server", e);
             throw new RuntimeException("Failed to start Arrow Flight server", e);
+        } catch (PrivilegedActionException e) {
+            throw new RuntimeException(e);
         }
     }
 

diff --git a/modules/arrow-flight-rpc/src/main/plugin-metadata/plugin-security.policy b/modules/arrow-flight-rpc/src/main/plugin-metadata/plugin-security.policy
@@ -0,0 +1,20 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+grant codeBase "${codebase.arrow-flight-rpc}" {
+  // arrow flight service permissions
+  permission java.util.PropertyPermission "arrow.allocation.manager.type", "write";
+  permission java.util.PropertyPermission "arrow.enable_null_check_for_get", "write";
+  permission java.util.PropertyPermission "arrow.enable_unsafe_memory_access", "write";
+  permission java.util.PropertyPermission "arrow.memory.debug.allocator", "write";
+
+  permission java.util.PropertyPermission "io.netty.tryReflectionSetAccessible", "write";
+  permission java.util.PropertyPermission "io.netty.allocator.numDirectArenas", "write";
+  permission java.util.PropertyPermission "io.netty.noUnsafe", "write";
+  permission java.util.PropertyPermission "io.netty.tryUnsafe", "write";
+};
diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -98,15 +98,13 @@ grant {
 
   // needed by vendored Guice
   permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.annotation";
-  permission java.lang.RuntimePermission "accessDeclaredMembers";
-  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+
   // checked by scripting engines, and before hacks and other issues in
   // third party code, to safeguard these against unprivileged code like scripts.
   permission org.opensearch.SpecialPermission;
 
   // Allow host/ip name service lookups
   permission java.net.SocketPermission "*", "resolve";
-  permission java.net.SocketPermission "*", "accept";
 
   // Allow reading and setting socket keepalive options
   permission jdk.net.NetworkPermission "getOption.TCP_KEEPIDLE";
@@ -198,14 +196,6 @@ grant {
   permission java.io.FilePermission "/sys/fs/cgroup/memory", "read";
   permission java.io.FilePermission "/sys/fs/cgroup/memory/-", "read";
 
-  // arrow flight server permissions
-  permission java.security.AllPermission;
-  permission java.util.PropertyPermission "arrow.allocation.manager.type", "write";
-  permission java.util.PropertyPermission "arrow.enable_null_check_for_get", "write";
-  permission java.util.PropertyPermission "io.netty.tryReflectionSetAccessible", "write";
-  permission java.util.PropertyPermission "arrow.enable_unsafe_memory_access", "write";
-  permission java.util.PropertyPermission "io.netty.allocator.numDirectArenas", "write";
-  permission java.util.PropertyPermission "io.netty.noUnsafe", "write";
-  permission java.util.PropertyPermission "io.netty.tryUnsafe", "write";
-  permission java.util.PropertyPermission "arrow.memory.debug.allocator", "write";
+  // Needed for netty based arrow flight server for netty configs related to buffer allocator
+  permission java.security.AllPermission "modifyThreadGroup";
 };