diff --git a/modules/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java b/modules/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java index f9ad8f4437757..010bb07cfdbe3 100644 --- a/modules/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java +++ b/modules/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java @@ -31,6 +31,9 @@ import org.opensearch.threadpool.ThreadPool; import java.io.IOException; +import java.security.AccessController; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.Objects; /** @@ -55,7 +58,14 @@ public class FlightService extends AbstractLifecycleComponent { * @param settings The settings for the FlightService. */ public FlightService(Settings settings) { - ServerConfig.init(settings); + try { + AccessController.doPrivileged((PrivilegedExceptionAction) () -> { + ServerConfig.init(settings); + return null; + }); + } catch (Exception e) { + throw new RuntimeException("Failed to initialize Arrow Flight server", e); + } } /** @@ -89,7 +99,10 @@ public void setSecureTransportSettingsProvider(SecureTransportSettingsProvider s @Override protected void doStart() { try { - allocator = new RootAllocator(Integer.MAX_VALUE); + allocator = AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> new RootAllocator(Integer.MAX_VALUE) + ); + BaseFlightProducer producer = new BaseFlightProducer(clientManager, streamManager, allocator); FlightServerBuilder builder = new FlightServerBuilder(threadPool.get(), () -> allocator, producer, sslContextProvider); server = builder.build(); 
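Review bot: The new `AccessController.doPrivileged` block in the `FlightService` constructor is not preceded by `SpecialPermission.check()`, which is the guard the server policy in this same diff describes as what protects privileged sections against unprivileged callers such as scripts; the OpenSearch idiom is to call it on the line before every `doPrivileged`. The catch is also broader than the call warrants: `doPrivileged(PrivilegedExceptionAction)` only wraps checked exceptions in `PrivilegedActionException`, so unchecked failures from `ServerConfig.init` (a settings-validation error, say) already propagate with their original type, and `catch (Exception e)` re-wraps them behind the generic message. Catching `PrivilegedActionException` and rethrowing its cause keeps the real failure visible, and typing the action as `PrivilegedExceptionAction<Void>` removes the raw-type cast; `org.opensearch.SpecialPermission` would need importing if the module does not already use it.
```java
public FlightService(Settings settings) {
    SpecialPermission.check();
    try {
        AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
            ServerConfig.init(settings);
            return null;
        });
    } catch (PrivilegedActionException e) {
        // doPrivileged only wraps checked exceptions; unchecked ones propagate as-is
        throw new RuntimeException("Failed to initialize Arrow Flight server", e.getCause());
    }
}
```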
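Review bot: The raw `(PrivilegedExceptionAction)` cast around `new RootAllocator(Integer.MAX_VALUE)` in `doStart` makes the `doPrivileged` call an unchecked invocation and loses the action's return type; `(PrivilegedExceptionAction<RootAllocator>) () -> new RootAllocator(Integer.MAX_VALUE)` yields a typed result with no cast or unchecked warning. As in the constructor, a `SpecialPermission.check();` on the line before the `doPrivileged` call would keep this elevation point consistent with the convention the server policy documents. `doStart` continues past the end of this hunk, so its matching catch block is reviewed separately.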
@@ -98,6 +111,8 @@ protected void doStart() { } catch (IOException e) { logger.error("Failed to start Arrow Flight server", e); throw new RuntimeException("Failed to start Arrow Flight server", e); + } catch (PrivilegedActionException e) { + throw new RuntimeException(e); } } diff --git a/modules/arrow-flight-rpc/src/main/plugin-metadata/plugin-security.policy b/modules/arrow-flight-rpc/src/main/plugin-metadata/plugin-security.policy new file mode 100644 index 0000000000000..cff9156f3e6c9 --- /dev/null +++ b/modules/arrow-flight-rpc/src/main/plugin-metadata/plugin-security.policy @@ -0,0 +1,20 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +grant codeBase "${codebase.arrow-flight-rpc}" { + // arrow flight service permissions + permission java.util.PropertyPermission "arrow.allocation.manager.type", "write"; + permission java.util.PropertyPermission "arrow.enable_null_check_for_get", "write"; + permission java.util.PropertyPermission "arrow.enable_unsafe_memory_access", "write"; + permission java.util.PropertyPermission "arrow.memory.debug.allocator", "write"; + + permission java.util.PropertyPermission "io.netty.tryReflectionSetAccessible", "write"; + permission java.util.PropertyPermission "io.netty.allocator.numDirectArenas", "write"; + permission java.util.PropertyPermission "io.netty.noUnsafe", "write"; + permission java.util.PropertyPermission "io.netty.tryUnsafe", "write"; +}; diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy index 11fb84099c2c5..6bf3b490b6203 100644 --- a/server/src/main/resources/org/opensearch/bootstrap/security.policy +++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy 
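Review bot: The new `catch (PrivilegedActionException e)` branch wraps the `PrivilegedActionException` itself, so the exception that actually failed allocator creation sits one level down the cause chain, and unlike the `IOException` branch directly above it there is no message and no `logger.error`. Making it parallel to the existing branch keeps the log and stack trace useful: `} catch (PrivilegedActionException e) {` / `logger.error("Failed to start Arrow Flight server", e.getCause());` / `throw new RuntimeException("Failed to start Arrow Flight server", e.getCause());`. The enclosing `try` in `doStart` begins in the previous hunk, outside this one.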
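Review bot: The `write` grants on the `io.netty.*` names are for JVM-global system properties that netty reads once when its classes initialize, so whatever `ServerConfig.init` writes applies to every netty user in the process (any other netty-based transport module included), not only the Flight server; that deserves a comment above the netty block, e.g. `// NOTE: process-wide netty settings - they take effect only if written before netty's classes initialize, and they apply to every netty user in the JVM`. Also, if `io.netty.tryReflectionSetAccessible` is being set to true, netty will call `setAccessible()` on JDK internals, which needs `java.lang.reflect.ReflectPermission "suppressAccessChecks"` - a permission this same commit removes from the global grant in `security.policy` and does not re-grant to `${codebase.arrow-flight-rpc}` here; worth confirming under the security manager that netty's Unsafe/cleaner probes still succeed for this codebase rather than silently falling back.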
@@ -98,15 +98,13 @@ grant { // needed by vendored Guice permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.annotation"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + // checked by scripting engines, and before hacks and other issues in // third party code, to safeguard these against unprivileged code like scripts. permission org.opensearch.SpecialPermission; // Allow host/ip name service lookups permission java.net.SocketPermission "*", "resolve"; - permission java.net.SocketPermission "*", "accept"; // Allow reading and setting socket keepalive options permission jdk.net.NetworkPermission "getOption.TCP_KEEPIDLE"; @@ -198,14 +196,6 @@ grant { permission java.io.FilePermission "/sys/fs/cgroup/memory", "read"; permission java.io.FilePermission "/sys/fs/cgroup/memory/-", "read"; - // arrow flight server permissions - permission java.security.AllPermission; - permission java.util.PropertyPermission "arrow.allocation.manager.type", "write"; - permission java.util.PropertyPermission "arrow.enable_null_check_for_get", "write"; - permission java.util.PropertyPermission "io.netty.tryReflectionSetAccessible", "write"; - permission java.util.PropertyPermission "arrow.enable_unsafe_memory_access", "write"; - permission java.util.PropertyPermission "io.netty.allocator.numDirectArenas", "write"; - permission java.util.PropertyPermission "io.netty.noUnsafe", "write"; - permission java.util.PropertyPermission "io.netty.tryUnsafe", "write"; - permission java.util.PropertyPermission "arrow.memory.debug.allocator", "write"; + // Needed for netty based arrow flight server for netty configs related to buffer allocator + permission java.security.AllPermission "modifyThreadGroup"; };
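Review bot: Dropping `permission java.net.SocketPermission "*", "accept"` from the global grant is the right direction, but the new `plugin-security.policy` in this diff does not re-grant `accept` to `${codebase.arrow-flight-rpc}`, and a Flight server has to accept inbound connections. Unless that codebase gets `accept` from some other grant (module policies are scoped per codeBase, so another module's policy presumably does not cover it), `server.start()` will be denied under the security manager; if it is needed it belongs in the module policy as `permission java.net.SocketPermission "*", "accept";` scoped to the arrow-flight-rpc codebase, not back in the global block.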
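Review bot: `permission java.security.AllPermission "modifyThreadGroup";` does not grant a thread-group permission: `AllPermission`'s name and actions arguments are ignored by its constructor, so this line grants `AllPermission` to every code source covered by the default `grant {` block, which is precisely the `permission java.security.AllPermission;` this hunk set out to remove. The intended class is `java.lang.RuntimePermission`: `permission java.lang.RuntimePermission "modifyThreadGroup";`. Since the comment says it is needed only by the netty-based Flight server, it should also move out of the global block into the new `plugin-security.policy` under `grant codeBase "${codebase.arrow-flight-rpc}"` rather than being granted server-wide.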