Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing doPriviliged in deprecation logger #81708

Closed
pgomulka opened this issue Dec 14, 2021 · 2 comments · Fixed by #81819
Closed

Missing doPriviliged in deprecation logger #81708

pgomulka opened this issue Dec 14, 2021 · 2 comments · Fixed by #81819
Labels
>bug :Core/Infra/Core Core issues without another label :Core/Infra/Scripting Scripting abstractions, Painless, and Mustache Team:Core/Infra Meta label for core/infra team v7.16.0 v8.0.0-rc1 v8.1.0

Comments

@pgomulka
Copy link
Contributor

possibly a doPriviliged in deprecation logger together with a test DeprecationLoggerTests.testLogPermissions
were accidentally removed.
This is possibly a regression.

Scripts run under reduced privileges. (can @elastic/es-core-infra help?) and
the test was introduced to verify deprecation logger not violating Security Manager permission when rolling over the files.
7.0+
https://github.com/elastic/elasticsearch/pull/37281/files#diff-70de5a6ba5c637e7f19c51341417760d6e957beb5a1fa5703049095ea2719ee0R322

However the doPriviliged call in deprecation logger was removed in (7.10+) https://github.com/elastic/elasticsearch/pull/55941/files#diff-593ea478a0a8d462fd38ad70838ee6e4a28673478d28812c48d9ed5cf768c132L249

The test itself was removed in 7.10+
https://github.com/elastic/elasticsearch/pull/61474/files#diff-70de5a6ba5c637e7f19c51341417760d6e957beb5a1fa5703049095ea2719ee0L47

@stu-elastic or @jdconrad do you remember more context about this? Do you think this should be fixed?
@pgomulka pgomulka added >bug :Core/Infra/Core Core issues without another label :Core/Infra/Scripting Scripting abstractions, Painless, and Mustache v8.0.0 needs:triage Requires assignment of a team area label v7.16.0 v8.1.0 labels Dec 14, 2021
@elasticmachine elasticmachine added Team:Core/Infra Meta label for core/infra team labels Dec 14, 2021
@pgomulka pgomulka mentioned this issue Dec 14, 2021
Closed
@jdconrad
Copy link
Contributor

@pgomulka It does indeed appear this is a regression based on your findings here. Reading back through (#28485) and (#37281) confirms log rollover will fail w/o the doPrivileged call if executed directly from a script. This is going to be necessary until security manager is removed in its entirety.

@nik9000 Would you please take a look at this to make sure I haven't overlooked anything?

@nik9000
Copy link
Member

nik9000 commented Dec 14, 2021

I think you are correct, we should revive this test and get it passing.

@nik9000 nik9000 removed the needs:triage Requires assignment of a team area label label Dec 14, 2021
pgomulka added a commit to pgomulka/elasticsearch that referenced this issue Dec 16, 2021
@pgomulka
Add doPrivileged section in deprecation logger
ac82678 
Scripts using deprecation logger can trigger log files rolling over.
Scripts also run with a very limited permissions and without
doPrivileged section would cause SM exception

closes elastic#81708
@pgomulka pgomulka mentioned this issue Dec 16, 2021
Merged
pgomulka added a commit that referenced this issue Dec 17, 2021
@pgomulka
Add doPrivileged section in deprecation logger (#81819)
f954919 
Scripts using deprecation logger can trigger log files rolling over.
Scripts also run with a very limited permissions and without
doPrivileged section would cause SM exception

closes #81708
pgomulka added a commit to pgomulka/elasticsearch that referenced this issue Dec 17, 2021
@pgomulka
Add doPrivileged section in deprecation logger (elastic#81819)
9e936de 
Scripts using deprecation logger can trigger log files rolling over.
Scripts also run with a very limited permissions and without
doPrivileged section would cause SM exception

closes elastic#81708
pgomulka added a commit to pgomulka/elasticsearch that referenced this issue Dec 20, 2021
@pgomulka
Add doPrivileged section in deprecation logger elastic#81819
3464668 
Scripts using deprecation logger can trigger log files rolling over.
Scripts also run with a very limited permissions and without
doPrivileged section would cause SM exception

closes elastic#81708
@pgomulka pgomulka mentioned this issue Dec 20, 2021
Merged
pgomulka added a commit that referenced this issue Dec 20, 2021
@pgomulka
Add doPrivileged section in deprecation logger backport(#81819) (#81844)
3648ecf 
Scripts using deprecation logger can trigger log files rolling over.
Scripts also run with a very limited permissions and without
doPrivileged section would cause SM exception

closes #81708
pgomulka added a commit that referenced this issue Dec 23, 2021
@pgomulka
[7.17] Add doPrivileged section in deprecation logger backport(#81819) (
7463a18 
#81922)

Scripts using deprecation logger can trigger log files rolling over.
Scripts also run with a very limited permissions and without
doPrivileged section would cause SM exception

closes #81708
backport #81819
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
>bug :Core/Infra/Core Core issues without another label :Core/Infra/Scripting Scripting abstractions, Painless, and Mustache Team:Core/Infra Meta label for core/infra team v7.16.0 v8.0.0-rc1 v8.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add doPrivileged section in deprecation logger pgomulka/elasticsearch
5 participants
@nik9000 @jdconrad @mark-vieira @pgomulka @elasticmachine