Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add bouncycastle permissions to security.policy #9770

Closed
wants to merge 5 commits into from
Closed

Add bouncycastle permissions to security.policy #9770

wants to merge 5 commits into from

Conversation

cwperks
Copy link
Member

@cwperks cwperks commented Sep 5, 2023
edited
Loading

Description

Adds bouncycastle permissions into core's security.policy file. With the introduction of opensearch-encryption-sdk, the bouncycastle provider (bcprovp-jdk15to18) is now a dependency of core. The security plugin also has a direct dependency on the same artifact and has permissions in its plugin-security.policy file to grant the security plugin permission to add the bouncy castle provider.

There is an issue bringing up a node with the security plugin installed and TLS enabled because the permissions are not present in bootstrap/security.policy and the dependency has now been moved to core

Related Issues

Resolves opensearch-project/security#3309

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwperks
Copy link
Member Author

cwperks commented Sep 5, 2023

@peternied @reta @Bukhtawar @gbbafna @vikasvb90

@cwperks
Add CHANGELOG entry
a3f35b2 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks
Copy link
Member Author

cwperks commented Sep 5, 2023

Tested by performing plugin install manually of the security plugin.

  • Make a local distribution of core: ./gradlew localDistro
  • cd build/distribution/local/opensearch-3.0.0-SNAPSHOT
  • Make a snapshot of the security plugin. From the root directory of the security repo run ./gradlew assemble
  • Plugin output is at <OPENSEARCH_SECURITY_HOME>/build/distributions/opensearch-security-3.0.0.0-SNAPSHOT.zip
  • Install the plugin. Example: ./bin/opensearch-plugin install file:/Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.0.0.0-SNAPSHOT.zip
  • Run the install_demo_configuration.sh script and answer 'y' to all questions: ./plugins/opensearch-security/tools/install_demo_configuration.sh
  • Run OpenSearch node: ./bin/opensearch

There should be no errors on startup. The security plugin has an automated CI check for plugin install, but the check will not work until this PR is merged.

peternied
peternied reviewed Sep 5, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a danger that this lowers the security posture of the SSL in such a way that any plugins can manipulate the SSL configuration, whereas previously this was isolated to plugins with this policy?

@cwperks
Copy link
Member Author

cwperks commented Sep 5, 2023

Is there a danger that this lowers the security posture of the SSL in such a way that any plugins can manipulate the SSL configuration, whereas previously this was isolated to plugins with this policy?

Yes that's correct. Any plugin would be able to execute this same block as the security plugin: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java#L334-L342

With the plugin-security.policy file, cluster admins installing plugins will accept a policy when installing a plugin. That is not the case with the policy file in this PR. The security.policy file in this PR is applicable to core and plugins.

RyanL1997
RyanL1997 reviewed Sep 5, 2023
View reviewed changes
server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -85,6 +85,12 @@ grant codeBase "${codebase.zstd-jni}" {
permission java.lang.RuntimePermission "loadLibrary.*";
};

grant codeBase "${codebase.bcprov-jdk15to18}" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this for jdk 11?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the way that bouncycastle releases artifacts. Until last month the securityplugin was using jdk15on, but then switched to jdk15to18 (PR where it was changed: opensearch-project/security#2901). I plan to open an issue about using jdk18on.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, this is due to #9289, the BC has moved to core and now we need this permission to manage security providers.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Compatibility status:

Checks if related components are compatible with change 8c85f27

Incompatible components

Incompatible components: [https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/anomaly-detection.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/reporting.git]

@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Compatibility status:

Checks if related components are compatible with change a3f35b2

Incompatible components

Incompatible components: [https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/anomaly-detection.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/reporting.git]

@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Gradle Check (Jenkins) Run Completed with:

@codecov
Copy link

codecov bot commented Sep 5, 2023
edited
Loading

Codecov Report

Merging #9770 (a3f35b2) into main (19a13f0) will increase coverage by 0.04%.
Report is 4 commits behind head on main.
The diff coverage is n/a.

❗ Current head a3f35b2 differs from pull request most recent head 037efca. Consider uploading reports for the commit 037efca to get more accurate results

@@             Coverage Diff              @@
##               main    #9770      +/-   ##
============================================
+ Coverage     71.14%   71.19%   +0.04%     
+ Complexity    57973    57965       -8     
============================================
  Files          4825     4825              
  Lines        273348   273348              
  Branches      39841    39841              
============================================
+ Hits         194473   194598     +125     
+ Misses        62523    62371     -152     
- Partials      16352    16379      +27

see 470 files with indirect coverage changes

@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Gradle Check (Jenkins) Run Completed with:

@reta
Copy link
Collaborator

reta commented Sep 5, 2023

Yes that's correct. Any plugin would be able to execute this same block as the security plugin: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java#L334-L342

@cwperks I think this is a good moment to fix that, we know that plugins should not be adding security providers for a two reasons:

  • the order plugins are loaded makes it predictable (the first one will load and others will fail)
  • since this is in core now, we should let core load it (only libs/opensearch-encryption-sdk should do that)

@cwperks cwperks mentioned this pull request Sep 5, 2023
Closed
3 tasks
@willyborankin
Copy link
Contributor

Is there a danger that this lowers the security posture of the SSL in such a way that any plugins can manipulate the SSL configuration, whereas previously this was isolated to plugins with this policy?

Thats why it is a workaround for 2.10. But it needs to be addressed asap.

@reta
Copy link
Collaborator

reta commented Sep 5, 2023

Is there a danger that this lowers the security posture of the SSL in such a way that any plugins can manipulate the SSL configuration, whereas previously this was isolated to plugins with this policy?

Thats why it is a workaround for 2.10. But it needs to be addressed asap.

@peternied @cwperks @willyborankin the problem is more severe than that, the permissions in this pull request only grant the add/remove provider privileges, but we need much more, the plugin will fail down the line, for example I just added this small piece of code into security plugin initialization sequence:

       import org.bouncycastle.jcajce.provider.symmetric.util.GcmSpecUtil;
 
       ...
        if (GcmSpecUtil.gcmSpecExists()) {
            System.out.println("GcmSpec exists");
        }

It fails with java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") because, well, bcprov needs reflection access as well.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Compatibility status:

Checks if related components are compatible with change 9e43830

Incompatible components

Incompatible components: [https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/neural-search.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

@willyborankin
Copy link
Contributor

willyborankin commented Sep 5, 2023
edited
Loading

Is there a danger that this lowers the security posture of the SSL in such a way that any plugins can manipulate the SSL configuration, whereas previously this was isolated to plugins with this policy?

Thats why it is a workaround for 2.10. But it needs to be addressed asap.

@peternied @cwperks @willyborankin the problem is more severe than that, the permissions in this pull request only grant the add/remove provider privileges, but we need much more, the plugin will fail down the line, for example I just added this small piece of code into security plugin initialization sequence:

       import org.bouncycastle.jcajce.provider.symmetric.util.GcmSpecUtil;
 
       ...
        if (GcmSpecUtil.gcmSpecExists()) {
            System.out.println("GcmSpec exists");
        }

It fails with java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") because, well, bcprov needs reflection access as well.

I'm afraid not only the sec plugin. Oh boy oh boy. This is a security hole. Since technically any plugin can chnage SSL behave for example or revoke access to the important functionality.

@cwperks
Copy link
Member Author

cwperks commented Sep 5, 2023
edited
Loading

@willyborankin I see you mentioned there is a performance hit if the security plugin explicitly passes in a provider in calls that take a provider. opensearch-project/security#3317 (comment)

i.e.

Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding", BouncyCastleProvider.PROVIDER_NAME)

instead of

Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding");

If the provider is passed in explicitly within the security plugin to calls that need one, which policy file is in effect? Any idea what the performance tax is for explicitly passing the provider in each call?

@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Gradle Check (Jenkins) Run Completed with:

@willyborankin
Copy link
Contributor

@willyborankin I see you mentioned there is a performance hit if the security plugin explicitly passes in a provider in calls that take a provider. opensearch-project/security#3317 (comment)

i.e.

Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding", BouncyCastleProvider.PROVIDER_NAME)

instead of

Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding");

If the provider is passed in explicitly within the security plugin to calls that need one, which policy file is in effect? Any idea what the performance tax is for explicitly passing the provider in each call?

the policy file is OpenSerach requirements. If library is in libs the policy will be shared between all plugins otherwise each plugin is responsible for the policy it needs. We need a better solution in case of crypto-sdk nothing more but I do not know how it should look like.

peternied
peternied requested changes Sep 5, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the dialog I see on this issue it looks like this is creating a new category of risk where previously only individual plugins needed to modify their policy file to gain access to restricted APIs, but by adding this privilege up to core there is no longer a clear isolation.

A change to security posture needs to go through a security review process as opposed to an ad-hoc 11th hour patch.

@cwperks
Copy link
Member Author

cwperks commented Sep 5, 2023

Closing this PR. Any further discussion on this issue should happen in the security issue: opensearch-project/security#3309

@cwperks cwperks closed this Sep 5, 2023
@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Compatibility status:

Checks if related components are compatible with change 037efca

Incompatible components

Incompatible components: [https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/anomaly-detection.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git]

@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Gradle Check (Jenkins) Run Completed with:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RyanL1997 RyanL1997 RyanL1997 left review comments

@peternied peternied peternied requested changes

@reta reta Awaiting requested review from reta reta is a code owner

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE is a code owner

@dblock dblock Awaiting requested review from dblock dblock is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna is a code owner

@setiah setiah Awaiting requested review from setiah

@kartg kartg Awaiting requested review from kartg

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 is a code owner

@nknize nknize Awaiting requested review from nknize nknize is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 is a code owner

@ryanbogan ryanbogan Awaiting requested review from ryanbogan

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja is a code owner

@dreamer-89 dreamer-89 Awaiting requested review from dreamer-89

@tlfeng tlfeng Awaiting requested review from tlfeng

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@dbwiddis dbwiddis Awaiting requested review from dbwiddis dbwiddis is a code owner

@sachinpkale sachinpkale Awaiting requested review from sachinpkale sachinpkale is a code owner

@sohami sohami Awaiting requested review from sohami sohami is a code owner

@msfroh msfroh Awaiting requested review from msfroh msfroh is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Security Plugin cannot startup due to AccessControlException: access denied
5 participants
@cwperks @reta @willyborankin @peternied @RyanL1997