-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Somehow security plugin rewrites permissions for other plugins which use Bouncy Castle #3213
Comments
[Triage] Hi @willyborankin, thank you for filing this issue. The first step to addressing this issue may be determining a mitigation strategy based on the potential for the Security plugin to restrict other components. Seems the first item for this issue will be determining the extent of the issue and whether we can work around the problem. Leaving untriaged pending actionable tasks--but for the interim this will require diagnosis. |
Could be related to the recent bump in the plugin policy? |
Reproduced it with 1.3.12 something is on OS side |
@peternied @cwperks @scrawfor99 so we find out the issue which is essentially related to the way Java allows to add the security providers. The
This is global per JVM and, in fact, could replaced by other plugin later on. That is one issue but the another one is that if any other plugin invokes JCE APIs, like for example here:
It will be using the
|
The problem seems in general unsolvable if relying on
It may partially solve the issue. |
@willyborankin could the JJWT issue experienced on 2.x be the same problem here? We made a PR to wrap the call to create the JJWT JwtParser with It was complaining it couldn't find the following permission:
but this permission is defined in the Recapping the permissions issues we've seen recently:
|
@cwperks Yes looks closer. I took a look in JJWT |
@cwperks I think these issues are unrelated:
|
Ok, I see why the JJWT The reason it was not required on main (but was on 2.x) is because the fix for the SAML permissions issue after upgrade to OpenSAML 4.3.0 wrapped the Relevant lines: df07bea#diff-f1cdacfc69b9ee7a3348e9a20a39ea0c284eff6386f3c660fc58a5874e8e071aR402-R406
|
[Triage] @reta could you provide details on what next steps look like for this issue? |
FYI This is now blocking the build on main:
Example: https://github.com/cwperks/security/actions/runs/6086141514/job/16511809613 |
Hm ... we have the security policy set:
I think we may need to add one for bouncycastle jars as well:
? |
[Triage] Resolved by #3289. |
What is the bug?
Use case:
2 plugins which use BC.
OpenSearch
starts plugins on the node in the alphabetic order.The plugin which starts first uses right permissions for PC to execute its operations.
After the sec plugin started permissions changed as result the first plugin can't use its permissions.
What is the expected behavior?
Permissions should not be changed.
What is your host/environment?
The text was updated successfully, but these errors were encountered: