Skip to content

Commit 0100715

Browse files
moschemosche
committed
fix ingest-attachment with entitlements
1 parent e5347b4 commit 0100715

File tree

1 file changed

+12
-3
lines changed
  • modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment

1 file changed

+12
-3
lines changed

modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,9 +18,11 @@
1818
import org.apache.tika.parser.ParserDecorator;
1919
import org.elasticsearch.SpecialPermission;
2020
import org.elasticsearch.bootstrap.FilePermissionUtils;
21+
import org.elasticsearch.core.Booleans;
2122
import org.elasticsearch.core.PathUtils;
2223
import org.elasticsearch.core.SuppressForbidden;
2324
import org.elasticsearch.jdk.JarHell;
25+
import org.elasticsearch.jdk.RuntimeVersionFeature;
2426

2527
import java.io.ByteArrayInputStream;
2628
import java.io.IOException;
@@ -122,15 +124,22 @@ static String parse(final byte content[], final Metadata metadata, final int lim
122124

123125
// apply additional containment for parsers, this is intersected with the current permissions
124126
// its hairy, but worth it so we don't have some XML flaw reading random crap from the FS
125-
private static final AccessControlContext RESTRICTED_CONTEXT = new AccessControlContext(
126-
new ProtectionDomain[] { new ProtectionDomain(null, getRestrictedPermissions()) }
127-
);
127+
private static final AccessControlContext RESTRICTED_CONTEXT = isUsingSecurityManager()
128+
? new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, getRestrictedPermissions()) })
129+
: null;
130+
131+
private static boolean isUsingSecurityManager() {
132+
boolean entitlementsEnabled = Booleans.parseBoolean(System.getProperty("es.entitlements.enabled"), false)
133+
|| RuntimeVersionFeature.isSecurityManagerAvailable() == false;
134+
return entitlementsEnabled == false;
135+
}
128136

129137
// compute some minimal permissions for parsers. they only get r/w access to the java temp directory,
130138
// the ability to load some resources from JARs, and read sysprops
131139
@SuppressForbidden(reason = "adds access to tmp directory")
132140
static PermissionCollection getRestrictedPermissions() {
133141
Permissions perms = new Permissions();
142+
134143
// property/env access needed for parsing
135144
perms.add(new PropertyPermission("*", "read"));
136145
perms.add(new RuntimePermission("getenv.TIKA_CONFIG"));

0 commit comments

Comments
 (0)