Force property expansion for security policy (#87396) (#87489)

rjernst · web-flow · commit 1f2a9060476d · 2022-06-07T20:05:06.000-04:00
When resolving the security policy files for server and components of
Elasticsearch, each jar file location is put into a special system
property value so that policy files may contain codeBase specific
grants. The mechanism for substituting system properties is part of the
JDK's policy parser. However, a security property exists,
policy.expandProperties, which controls whether properties will actually
be expanded. If a user ends up setting this, Elasticsearch will fail to
start.

This commit forces the value of the security property to ensure the
policy files can always be parsed correctly.
diff --git a/docs/changelog/87396.yaml b/docs/changelog/87396.yaml
@@ -0,0 +1,5 @@
+pr: 87396
+summary: Force property expansion for security policy
+area: Infra/Core
+type: enhancement
+issues: []
diff --git a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
@@ -59,7 +59,7 @@ class Elasticsearch extends EnvironmentAwareCommand {
      * Main entry point for starting elasticsearch
      */
     public static void main(final String[] args) throws Exception {
-        overrideDnsCachePolicyProperties();
+        bootstrapSecurityProperties();
         org.elasticsearch.bootstrap.Security.prepopulateSecurityCaller();
 
         /*
@@ -103,7 +103,7 @@ static void printLogsSuggestion() {
         }
     }
 
-    private static void overrideDnsCachePolicyProperties() {
+    private static void bootstrapSecurityProperties() {
         for (final String property : new String[] { "networkaddress.cache.ttl", "networkaddress.cache.negative.ttl" }) {
             final String overrideProperty = "es." + property;
             final String overrideValue = System.getProperty(overrideProperty);
@@ -116,6 +116,9 @@ private static void overrideDnsCachePolicyProperties() {
                 }
             }
         }
+
+        // policy file codebase declarations in security.policy rely on property expansion, see PolicyUtil.readPolicy
+        Security.setProperty("policy.expandProperties", "true");
     }
 
     static int main(final String[] args, final Elasticsearch elasticsearch, final Terminal terminal) throws Exception {

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ class Elasticsearch extends EnvironmentAwareCommand {`
`59`	`59`	`* Main entry point for starting elasticsearch`
`60`	`60`	`*/`
`61`	`61`	`public static void main(final String[] args) throws Exception {`
`62`		`- overrideDnsCachePolicyProperties();`
	`62`	`+ bootstrapSecurityProperties();`
`63`	`63`	`org.elasticsearch.bootstrap.Security.prepopulateSecurityCaller();`
`64`	`64`
`65`	`65`	`/*`
`@@ -103,7 +103,7 @@ static void printLogsSuggestion() {`
`103`	`103`	`}`
`104`	`104`	`}`
`105`	`105`
`106`		`- private static void overrideDnsCachePolicyProperties() {`
	`106`	`+ private static void bootstrapSecurityProperties() {`
`107`	`107`	`for (final String property : new String[] { "networkaddress.cache.ttl", "networkaddress.cache.negative.ttl" }) {`
`108`	`108`	`final String overrideProperty = "es." + property;`
`109`	`109`	`final String overrideValue = System.getProperty(overrideProperty);`
`@@ -116,6 +116,9 @@ private static void overrideDnsCachePolicyProperties() {`
`116`	`116`	`}`
`117`	`117`	`}`
`118`	`118`	`}`
	`119`	`+`
	`120`	`+ // policy file codebase declarations in security.policy rely on property expansion, see PolicyUtil.readPolicy`
	`121`	`+ Security.setProperty("policy.expandProperties", "true");`
`119`	`122`	`}`
`120`	`123`
`121`	`124`	`static int main(final String[] args, final Elasticsearch elasticsearch, final Terminal terminal) throws Exception {`