Decentralize plugin security

[rmuir]

Today ES core defines all the rules for plugins and special exceptions by name. But this means if a plugin developer needs a similar thing (perhaps just a temporary hack or workaround: maybe in a third party dependency of theirs), it is not possible today, and the only solution is to disable securitymanager entirely.

This is bad for a few reasons:

1. causes core developers stress because they are in the loop for all problems
2. encourages disabling security entirely.

This PR presents an alternative, more like the android model, where plugins can include an optional plugin-security.policy file, and users have to confirm the additional requested permissions on installation (if stdin is a controlling terminal, and there is also a new explicit -b batch flag for bin/plugin too just for completeness):

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessClassInPackage.sun.reflect
* java.lang.RuntimePermission closeClassLoader
* java.lang.RuntimePermission createClassLoader
* groovy.security.GroovyCodeSourcePermission /untrusted
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]

I think its fairly safe, we protect plugins directories pretty well now (even unix filesystem permissions are improved recently). These permissions are only granted to the plugin, like today, which means this stuff is contained pretty well. Of course it forces plugin authors to write proper security code, but I think that is ok, versus it not being possible at all. I added recommendations and an example to the plugin authors documentation to try to help with this. Even in the worst case if a plugin author adds AllPermission and screws up all the security code completely, its still better than having no security checking at all for ANY code... That is the major motivation for me wanting to do this, I think it will make things better. It just took me until now to figure out how to make the IDEs work :)

This change also allows tests to work from IDEs for such plugins without as many hacks as before, by configuring some special resources.

[dweiss]

Not only it looks like an awesome feature, but also a nice cleanup of existing code (I went through the diff out of curiosity). Very cool.

[clintongormley]

nice!

[s1monw]

boom! nice once - that 46 lines of deletions is worth the change IMO already

[s1monw]

this looks awesome! thanks for doing this!

[dadoonet]

<3

[rmuir]

@s1monw I pushed changes to improve the docs. I also moved the check after 'plugin already exists' check, so that the user doesn't have to enter Y/N before that case.

[s1monw]

LGTM

[salyh]

Thats a great idea and i would love to see this as soon as possible released. I am working on a shield kerberos realm (nearly finished) and i had to disable security manager entirely cause all the

Subject.doAs

stuff is with current ES policy not allowed. Would also be nice to read krb5.conf directly from /etc/.

[jprante]

I hoped for plugin security, thanks! Right now I have to disable security manager completely to get my groovy-based web app plugin things going https://github.com/jprante/elasticsearch-webapp

[rmuir]

Hi @salyh @jprante ... I have set the feature for 2.2 because it depends on a ton of other work that was done in the 2.2 codebase. I'm afraid this is about the soonest we can get this out unfortunately.

Before releasing it I have in mind add some minor improvements to it (e.g. ability to use full policy syntax, possibly rename the configuration file to improve IDE/test support, etc). I am working on some of that at the moment.

[costin]

@rmuir Awesome stuff! Thanks for adding this in.