[
https://issues.apache.org/jira/browse/LUCENE-6542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hoss Man updated LUCENE-6542:
-----------------------------
Attachment: LUCENE-6542.patch
Trejkaz,
I couldn't really make sense of your "TestSecurity" example -- nothing in it
seems to be enforcing the "deny write access" part of the issue, it's just
allowing more things (notably: read access for all files) then the default
policy ... at first I thought maybe you were assuming the default policy was
automatically going to deny writes, and had just meant "write" instead of
"read" in your FilePermission to start allowing it during the test -- but that
didn't match up with the assertions you had, and the exceptions you were
expecting from Files.isWritable.
In any case -- the key to my question wasn't just "how can any junit test
change the SecurityManager" it was specifically about _lucene_ tests, and
whether we already had any helper code for this in the lucene test-framework to
aid in this.
I couldn't find any, so i tried to create a test that used a custom
SecurityManager after building an index in an FSDirectory. My hope was that i
could get it working, and then refactor the SecurityManager into LuceneTestCase
with helper methods to specify Permission objects at runtime that should be
used to "deny" Permission checks before defaulting to the system configured
access policy.
Unfortunately, the results have been confusing.
Some seeds pass as expected -- but also (confusingly) pass even if i revert
your suggested changes to FSDirectory....
{noformat}
ant test -Dtestcase=TestReadOnlyIndex -Dtests.seed=32CF43854EF86591
-Dtests.slow=true -Dtests.locale=tr_TR -Dtests.timezone=NST
-Dtests.asserts=true -Dtests.file.encoding=UTF-8
{noformat}
Other seeds fail consistently with strange access errors relating to reading
JVM resource bundles -- even though nothing about the custom security manager
should be affecting these permissions...
{noformat}
ant test -Dtestcase=TestReadOnlyIndex -Dtests.seed=1DF78A66DF6175D3
-Dtests.slow=true -Dtests.locale=es_US -Dtests.timezone=Africa/Johannesburg
-Dtests.asserts=true -Dtests.file.encoding=UTF-8
{noformat}
...
{noformat}
[junit4] Started J0 PID(8937@localhost).
[junit4] Suite: org.apache.lucene.index.TestReadOnlyIndex
[junit4] 2> NOTE: reproduce with: ant test -Dtestcase=TestReadOnlyIndex
-Dtests.method=testReadOnlyIndex -Dtests.seed=1DF78A66DF6175D3
-Dtests.slow=true -Dtests.locale=es_US -Dtests.timezone=Africa/Johannesburg
-Dtests.asserts=true -Dtests.file.encoding=UTF-8
[junit4] ERROR 0.16s | TestReadOnlyIndex.testReadOnlyIndex <<<
[junit4] > Throwable #1: java.lang.BootstrapMethodError: call site
initialization exception
[junit4] > at
__randomizedtesting.SeedInfo.seed([1DF78A66DF6175D3:A472513897A23BC1]:0)
[junit4] > at java.lang.invoke.CallSite.makeSite(CallSite.java:341)
[junit4] > at
java.lang.invoke.MethodHandleNatives.linkCallSiteImpl(MethodHandleNatives.java:307)
[junit4] > at
java.lang.invoke.MethodHandleNatives.linkCallSite(MethodHandleNatives.java:297)
[junit4] > at
org.apache.lucene.store.MMapDirectory.<clinit>(MMapDirectory.java:165)
[junit4] > at
org.apache.lucene.store.FSDirectory.open(FSDirectory.java:163)
[junit4] > at
org.apache.lucene.store.FSDirectory.open(FSDirectory.java:157)
[junit4] > at
org.apache.lucene.index.TestReadOnlyIndex.testReadOnlyIndex(TestReadOnlyIndex.java:82)
[junit4] > at java.lang.Thread.run(Thread.java:745)
[junit4] > Caused by: java.util.MissingResourceException: Can't find
bundle for base name sun.util.resources.CurrencyNames, locale es_US
[junit4] > at
java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1564)
[junit4] > at
java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1387)
[junit4] > at
java.util.ResourceBundle.getBundle(ResourceBundle.java:890)
[junit4] > at
sun.util.resources.LocaleData$1.run(LocaleData.java:164)
[junit4] > at
sun.util.resources.LocaleData$1.run(LocaleData.java:160)
[junit4] > at java.security.AccessController.doPrivileged(Native
Method)
[junit4] > at
sun.util.resources.LocaleData.getBundle(LocaleData.java:160)
[junit4] > at
sun.util.resources.LocaleData.getCurrencyNames(LocaleData.java:84)
[junit4] > at
sun.util.locale.provider.LocaleResources.getCurrencyName(LocaleResources.java:216)
[junit4] > at
sun.util.locale.provider.CurrencyNameProviderImpl.getString(CurrencyNameProviderImpl.java:122)
[junit4] > at
sun.util.locale.provider.CurrencyNameProviderImpl.getSymbol(CurrencyNameProviderImpl.java:90)
[junit4] > at
java.util.Currency$CurrencyNameGetter.getObject(Currency.java:640)
[junit4] > at
java.util.Currency$CurrencyNameGetter.getObject(Currency.java:625)
[junit4] > at
sun.util.locale.provider.LocaleServiceProviderPool.getLocalizedObjectImpl(LocaleServiceProviderPool.java:281)
[junit4] > at
sun.util.locale.provider.LocaleServiceProviderPool.getLocalizedObject(LocaleServiceProviderPool.java:265)
[junit4] > at java.util.Currency.getSymbol(Currency.java:505)
[junit4] > at
java.text.DecimalFormatSymbols.initialize(DecimalFormatSymbols.java:648)
[junit4] > at
java.text.DecimalFormatSymbols.<init>(DecimalFormatSymbols.java:113)
[junit4] > at
sun.util.locale.provider.DecimalFormatSymbolsProviderImpl.getInstance(DecimalFormatSymbolsProviderImpl.java:85)
[junit4] > at
java.text.DecimalFormatSymbols.getInstance(DecimalFormatSymbols.java:180)
[junit4] > at java.util.Formatter.getZero(Formatter.java:2283)
[junit4] > at java.util.Formatter.<init>(Formatter.java:1892)
[junit4] > at java.util.Formatter.<init>(Formatter.java:1914)
[junit4] > at java.lang.String.format(String.java:2928)
[junit4] > at
java.lang.invoke.TypeConvertingMethodAdapter.boxingDescriptor(TypeConvertingMethodAdapter.java:134)
[junit4] > at
java.lang.invoke.TypeConvertingMethodAdapter.box(TypeConvertingMethodAdapter.java:161)
[junit4] > at
java.lang.invoke.TypeConvertingMethodAdapter.convertType(TypeConvertingMethodAdapter.java:236)
[junit4] > at
java.lang.invoke.InnerClassLambdaMetafactory$ForwardingMethodGenerator.generate(InnerClassLambdaMetafactory.java:476)
[junit4] > at
java.lang.invoke.InnerClassLambdaMetafactory.spinInnerClass(InnerClassLambdaMetafactory.java:288)
[junit4] > at
java.lang.invoke.InnerClassLambdaMetafactory.buildCallSite(InnerClassLambdaMetafactory.java:194)
[junit4] > at
java.lang.invoke.LambdaMetafactory.metafactory(LambdaMetafactory.java:304)
[junit4] > at java.lang.invoke.CallSite.makeSite(CallSite.java:302)
[junit4] > ... 42 more
[junit4] > Caused by: java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "accessClassInPackage.sun.util.resources")
[junit4] > at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
[junit4] > at
java.security.AccessController.checkPermission(AccessController.java:884)
[junit4] > at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
[junit4] > at
org.apache.lucene.index.TestReadOnlyIndex$RestrictiveSecurityManager.checkPermission(TestReadOnlyIndex.java:153)
[junit4] > at
java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
[junit4] > at
sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:311)
[junit4] > at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
[junit4] > at
java.util.ResourceBundle$RBClassLoader.loadClass(ResourceBundle.java:503)
[junit4] > at
java.util.ResourceBundle$Control.newBundle(ResourceBundle.java:2640)
[junit4] > at
java.util.ResourceBundle.loadBundle(ResourceBundle.java:1501)
[junit4] > at
java.util.ResourceBundle.findBundle(ResourceBundle.java:1465)
[junit4] > at
java.util.ResourceBundle.findBundle(ResourceBundle.java:1419)
[junit4] > at
java.util.ResourceBundle.findBundle(ResourceBundle.java:1419)
[junit4] > at
java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1361)
[junit4] > ... 72 more
[junit4] OK 0.00s | TestReadOnlyIndex.testSanityCheckSecurityManager
[junit4] 2> NOTE: test params are: codec=Asserting(Lucene53):
{fieldname=Lucene50(blocksize=128)}, docValues:{},
sim=RandomSimilarityProvider(queryNorm=true,coord=no): {fieldname=DFR GL2},
locale=es_US, timezone=Africa/Johannesburg
[junit4] 2> NOTE: Linux 3.19.0-18-generic amd64/Oracle Corporation
1.8.0_45 (64-bit)/cpus=4,threads=1,free=207954744,total=249561088
[junit4] 2> NOTE: All tests run in this JVM: [TestReadOnlyIndex]
[junit4] Completed [1/1] in 0.78s, 2 tests, 1 error <<< FAILURES!
[junit4]
[junit4]
[junit4] Tests with failures:
[junit4] - org.apache.lucene.index.TestReadOnlyIndex.testReadOnlyIndex
[junit4]
[junit4]
[junit4] JVM J0: 0.73 .. 1.74 = 1.01s
[junit4] Execution time total: 1.77 sec.
[junit4] Tests summary: 1 suite, 2 tests, 1 error
{noformat}
...from what i can tell, these AccessControlException will happen just by
having a Security Manager subclass that overrides checKPermission, even if that
override does nothing but delegate to super...
{code}
@Override
public void checkPermission(Permission permission) {
// first see if the top level policy allows/prevents
super.checkPermission(permission);
// now explicitly deny things we're configured to deny
// if (deny.implies(permission)) {
// throw new SecurityException("explicitly denied by test");
// }
}
{code}
...so i'm really not sure what's going on here.
> FSDirectory throws AccessControlException unless you grant write access to
> the index
> ------------------------------------------------------------------------------------
>
> Key: LUCENE-6542
> URL: https://issues.apache.org/jira/browse/LUCENE-6542
> Project: Lucene - Core
> Issue Type: Bug
> Components: core/store
> Affects Versions: 5.1
> Reporter: Trejkaz
> Labels: regression
> Attachments: LUCENE-6542.patch, patch.txt
>
>
> Hit this during my attempted upgrade to Lucene 5.1.0. (Yeah, I know 5.2.0 is
> out, and we'll be using that in production anyway, but the merge takes time.)
> Various tests of ours test Directory stuff against methods which the security
> policy won't allow tests to write to. Changes in FSDirectory mean that it now
> demands write access to the directory. 4.10.4 permitted read-only access.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
