[GitHub] [lucene] reta opened a new issue, #12304: VirtualMethod does unprivileged reflection access

[via GitHub]

reta opened a new issue, #12304:
URL: https://github.com/apache/lucene/issues/12304

   ### Description
   
   In OpenSearch, we've updated to the recent Apache Lucene 9.7 snapshots and 
got an number of tests failing with `java.security.AccessControlException`. The 
culprit is `org.apache.lucene.util.VirtualMethod` class that does a number of 
unprivileged calls to Reflection APIs without using 
`AccessController.doPrivileged`, a sample stack trace is below:
   
   ```
   Caused by: java.security.AccessControlException: access denied 
(\"java.lang.RuntimePermission\" \"accessDeclaredMembers\")
        at 
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at 
java.base/java.security.AccessController.checkPermission(AccessController.java:897)
        at 
java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
        at java.base/java.lang.Class.checkMemberAccess(Class.java:2847)
        at java.base/java.lang.Class.getDeclaredMethod(Class.java:2471)
        at 
org.apache.lucene.util.VirtualMethod.reflectImplementationDistance(VirtualMethod.java:139)
        at 
org.apache.lucene.util.VirtualMethod$1.computeValue(VirtualMethod.java:78)
        at 
org.apache.lucene.util.VirtualMethod$1.computeValue(VirtualMethod.java:75)
        at java.base/java.lang.ClassValue.getFromHashMap(ClassValue.java:228)
        at java.base/java.lang.ClassValue.getFromBackup(ClassValue.java:210)
        at java.base/java.lang.ClassValue.get(ClassValue.java:116)
        at 
org.apache.lucene.util.VirtualMethod.getImplementationDistance(VirtualMethod.java:111)
        at 
org.apache.lucene.util.VirtualMethod.compareImplementationDistance(VirtualMethod.java:168)
        at org.apache.lucene.search.Query.<init>(Query.java:54)
        at 
org.opensearch.join.query.HasChildQueryBuilder$LateParsingQuery.<init>(HasChildQueryBuilder.java:402)
        at 
org.opensearch.join.query.HasParentQueryBuilder.doToQuery(HasParentQueryBuilder.java:207)
        at 
org.opensearch.index.query.AbstractQueryBuilder.toQuery(AbstractQueryBuilder.java:117)
        at 
org.opensearch.index.query.QueryShardContext.lambda$toQuery$3(QueryShardContext.java:466)
        at 
org.opensearch.index.query.QueryShardContext.toQuery(QueryShardContext.java:478)
   ```
   
   I surely know that `SecurityManager` & co are deprecated but Apache Lucene / 
OpenSearch / Elasticsearch are still relying on it for the time being. 
   
   @uschindler @jpountz the fix is simple (happy to take it and submit a pull 
request) if there are no objections to make this change in general, cc @nknize 
   
   Sample failing tests:
    - 
https://build.ci.opensearch.org/job/gradle-check/15584/testReport/junit/org.opensearch.join/ParentChildClientYamlTestSuiteIT/test__yaml__11_parent_child_Parent_child_inner_hits_with_seq_no__3/
    - 
https://build.ci.opensearch.org/job/gradle-check/15584/testReport/junit/org.opensearch.join/ParentChildClientYamlTestSuiteIT/test__yaml__11_parent_child_Parent_child_inner_hits__2/
   
   ### Version and environment details
   
   Latest 9.7.0 snapshots (built of `branch_9x`)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org