Couchbase Transport Plugin for Elasticsearch 2.x

TL;DR: Get it here: https://github.com/couchbaselabs/elasticsearch-transport-couchbase/releases

While the folks at Elasticsearch are busy working on version 5.0, I've now released updated versions of the Couchbase transport plugin for versions 2.x. Elasticsearch 2.0 brought a lot of changes to the security model, then more changes in 2.1 and then finally some major improvements in plugin security in 2.2. All that combined to quite a delay in pushing out the proper verions, especially since Elasticsearch plugins are version specific now. This means that for every minor version of ES, I need to build a minor version of the plugin.

We've updated the way the plugin versioning works, so it now tracks the ES minor releases. Plugin versions are now the format "2.<es_version>" to make it easier to figure out which one you should install.

If you're running ES 2.2 and higher, installing the plugin is as simple as it was before 2.0 - all you need to do is run:

bin/plugin install -b https://github.com/couchbaselabs/elasticsearch-transport-couchbase/releases/download/2.<ES_VERSION>/elasticsearch-transport-couchbase-2.<ES_VERSION>.zip

Where <ES_VERSION> is, obviously, the relevant Elasticsearch version. The -b flag tells the plugin installer to automatically accept all prompts. If you leave it out, the installer will ask you to grant the plugin extra security permissions, which you should say YES to.

If you're running ES 2.0 or 2.1, first of all you should consider upgrading. But if you're determined to install the plugin on it, you'll need to do a little extra work. In order to get the plugin to load, it is necessary to edit the system's default java.policy file, which is located in the %JAVA_HOME%/jre/lib/security directory. You can either edit this file directly, or use the policytool utility, which can be found in the %JAVA_HOME%/bin directory. Note that editing the policy file requires root permissions.
If you're editing the policy file directly, add the following to the end of the file:

grant codeBase "file:/<path to transport-couchbase plugin install directory>/*" {
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
  permission javax.security.auth.AuthPermission "setReadOnly";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.net.SocketPermission "*", "listen,resolve";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

Replace file:/<path>/* with the directory where you installed the plugin. For example, if you installed Elasticsearch from as a deb/rpm package on Linux, this would be file:/usr/share/elasticsearch/plugins/transport-couchbase/* - note the trailing *, which means that the policy will apply to all files in that directory.

If you prefer to use the GUI applet, run specify the location of the policy file with the -file parameter, for example:

sudo $JAVA_HOME/bin/policytool -file $JAVA_HOME/jre/lib/security/java.policy

When the applet window appears, verify that the Policy File textbox shows the name of the policy file you're going to edit. To add the required security settings click on the "Add Policy Entry" button. In the new "Policy Entry" window that will appear, fill in the CodeBase textbox with the URL path to the plugin's installation directory, as explained above.
Next, add each of the following permissions by clicking on the "Add Permission" button for each, then selecting the specified options:

1.)  permission javax.security.auth.AuthPermission "modifyPrincipals";

     From the "Permission:" dropdown select:

        AuthPermission

     From the "Target Name:" dropdown select:

        modifyPrincipals

     Click "Ok"

2.)  permission javax.security.auth.AuthPermission "modifyPrivateCredentials";

     From the "Permission:" dropdown select:

        AuthPermission

     From the "Target Name:" dropdown select:

        modifyPrivateCredentials

     Click "Ok"

3.)  permission javax.security.auth.AuthPermission "setReadOnly";

     From the "Permission:" dropdown select:

        AuthPermission

     From the "Target Name:" dropdown select:

        setReadOnly

     Click "Ok"

4.)  permission java.lang.RuntimePermission "setContextClassLoader";

     From the "Permission:" dropdown select:

        RuntimePermission

     From the "Target Name:" dropdown select:

        setContextClassLoader

     Click "Ok"

5.)  permission java.net.SocketPermission "*", "listen,resolve";

     From the "Permission:" dropdown select:

        SocketPermission

     In the "Target Name:" textbox type:

        *

     In the "Actions:" dropdown type:

        listen,resolve

     Click "Ok"

6.)  permission "java.lang.reflect.ReflectPermission" "suppressAccessChecks";

     From the "Permission:" dropdown select:

        ReflectPermission

     From the "Target Name:" dropdown select:

        suppressAccessChecks

     Click "Ok"

At the end of the process, your policy tool should look similar to this:

Policy Tool

Click "Done" to close the "Policy Entry" window and then select "Save" from the File menu of the "Policy Tool" window. Close the policytool utility when you're finished.

That's it. If you find any bugs, please file them in the projects issue tracker on github.

David Ostrovsky

I'm a level 38 Computer Geek, with experience in everything from databases to mobile apps. I'm also a Senior Solutions Architect at Couchbase, where I often keep clients happy by coding hard.

comments powered by Disqus