I have a Bamboo Specs repo that uses Azure KeyVault for fetching a few variables (passwords) used by build/deploy jobs.
I'm curious if anyone knows a way around the Access Control Exceptions:
[ERROR] Failed to execute goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run (default-cli) on project bamboo-specs-generator: Execution default-cli of goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run failed: access denied ("java.net.NetPermission" "getProxySelector") -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run (default-cli) on project bamboo-specs-generator: Execution default-cli of goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run failed: access denied ("java.net.NetPermission" "getProxySelector")
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution default-cli of goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run failed: access denied ("java.net.NetPermission" "getProxySelector")
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:145)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
    ... 20 more
Caused by: java.security.AccessControlException: access denied ("java.net.NetPermission" "getProxySelector")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at com.atlassian.bamboo.specs.maven.sandbox.AbstractThreadPermissionVerifier.checkPermission(AbstractThreadPermissionVerifier.java:18)
    at com.atlassian.bamboo.specs.maven.sandbox.BambooSpecsSecurityManager.checkPermission(BambooSpecsSecurityManager.java:37)
    at java.net.ProxySelector.getDefault(ProxySelector.java:94)
    at okhttp3.OkHttpClient$Builder.<init>(OkHttpClient.java:425)
    at com.microsoft.azure.AzureServiceClient.<init>(AzureServiceClient.java:25)
    at com.microsoft.azure.keyvault.KeyVaultClientImpl.<init>(KeyVaultClientImpl.java:203)
    at com.microsoft.azure.keyvault.KeyVaultClientImpl.<init>(KeyVaultClientImpl.java:193)
    at com.microsoft.azure.keyvault.KeyVaultClient.<init>(KeyVaultClient.java:179)
    at com.hiscox.plan.Default.<init>(Default.java:28)
    at com.hiscox.plan.DockerComposeCommon.<init>(DockerComposeCommon.java:35)
    at com.hiscox.plan.DockerComposeCommon.<init>(DockerComposeCommon.java:40)
    at com.hiscox.PlanSpec.main(PlanSpec.java:22)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.atlassian.bamboo.specs.maven.sandbox.SpecsRunner.callMainMethod(SpecsRunner.java:95)
    at com.atlassian.bamboo.specs.maven.sandbox.SpecsRunner.runSpecsInternal(SpecsRunner.java:76)
    at com.atlassian.bamboo.specs.maven.sandbox.SpecsRunner$$Lambda$13/1222908765.get(Unknown Source)
    at com.atlassian.bamboo.specs.maven.sandbox.SecureMethodInvoker.lambda$invokeInternal$0(SecureMethodInvoker.java:34)
    at com.atlassian.bamboo.specs.maven.sandbox.SecureMethodInvoker$$Lambda$14/1331644236.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
Edit:
Bamboo 6.5
I see documents reference an "Enable secure Specs processing" setting, but I'm not seeing it in Security settings.
Reference: https://confluence.atlassian.com/bamboo/repository-stored-bamboo-specs-security-938844473.html
@Dakota Brown not sure if this would still help you in any way given the time since your question, but it might help others.
I don't know much about your context, but it seems to me your Bamboo installation is running Tomcat (i.e. Catalina) in security mode (have a look at the bin/catalina.sh file in your installation directory, where security mode is selected). When this is the case, the security policies as defined in the file conf/catalina.policy are in place.
Your Bamboo specs are being executed by the bamboo specs runner (see jar at https://mvnrepository.com/artifact/com.atlassian.bamboo/bamboo-specs-runner/6.5.0) in some kind of sandbox environment. Your dependency on the Azure Key Vault triggers network communication from bamboo-specs-runner-6.0.5.jar, for which I cannot find an exception in catalina.policy, hence the exception.
So the solution would be to adjust the catalina.policy file and include the following permission:
permission java.net.NetPermission "getProxySelector";
For bamboo-specs-runner-6.0.5.jar.
Mind that I did not try this and I'm not an expert on Catalina security policies.
As an alternative, there is now a plugin (note that I am the author!) which avoids the need to fetch secret variables from your specs; it rather resolves them at build and deploy time by reference. See https://marketplace.atlassian.com/apps/1221965/secret-managers-for-bamboo
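For reading a denial like the one in the question, this added example (not code from the posts above or from Atlassian) parses a Java stack trace and reports which permission was refused, which security manager class received the check, and which library call triggered it. The function name `triage_denial` and the result keys are assumptions made for illustration; the sample is a shortened copy of the trace in the question.

```python
import re

# Constructed sample: a shortened copy of the trace in the question, one frame per line.
SAMPLE_TRACE = """\
Caused by: java.security.AccessControlException: access denied ("java.net.NetPermission" "getProxySelector")
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at com.atlassian.bamboo.specs.maven.sandbox.BambooSpecsSecurityManager.checkPermission(BambooSpecsSecurityManager.java:37)
    at java.net.ProxySelector.getDefault(ProxySelector.java:94)
    at okhttp3.OkHttpClient$Builder.<init>(OkHttpClient.java:425)
    at com.microsoft.azure.keyvault.KeyVaultClientImpl.<init>(KeyVaultClientImpl.java:203)
    at com.hiscox.plan.Default.<init>(Default.java:28)
"""

# AccessControlException message: ("permission class" "target" ["actions"])
DENIED = re.compile(
    r'AccessControlException: access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
FRAME = re.compile(r'\bat ([\w.$]+)\.([\w$<>]+)\(')  # captures (class, method)
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")


def triage_denial(trace):
    """Return what was denied, who enforced it and who asked; None if no denial."""
    m = DENIED.search(trace)
    if not m:
        return None
    perm_class, target, actions = m.group(1), m.group(2), m.group(3)
    frames = FRAME.findall(trace[m.end():])
    # Innermost frames form the checkPermission chain; its last frame is the
    # security manager that the guarded JDK call consulted.
    n = 0
    while n < len(frames) and frames[n][1] == "checkPermission":
        n += 1
    callers = [f"{cls}.{meth}" for cls, meth in frames[n:]]
    non_jdk = [c for c in callers if not c.startswith(JDK_PREFIXES)]
    entry = f'permission {perm_class} "{target}"'
    if actions:
        entry += f', "{actions}"'
    return {
        "permission": perm_class,
        "target": target,
        "enforced_by": frames[n - 1][0] if n else None,
        "guarded_call": callers[0] if callers else None,
        "triggered_by": non_jdk[0] if non_jdk else None,
        "policy_entry": entry + ";",
    }


if __name__ == "__main__":
    print(triage_denial(SAMPLE_TRACE))
```

The `enforced_by` field names the class that made the decision, which is the component whose permission configuration governs the denial.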