AccessControlException after installing armor plugin #20

Open
vkhazin opened this issue Sep 6, 2016 · 5 comments

vkhazin commented Sep 6, 2016

After building the package using Maven, as the standard plugin installation did not work, the Elasticsearch service fails on start:

sudo service elasticsearch start

Starting elasticsearch: Exception in thread "main" ElasticsearchException[java.security.AccessControlException: access denied ("java.io.FilePermission" "." "read")]
    at com.petalmd.armor.service.ArmorService.<init>(ArmorService.java:162)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at <<<guice>>>
    at org.elasticsearch.node.Node.<init>(Node.java:213)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

@jmaitrehenry
Contributor

Hi @vkhazin,
Could you set the armor.key_path with a path where ES could write the node key and try again?
By default, the path is set to '.'

Thanks

Author

vkhazin commented Sep 6, 2016

Hi @jmaitrehenry,

Thank you for the suggestion!
Seems like something else is missing...

/etc/elasticsearch/elasticsearch.yml

armor.key_path: /data/elasticsearch/armor

ls /data/elasticsearch/armor -la

total 8
drwxr-xr-x 2 elasticsearch root 4096 Sep  6 18:38 .
drwxr-xr-x 5 elasticsearch root 4096 Sep  6 18:38 ..

sudo service elasticsearch start

Starting elasticsearch: Exception in thread "main" ElasticsearchException[java.security.AccessControlException: access denied ("java.io.FilePermission" "/data/elasticsearch/armor/armor_node_key.key" "read")]
    at com.petalmd.armor.service.ArmorService.<init>(ArmorService.java:162)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at <<<guice>>>
    at org.elasticsearch.node.Node.<init>(Node.java:213)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

Author

vkhazin commented Sep 6, 2016

Another question: where is '.' located:
/
/etc/elasticsearch
/usr/share/elasticsearch
/usr/share/elasticsearch/bin
/usr/share/elasticsearch/plugins
/usr/share/elasticsearch/plugins/armor
/{data folder}
/{log folder}

Author

vkhazin commented Sep 7, 2016

After running around the system for a while with

sudo chmod 777 -R ...

Removing OpenJDK and installing Oracle JDK, jumping from the ground floor level a few times and going postal on the floor...

It turns out that it is not Linux I/O permissions so much as that the plugin policy file does not seem to be picked up:

/usr/share/elasticsearch/plugins/armor/plugin-security.policy

grant {   
  permission java.security.SecurityPermission "createAccessControlContext";
  permission java.io.FilePermission "${armor.key_path}", "read,readlink,write";
  permission java.io.FilePermission "./-", "read,readlink,write";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessDeclaredMembers";

};

To resolve/work around this I had to modify the system-wide Java policy file:
/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/java.policy

adding the following lines at the end:

...
        permission java.io.FilePermission "/data/elasticsearch/armor", "read,write";
        permission java.io.FilePermission "/data/elasticsearch/armor/*", "read,write";
};
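
The second trace is denied on a file inside the key directory, while the grants quoted above name that directory both bare and with a trailing `/*`. As an added example (not part of the thread or of the plugin's code), this uses `java.io.FilePermission.implies` to show which grant path forms cover which targets; the class name and the nested `backup` path are constructed for illustration.

```java
import java.io.FilePermission;

public class KeyPathPermissionCheck {
    // Paths as they appear in the thread: the configured armor.key_path
    // and the key file named in the second AccessControlException.
    static final String KEY_DIR = "/data/elasticsearch/armor";
    static final String KEY_FILE = KEY_DIR + "/armor_node_key.key";
    // Constructed path, used only to separate "/*" from "/-".
    static final String NESTED_FILE = KEY_DIR + "/backup/armor_node_key.key";

    // True if a policy grant on grantPath with grantActions covers the
    // requested access, using the same implies() check the JVM applies.
    static boolean covers(String grantPath, String grantActions,
                          String wantedPath, String wantedActions) {
        FilePermission granted = new FilePermission(grantPath, grantActions);
        return granted.implies(new FilePermission(wantedPath, wantedActions));
    }

    public static void main(String[] args) {
        String[] grantPaths = { KEY_DIR, KEY_DIR + "/*", KEY_DIR + "/-" };
        String[] wantedPaths = { KEY_DIR, KEY_FILE, NESTED_FILE };

        // Path matching: which grant form reaches the directory, a direct
        // child, and a file one level further down.
        for (String grantPath : grantPaths) {
            for (String wantedPath : wantedPaths) {
                boolean ok = covers(grantPath, "read,write", wantedPath, "read");
                System.out.printf("grant %-30s covers read of %-50s : %b%n",
                        grantPath, wantedPath, ok);
            }
        }

        // Action matching: the path can match and the check still fail
        // when the granted actions do not include the requested one.
        System.out.printf("grant %s/* (read only) covers write of key file : %b%n",
                KEY_DIR, covers(KEY_DIR + "/*", "read", KEY_FILE, "write"));
    }
}
```

A grant on the bare directory path covers only the directory entry itself, `/*` adds its direct children, and `/-` adds everything beneath it recursively.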

Author

vkhazin commented Sep 7, 2016

Is it possible that the issue is specific to EC2 Amazon Linux?
