search

Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org
Other
7.33k stars 1.05k forks source link

File permission warnings on data-node startup. #15459

Closed luk-kaminski closed 10 months ago

luk-kaminski commented 1 year ago

Expected Behavior

There are no file permission warnings on data-node startup.

Current Behavior

There are a lot of file permission warnings on data-node startup: Screenshot 2023-05-09 at 14-57-48 Screenshot

Possible Solution

Steps to Reproduce (for bugs)

  1. Start data node.
  2. Check the logs : http://localhost:8999/logs/stdout
todvora commented 1 year ago

I can't reproduce the problem, but I do see a different error:

2023-06-16 09:32:04,400 INFO : org.graylog.datanode.management.OpensearchProcessImpl - [2023-06-16T09:32:04,399][INFO ][o.o.n.Node               ] [node1] version[2.5.0], pid[13068], build[tar/b8a8b6c4d7fc7a7e32eb2cb68ecad8057a4636ad/2023-01-18T23:48:48.981786100Z], OS[Linux/5.15.0-73-generic/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.5/17.0.5+8]
2023-06-16 09:32:04,412 INFO : org.graylog.datanode.management.OpensearchProcessImpl - 2023-06-16 09:32:04,410 main ERROR Could not define attribute view on path "/home/tomas/projects/graylog-project-repos/graylog2-server/data-node/bin/config/node1/datanode-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
2023-06-16 09:32:04,412 INFO : org.graylog.datanode.management.OpensearchProcessImpl -  at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
2023-06-16 09:32:04,412 INFO : org.graylog.datanode.management.OpensearchProcessImpl -  at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
2023-06-16 09:32:04,412 INFO : org.graylog.datanode.management.OpensearchProcessImpl -  at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
2023-06-16 09:32:04,412 INFO : org.graylog.datanode.management.OpensearchProcessImpl -  at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
2023-06-16 09:32:04,413 INFO : org.graylog.datanode.management.OpensearchProcessImpl -  at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
2023-06-16 09:32:04,413 INFO : org.graylog.datanode.management.OpensearchProcessImpl -  at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
2023-06-16 09:32:04,413 INFO : org.graylog.datanode.management.OpensearchProcessImpl -  at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:177)

What's the latest state for you, @luk-kaminski?

luk-kaminski commented 1 year ago

Hi @todvora ,

Yes, it is now exactly as you say. I do not see the old errors any more.

dennisoelkers commented 1 year ago

@todvora: Can you please check if your error still exists and close the issue if not?

todvora commented 1 year ago

@dennisoelkers I still see the same error (=warning), we should find the source of the problem and fix it.

todvora commented 1 year ago

I experimented with the problem for a while and now I can't reproduce it anymore. Will investigate later when the problem appears again.

But the idea is that Opensearch uses a SecurityManager, which then controls the access to the log files. So we should allow it to adapt permissions on the log files via a security policy.