Open vkhazin opened 7 years ago
Hi @vkhazin,
Could you set the armor.key_path to a path where ES could write the node key and try again?
By default, the path is set to '.'
Thanks
Hi @jmaitrehenry,
Thank you for the suggestion! Seems like something else is missing...
/etc/elasticsearch/elasticsearch.yml
armor.key_path: /data/elasticsearch/armor
ls /data/elasticsearch/armor -la
total 8
drwxr-xr-x 2 elasticsearch root 4096 Sep 6 18:38 .
drwxr-xr-x 5 elasticsearch root 4096 Sep 6 18:38 ..
sudo service elasticsearch start
Starting elasticsearch: Exception in thread "main" ElasticsearchException[java.security.AccessControlException: access denied ("java.io.FilePermission" "/data/elasticsearch/armor/armor_node_key.key" "read")]
at com.petalmd.armor.service.ArmorService.<init>(ArmorService.java:162)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at <<<guice>>>
at org.elasticsearch.node.Node.<init>(Node.java:213)
at org.elasticsearch.node.Node.<init>(Node.java:140)
at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Another question: where is '.' located:
/
/etc/elasticsearch
/usr/share/elasticsearch
/usr/share/elasticsearch/bin
/usr/share/elasticsearch/plugins
/usr/share/elasticsearch/plugins/armor
/{data folder}
/{log folder}
After running around the system for a while with
sudo chmod 777 -R ...
Removing OpenJDK and installing Oracle JDK, jumping from the ground floor level a few times and going postal on the floor...
It turns out that it is not Linux I/O permissions so much as that the plugin policy file does not seem to be picked up:
/usr/share/elasticsearch/plugins/armor/plugin-security.policy
grant {
permission java.security.SecurityPermission "createAccessControlContext";
permission java.io.FilePermission "${armor.key_path}", "read,readlink,write";
permission java.io.FilePermission "./-", "read,readlink,write";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
To resolve/work around this I had to modify the system-wide Java policy file: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/java.policy
adding the following lines at the end:
...
permission java.io.FilePermission "/data/elasticsearch/armor", "read,write";
permission java.io.FilePermission "/data/elasticsearch/armor/*", "read,write";
};
Is it possible that the issue is specific to ec2 amzn linux?
After building the package using Maven, as standard plugin installation did not work, the ElasticSearch service will fail on start:
sudo service elasticsearch start
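How `java.io.FilePermission` matches the grants quoted in this thread against the read reported in the AccessControlException, as an added example that is not part of the thread or of the Armor plugin. It assumes `${armor.key_path}` expanded to the configured directory; the nested path and the `/-` grant are constructed for comparison.

```java
import java.io.FilePermission;

public class ArmorKeyPolicyCheck {
    // Paths taken from the thread; nothing is read from or written to disk.
    static final String KEY_DIR = "/data/elasticsearch/armor";
    static final String KEY_FILE = KEY_DIR + "/armor_node_key.key";
    // Hypothetical nested file, used only to contrast "/*" with "/-".
    static final String NESTED = KEY_DIR + "/backup/old_node_key.key";

    /** True if a grant of grantActions on grantPath covers wantActions on wantPath. */
    static boolean covers(String grantPath, String grantActions,
                          String wantPath, String wantActions) {
        return new FilePermission(grantPath, grantActions)
                .implies(new FilePermission(wantPath, wantActions));
    }

    public static void main(String[] args) {
        String[][] grants = {
            // Plugin policy line, assuming ${armor.key_path} expanded to KEY_DIR.
            {KEY_DIR, "read,readlink,write"},
            // The two lines added to java.policy as the workaround.
            {KEY_DIR, "read,write"},
            {KEY_DIR + "/*", "read,write"},
            // Recursive form, not used in the thread, shown for comparison.
            {KEY_DIR + "/-", "read,write"},
        };
        // Requested accesses: the read from the exception, plus two contrasts.
        String[][] wants = {
            {KEY_FILE, "read"},
            {KEY_DIR, "read"},
            {NESTED, "read"},
        };
        // A bare path matches only itself, "/*" matches the directory's direct
        // children but not the directory, "/-" matches everything beneath it.
        for (String[] g : grants) {
            for (String[] w : wants) {
                System.out.printf("grant %-30s %-20s -> %-5s %s on %s%n",
                        "\"" + g[0] + "\"", g[1],
                        covers(g[0], g[1], w[0], w[1]), w[1], w[0]);
            }
        }
    }
}
```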