petalmd / armor

Apache License 2.0

AccessControlException after installing armor plugin #20

Open vkhazin opened 7 years ago

vkhazin commented 7 years ago

After building the package using Maven (as the standard plugin installation did not work), the ElasticSearch service fails on start:

sudo service elasticsearch start

Starting elasticsearch: Exception in thread "main" ElasticsearchException[java.security.AccessControlException: access denied ("java.io.FilePermission" "." "read")]
    at com.petalmd.armor.service.ArmorService.<init>(ArmorService.java:162)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at <<<guice>>>
    at org.elasticsearch.node.Node.<init>(Node.java:213)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
jmaitrehenry commented 7 years ago

Hi @vkhazin, could you set armor.key_path to a path where ES can write the node key and try again? By default, the path is set to '.'

Thanks

vkhazin commented 7 years ago

Hi @jmaitrehenry,

Thank you for the suggestion! Seems like something else is missing...

/etc/elasticsearch/elasticsearch.yml

armor.key_path: /data/elasticsearch/armor

ls /data/elasticsearch/armor -la

total 8
drwxr-xr-x 2 elasticsearch root 4096 Sep  6 18:38 .
drwxr-xr-x 5 elasticsearch root 4096 Sep  6 18:38 ..

sudo service elasticsearch start

Starting elasticsearch: Exception in thread "main" ElasticsearchException[java.security.AccessControlException: access denied ("java.io.FilePermission" "/data/elasticsearch/armor/armor_node_key.key" "read")]
    at com.petalmd.armor.service.ArmorService.<init>(ArmorService.java:162)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at <<<guice>>>
    at org.elasticsearch.node.Node.<init>(Node.java:213)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
vkhazin commented 7 years ago

Another question: where is '.' located? Is it one of the following?

/
/etc/elasticsearch
/usr/share/elasticsearch
/usr/share/elasticsearch/bin
/usr/share/elasticsearch/plugins
/usr/share/elasticsearch/plugins/armor
/{data folder}
/{log folder}

vkhazin commented 7 years ago

After running around the system for a while with

sudo chmod 777 -R ...

removing OpenJDK and installing the Oracle JDK, jumping from the ground floor level a few times and going postal on the floor...

It turns out that it is not Linux I/O permissions so much as that the plugin policy file does not seem to be picked up:

/usr/share/elasticsearch/plugins/armor/plugin-security.policy

grant {
  permission java.security.SecurityPermission "createAccessControlContext";
  permission java.io.FilePermission "${armor.key_path}", "read,readlink,write";
  permission java.io.FilePermission "./-", "read,readlink,write";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};

To resolve/work around it, I had to modify the system-wide Java policy file: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/java.policy

adding the following lines at the end:

...
        permission java.io.FilePermission "/data/elasticsearch/armor", "read,write";
        permission java.io.FilePermission "/data/elasticsearch/armor/*", "read,write";
};
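As an added diagnostic (not part of the armor project or this thread), the following stand-alone program loads a policy file with the same JDK policy parser ES uses and reports whether its grants imply read/write on a given path, so a plugin-security.policy can be checked without restarting the node. The policy path, the checked path and the optional -Darmor.key_path property are command-line assumptions; the PolicyCheck class name is hypothetical.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

/**
 * Hypothetical diagnostic: parse a Java policy file and ask whether its
 * grants imply a FilePermission, independent of Elasticsearch.
 *
 * Usage: java [-Darmor.key_path=/data/elasticsearch/armor] PolicyCheck \
 *            /usr/share/elasticsearch/plugins/armor/plugin-security.policy \
 *            /data/elasticsearch/armor/armor_node_key.key
 */
public class PolicyCheck {

    // "JavaPolicy" is the JDK's standard policy-file provider; ${prop}
    // references in the file are expanded from JVM system properties.
    static Policy load(String policyPath) throws Exception {
        URI uri = new File(policyPath).toURI();
        return Policy.getInstance("JavaPolicy", new URIParameter(uri));
    }

    // A CodeSource with no location matches a bare "grant { ... }" block
    // (no codeBase), which is the form plugin-security.policy uses.
    static boolean implies(Policy policy, Permission perm) {
        CodeSource cs = new CodeSource(null, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null);
        return policy.implies(pd, perm);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: PolicyCheck <policy-file> <path-to-check>");
            return;
        }
        Policy policy = load(args[0]);
        String path = args[1];
        System.out.println("armor.key_path system property = "
                + System.getProperty("armor.key_path"));
        for (String action : new String[] {"read", "write"}) {
            boolean ok = implies(policy, new FilePermission(path, action));
            System.out.printf("%-5s %s -> %s%n", action, path, ok ? "granted" : "DENIED");
        }
    }
}
```

Two FilePermission rules this check makes visible: a `${armor.key_path}` entry only resolves if that name is a JVM system property at the time the policy is parsed (an unresolved entry is skipped by the parser), and a grant on a directory name alone does not cover files inside it, which is why the working fix above grants both "/data/elasticsearch/armor" and "/data/elasticsearch/armor/*".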
vkhazin commented 7 years ago

Is it possible that the issue is specific to ec2 amzn linux?