[FIXED] Java IO FilePermission - files outside install directory (no choice)

Hi
I’m trying to switch my ODFE 1.3.0 RPM cluster into ODFE 1.13.3 Docker cluster. (Upgrading to latest ODFE version before upgrading to OpenSearch 1.3.2)

On an empty cluster, I tried to restore my RPM cluster snapshot into latest ODFE version docker cluster but I have an error : Access denied Java IO FilePermission

[2022-06-23T09:29:59,086][WARN ][o.e.i.c.IndicesClusterStateService] [hostname] [metadata_index][3] marking and sending shard failed due to [failed to create index]
java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/elasticsearch/synonyms.txt" "read")

It’s really similar to this post : https://discuss.elastic.co/t/how-to-update-java-file-permission-for-elasticsearch-running-on-docker/234869

This error can be fixed for the OpenSearch version by adding a java security policy file, appended to jvm.options file.
But this doesn’t work for ODFE.

So :

  1. Any ideas to fix this java permission issue ?
  2. Is it forced to upgrade ODFE to 1.13.3 before migrating to OpenSearch 1.3.2 ?
    Because it works if I just upgrade my ODFE 1.3.0 cluster to OpenSearch 1.3.2…

Any help would be appreciated !
Thi

Java security policy (Is it correct ?)

grant codebase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};

grant {
    permission java.io.FilePermission "/etc/elasticsearch/-", "read";
    permission java.io.FilePermission "/etc/elasticsearch/", "read";
};

In docker-compose, volumes part

      - /data/apps/opendistro/config/opendistro_security.policy:/usr/share/elasticsearch/config/opendistro_security.policy
      - /data/apps/opendistro/config/jvm.options:/usr/share/elasticsearch/config/jvm.options.d/jvm.options

JVM options file, appended this line
-Djava.security.policy=file:///usr/share/elasticsearch/config/opendistro_security.policy

Inside Docker, java process cmdline

-Djava.security.policy=file:///usr/share/elasticsearch/config/opendistro_security.policy-Djava.security.policy=file:///usr/share/elasticsearch/performance-analyzer-rca/pa_config/es_security.policy

Ownership, permissions of files inside Docker

-rw-rw----. 1 elasticsearch root 2.3K Jan 13  2021 jvm.options
drwxrwx---. 1 elasticsearch root 4.0K Jun 23 09:20 jvm.options.d

-rw-r--r-x. 1 root root 2.6K Jun 22 13:51 config/jvm.options.d/jvm.options

Fixed the issue

If anyone has the same issue, you can’t load multiple java security policy files.
Because default ODFE docker loads pa_plugin performance analyzer java security policy, my security policy was not loaded.

I overwrote the pa_plugin java security policy file and my permissions were finally working.

Hope it helped someone !
Thi

Hi ! Can you explain the procedures in a sample file ?
Thanks !!!

Hi !
It’s been a while so I forgot everything…

You should try to overwrite the file inside the container or directly on the host if you use RPM version : /usr/share/elasticsearch/plugins/opendistro_performance_analyzer/pa_config/es_security.policy

You put your policies according to your needs.

Thi
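
Added example (not part of the thread and not ODFE code): a shell check for the situation diagnosed above, where a second `-Djava.security.policy` flag on the JVM command line displaces the first. The function names and the sample command line are constructed for illustration; the two policy paths are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: find duplicate -Djava.security.policy flags on a JVM command line.
# Input: a NUL-separated argument file, the format of /proc/<pid>/cmdline.

# Print every policy URL passed on the command line, one per line, in order.
policy_flags() {
    tr '\0' '\n' < "$1" | sed -n 's/^-Djava\.security\.policy=//p'
}

# Number of -Djava.security.policy flags present.
policy_flag_count() {
    policy_flags "$1" | wc -l | tr -d ' \t'
}

# The policy that takes effect: a repeated -D property keeps its last value,
# which matches the thread (the performance analyzer policy came last and won).
effective_policy() {
    policy_flags "$1" | tail -n 1
}

# Human-readable report; returns 1 when earlier policy flags are being ignored.
check_policy_flags() {
    count=$(policy_flag_count "$1")
    if [ "$count" -gt 1 ]; then
        echo "WARNING: $count java.security.policy flags, only the last applies"
        policy_flags "$1" | sed '$d' | sed 's/^/  ignored:   /'
        echo "  effective: $(effective_policy "$1")"
        return 1
    fi
    echo "OK: $count java.security.policy flag(s)"
}

# Constructed sample reproducing the command line shown in the thread.
sample_cmdline=$(mktemp)
trap 'rm -f "$sample_cmdline"' EXIT
printf '%s\0' java -Xms1g \
    '-Djava.security.policy=file:///usr/share/elasticsearch/config/opendistro_security.policy' \
    '-Djava.security.policy=file:///usr/share/elasticsearch/performance-analyzer-rca/pa_config/es_security.policy' \
    org.elasticsearch.bootstrap.Elasticsearch > "$sample_cmdline"

check_policy_flags "$sample_cmdline" || true
```

On a running container, pass `/proc/<pid>/cmdline` of the Elasticsearch process as the argument; if the report lists your policy as ignored, merge your `grant` entries into the effective file as described in the thread.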