Hi
I’m trying to switch my ODFE 1.3.0 RPM cluster into ODFE 1.13.3 Docker cluster. (Upgrading to latest ODFE version before upgrading to OpenSearch 1.3.2)
On an empty cluster, I tried to restore my RPM cluster snapshot into latest ODFE version docker cluster but I have an error : Access denied Java IO FilePermission
[2022-06-23T09:29:59,086][WARN ][o.e.i.c.IndicesClusterStateService] [hostname] [metadata_index][3] marking and sending shard failed due to [failed to create index]
java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/elasticsearch/synonyms.txt" "read")
It’s really similar to this post : https://discuss.elastic.co/t/how-to-update-java-file-permission-for-elasticsearch-running-on-docker/234869
This error can be fixed for the OpenSearch version by adding a java security policy file, appended to jvm.options file.
But this doesn’t work for ODFE.
So :
- Any ideas to fix this java permission issue ?
- Is it forced to upgrade ODFE to 1.13.3 before migrating to OpenSearch 1.3.2 ?
Because it works if I just upgrade my ODFE 1.3.0 cluster to OpenSearch 1.3.2…
Any help would be appreciated !
Thi
Java security policy (Is it correct ?)
grant codebase "file:${java.home}/../lib/tools.jar" {
    permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};
grant {
    permission java.io.FilePermission "/etc/elasticsearch/-", "read";
    permission java.io.FilePermission "/etc/elasticsearch/", "read";
};
In docker-compose, volumes part
- /data/apps/opendistro/config/opendistro_security.policy:/usr/share/elasticsearch/config/opendistro_security.policy
- /data/apps/opendistro/config/jvm.options:/usr/share/elasticsearch/config/jvm.options.d/jvm.options
JVM options file, appended this line
-Djava.security.policy=file:///usr/share/elasticsearch/config/opendistro_security.policy
Inside Docker, java process cmdline
-Djava.security.policy=file:///usr/share/elasticsearch/config/opendistro_security.policy-Djava.security.policy=file:///usr/share/elasticsearch/performance-analyzer-rca/pa_config/es_security.policy
Ownership, permissions of files inside Docker
-rw-rw----. 1 elasticsearch root 2.3K Jan 13 2021 jvm.options
drwxrwx---. 1 elasticsearch root 4.0K Jun 23 09:20 jvm.options.d
-rw-r--r-x. 1 root root 2.6K Jun 22 13:51 config/jvm.options.d/jvm.options
Fixed the issue
If anyone has the same issue, you can’t load multiple java security policy files.
Because default ODFE docker loads pa_plugin performance analyzer java security policy, my security policy was not loaded.
I overwrote the pa_plugin java security policy file and my permissions were finally working.
Hope it helped someone !
Thi
Hi ! Can you explain the procedures in a sample file ?
Thanks !!!
Hi !
It’s been a while so I forgot everything…
You should try to overwrite the file inside the container or directly on the host if you use RPM version : /usr/share/elasticsearch/plugins/opendistro_performance_analyzer/pa_config/es_security.policy
You put your policies according to your needs.
Thi
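A way to check for the situation this thread describes, as an added example that is not from any poster or from the ODFE project: it lists the -Djava.security.policy options on a JVM command line, reports the one that takes effect, and checks that file for the FilePermission grant. It assumes HotSpot's behaviour of keeping the last value of a repeated -D property; the function names are hypothetical and the sample command line is constructed from the two options shown in the first post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). A repeated -D system property keeps its
# last value on HotSpot, so a policy option appended later replaces yours.

# List every java.security.policy value in a NUL-separated cmdline file
# (the /proc/<pid>/cmdline format), one per line, in command-line order.
policy_args() {
    tr '\0' '\n' < "$1" | sed -n 's/^-Djava\.security\.policy=\{1,2\}//p'
}

# The value the JVM ends up with: the last one given (empty if none).
effective_policy() {
    policy_args "$1" | tail -n 1
}

# Succeed when policy file $1 has a FilePermission entry starting at path $2.
has_file_grant() {
    grep -F 'java.io.FilePermission' "$1" | grep -qF "\"$2"
}

# Constructed sample: the two options from the thread, in the same order.
make_sample_cmdline() {
    printf '%s\0' java \
        '-Djava.security.policy=file:///usr/share/elasticsearch/config/opendistro_security.policy' \
        '-Djava.security.policy=file:///usr/share/elasticsearch/performance-analyzer-rca/pa_config/es_security.policy' \
        > "$1"
}

report() {   # $1 = cmdline file, e.g. /proc/<pid>/cmdline inside the container
    local n p
    n=$(policy_args "$1" | wc -l)
    p=$(effective_policy "$1")
    echo "policy options on command line: $((n))"
    echo "effective policy: $p"
    [ "$n" -le 1 ] || echo "WARNING: earlier policy options are ignored"
    p=${p#file://}               # turn the file:// URL into a local path
    if [ -r "$p" ]; then         # only checked where the policy file exists
        has_file_grant "$p" /etc/elasticsearch \
            && echo "grant for /etc/elasticsearch: present" \
            || echo "grant for /etc/elasticsearch: MISSING"
    fi
}

sample=$(mktemp)
make_sample_cmdline "$sample"
report "$sample"
rm -f "$sample"
```

Inside the container, call report on /proc/<pid>/cmdline of the Elasticsearch Java process instead of the constructed sample.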