Access Denied Exception in elasticsearch v5.6

Hi, I have a cluster with 3 nodes. The elasticsearch UIDs are different and their GID is the same, but when I get the information of the snapshot in Kibana, all the processes failed. Here is part of the logs of the snapshot:

nested: ElasticsearchException[failed to create blob container]; nested: AccessDeniedException

Can you share the full exception from the elasticsearch logs? Thank you!

Thank you for your reply, error is:

 "error": {
"root_cause": [
  {
    "type": "repository_verification_exception",
"reason": "[backup] [[ldGSpx-ZQe6fBmgwI_hrgQ, 'RemoteTransportException[[....184:9300][internal:admin/repository/verify]];
nested: RepositoryMissingException[[backup] missing];'], [MWHreh4FQLmMa_yzbjKthQ, 'RemoteTransportException[[...][....183:9300][internal:admin/repository/verify]];
nested: RepositoryVerificationException[[backup] store location [/mnt/elasticsearch]
 is not accessible on the node [{...}{MWHreh4FQLmMa_yzbjKthQ}{jwAAK-D2RquuiohxDfLSmw}{....183}{....183:9300}]]; 
 nested: AccessDeniedException[/mnt/elasticsearch/tests-dDepnDzCIA/data-MWHrLmMa_yzbjKthQ.dat];']]"
  }
]
},
"status": 500

{...} is my host name or IP; [/mnt/elasticsearch] is NAS storage.

And this error:

Caused by: java.nio.file.AccessDeniedException: /mnt/elasticsearch/backup/tests-6xN....W_KZQ/data-M.....dat

Is /mnt/elasticsearch accessible on that host? Did you configure the path.repo setting?

Yes, the yml file is configured. 2 nodes (..184 and ..185) can write to /mnt/elasticsearch/ but ..183 can't create files in this repo.

Can you store a file there as the user running elasticsearch in a shell?

Yes, the elasticsearch user can read and write files in a shell, but the elasticsearch service can't!!!

Just to verify: how exactly did you test this?

With the "sudo -H -u elasticsearch bash -c 'vim test.txt'" command in /mnt/elasticsearch/

Have you tried to write/read the resource mentioned in the exception?

Sorry, I don't understand what you mean.

The exception refers to a file it tries to write at /mnt/elasticsearch/tests-dDepnDzCIA/data-MWHrLmMa_yzbjKthQ.dat - can you try to create that resource via touch on the command line?

Thanks for your answer.
Yes, I can do it. When I force node 185 to create a file in /mnt/elasticsearch/backup1/ it works, and when I force node 183 to create a file in /mnt/elasticsearch/backup/ it works too,
but when node 185 creates /mnt/elasticsearch/backup/, node 183 cannot read/write files in this dir.
Note: the primary GID of elasticsearch on 183 is not equal to the one on node 185, but there is another group on node 183 which is the same as the primary GID of elasticsearch on 185.
On all nodes the umask of the elasticsearch process is set to 0002.

Thanks for testing. This means that your system is not set up the same on all nodes. I suppose you need to fix your network storage setup then (or your network file system), as it does not look like an Elasticsearch issue to me. Mapping the GIDs sounds like a good start, but it's hard to tell without knowing the exact setup.

Thanks for your support.

If I change the primary GID of the elasticsearch user, what will happen?

I don't know, as there might be a uid/gid mapping in your network file system that I am not aware of. Also, you may need to change some permissions of your elasticsearch installation (purging the package might make sense in this case). Best would be to test this out in a staging system.
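
An added example, not part of the original thread: a small POSIX shell check that compares the numeric credentials a process actually runs with (from /proc/<pid>/status) against the numeric owner, group and mode of a repository directory. All IDs and the two sample status files are constructed for illustration, and the check ignores root, ACLs and any server-side ID mapping on the network file system.

```shell
#!/bin/sh
# proc_creds FILE: print "EUID EGID SUPPLEMENTARY_GIDS..." from a
# /proc/<pid>/status file (second value on the Uid:/Gid: lines is the effective ID).
proc_creds() {
  awk '/^Uid:/ {u=$3} /^Gid:/ {g=$3} /^Groups:/ {$1=""; s=$0}
       END {print u, g s}' "$1"
}

# can_write_dir "EUID EGID SUPP..." OWNER_UID GROUP_GID OCTAL_MODE
# Returns 0 when the classic permission bits allow creating files in the
# directory (write + search). Only the first matching class is used:
# owner, then group, then other.
can_write_dir() {
  creds=$1 owner=$2 group=$3 mode=$((0$4))
  set -- $creds
  euid=$1; shift
  if [ "$euid" -eq "$owner" ]; then
    bits=$(( (mode >> 6) & 7 ))
  else
    bits=$(( mode & 7 ))
    for g in "$@"; do
      if [ "$g" -eq "$group" ]; then bits=$(( (mode >> 3) & 7 )); break; fi
    done
  fi
  [ $(( bits & 3 )) -eq 3 ]
}

# Constructed samples for one node: a shell whose group list contains GID 1005,
# and a hypothetical process whose group list does not.
sample=$(mktemp -d)
printf 'Uid:\t1002\t1002\t1002\t1002\nGid:\t1003\t1003\t1003\t1003\nGroups:\t1003 1005\n' > "$sample/shell.status"
printf 'Uid:\t1002\t1002\t1002\t1002\nGid:\t1003\t1003\t1003\t1003\nGroups:\t1003\n' > "$sample/service.status"

# Directory as another node would create it with umask 0002:
# owner 1001, group 1005, mode 775 (constructed values).
for who in shell service; do
  if can_write_dir "$(proc_creds "$sample/$who.status")" 1001 1005 775; then
    echo "$who: write allowed by mode bits"
  else
    echo "$who: write denied by mode bits"
  fi
done
```

On a real node, pass the status file of the running Elasticsearch process and the three values printed by `stat -c '%u %g %a'` for the repository directory, then compare the result across nodes.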