I am working on a custom authentication realm for Elasticsearch. In its current form I would like it to be able to read a secret key from a locally-readable Java keystore in JCEKS format. I have set up my ES plugin with settings to be able to find this file, and to access it via the keystore's password, which is passed into the custom realm as a secure string setting.
I am getting an error with this root cause:
java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/lib/my-service/auth.jceks" "read")
I have checked the file on the local CentOS file system where ES is running, and it should be globally readable to all users. But the exception I am seeing suggests that it cannot be read nonetheless.
I assume this means that ES has put in place some kind of security policies that prevent it from reading this file system. Is that true? If so, can you please help me understand what options I have (if any) to grant access to the file(s) I need to read? If not, I'd appreciate any ideas to explain why this file cannot be read by my plugin.
Thanks