Elastic Search AllPermission security manager issue ...continued

Hi,

This is in continuation of the following post:

[2018-09-15T00:04:42,632][ERROR][o.e.b.Bootstrap ] [PC-VISHALG] node validation exception
[1] bootstrap checks failed
[1]: granting the all permission effectively disables security

I am also getting this error while running ES (6.3.1) from a local drive setup. I am using JavaBuilder to run ES. On some machines it runs successfully, but on others it gives the above error (all machines are Win 10).
Ryan mentioned that it is a Java permission policy file issue. What are the permissions that ES needs to start, and can I provide them to ES in a Java policy file?

Thanks

You do not need to provide any sample policy file. Elasticsearch has everything included in its distribution.

It seems you are trying to run with a custom policy file - you should not do this and stick to the default. The first step should be to find out if that is the case and try to disable it.

Thanks Alex. I don't think I am running with any custom file. Is there any way to find out?
I don't give any policy file when running ES.

Any update here, please?

You can check the locations of the default policy file (which Elasticsearch builds upon) according to these Java docs:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#DefaultLocs

Something is granting the elasticsearch jar AllPermission, which defeats the purpose of using the SecurityManager. Do you manage your own environment, or does someone else? I have seen IT orgs do this granting via the system policy to "make things easy" before.

You got it right. I have a .java.policy file in my user.home. How can I specify the policy file during ES startup?
I tried specifying it using
"ES_JAVA_OPTS", "-Djava.security.policy=" + System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator + "java.policy"
but it still has the issue. If I remove .java.policy from user.home, it works fine.

It is fixed now with the following (== instead of =):
"ES_JAVA_OPTS" = "-Djava.security.policy==" + System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator + "java.policy"

I believe using == works not because of any special syntax, but because the path to the policy file then looks like it begins with = (which is of course an invalid path), and Java is lax on failures there. You are effectively disabling using your system policy by using an invalid path.

OK. But when I used a single = and provided the Java home security policy file, it still picked up the user.home .java.policy.
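An added example, not code from any poster in this thread or from Elasticsearch: the Oracle policy-file guide linked above documents that `-Djava.security.policy=X` adds X to the policy files listed in `java.security`, while `==X` uses X alone. The sketch below models that and flags `AllPermission` grants in a policy file. It assumes a stock Java 8 `java.security`; the class name, paths and sample policy text are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PolicySources {
    // Assumption: stock Java 8 java.security, where policy.url.1 is the system policy,
    // policy.url.2 is the per-user policy, and policy.allowSystemProperty=true.
    static List<String> loadedPolicies(String javaHome, String userHome, String propValue) {
        List<String> files = new ArrayList<>();
        // -Djava.security.policy==X reaches the JVM as the property value "=X".
        boolean only = propValue != null && propValue.startsWith("=");
        if (!only) {
            files.add(javaHome + "/lib/security/java.policy");
            files.add(userHome + "/.java.policy");
        }
        if (propValue != null) {
            files.add(only ? propValue.substring(1) : propValue);
        }
        return files;
    }

    // Headers of grant blocks that contain an uncommented AllPermission entry.
    // Simplification: /* ... */ comments are not handled.
    static List<String> allPermissionGrants(String policyText) {
        Pattern block = Pattern.compile("(?s)\\bgrant\\b([^{]*)\\{(.*?)\\}\\s*;");
        Pattern perm = Pattern.compile("(?m)^\\s*permission\\s+java\\.security\\.AllPermission\\b");
        List<String> hits = new ArrayList<>();
        Matcher m = block.matcher(policyText);
        while (m.find()) {
            if (perm.matcher(m.group(2)).find()) {
                String header = m.group(1).trim();
                hits.add(header.isEmpty() ? "(all code)" : header);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample of a per-user .java.policy; not taken from the thread.
        String userPolicy = "// added by IT\ngrant {\n    permission java.security.AllPermission;\n};\n";
        String jh = "C:/jre", uh = "C:/Users/demo"; // hypothetical paths
        String explicit = jh + "/lib/security/java.policy";
        System.out.println("=  loads " + loadedPolicies(jh, uh, explicit));
        System.out.println("== loads " + loadedPolicies(jh, uh, "=" + explicit));
        System.out.println("user policy grants AllPermission to: " + allPermissionGrants(userPolicy));
    }
}
```

With a single `=` the per-user `.java.policy` is still in the list, so an `AllPermission` grant there continues to trip the bootstrap check.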

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.