Elastic Search AllPermission security manager issue ...continued


(Vishal Goel) #1

Hi,

This is a continuation of the following post:

[2018-09-15T00:04:42,632][ERROR][o.e.b.Bootstrap ] [PC-VISHALG] node validation exception
[1] bootstrap checks failed
[1]: granting the all permission effectively disables security

I am getting this error while running ES (6.3.1) from a local drive setup as well. I am using JavaBuilder to run ES. On some machines it runs successfully, but on others it gives the above error (all machines are WIN 10).
Ryan mentioned that it is a Java permission policy file issue. What are the permissions that ES needs to start, and can I provide them to ES in a Java policy file?

Thanks


(Alexander Reelsen) #2

You do not need to provide any sample policy file. Elasticsearch has everything included in its distribution.

It seems you are trying to run with a custom policy file - you should not do this and stick to the default. The first step should be to find out if that is the case and try to disable it.


(Vishal Goel) #3

Thanks Alex. I don't think I am running with any custom file. Is there any way to find out?
I don't give any policy file when running ES.


(Vishal Goel) #4

Any update here please.


(Ryan Ernst) #5

You can check the default policy file (which elasticsearch builds upon) locations according to these java docs:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#DefaultLocs

Something is granting the elasticsearch jar AllPermission, which defeats the purpose of using the SecurityManager. Do you manage your own environment, or does someone else? I have seen IT orgs do this granting via the system policy to "make things easy" before.
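
A check for the situation described in post #5, as an added example that is not part of the thread or of Elasticsearch's code: it scans the default policy locations for grant entries containing `java.security.AllPermission`. The function names and the sample policy are constructed for illustration; the `lib/security` path is the one used in this thread.

```python
import os
import re
from pathlib import Path

# Policy-file keywords are case-insensitive; the permission class name is not.
GRANT_RE = re.compile(r'(?i:\bgrant\b)(?P<head>[^{;]*)\{(?P<body>.*?)\}\s*;', re.S)
ALL_PERM_RE = re.compile(r'(?i:\bpermission)\s+java\.security\.AllPermission\b')
CODEBASE_RE = re.compile(r'(?i:\bcodeBase)\s+"([^"]*)"')
# A quoted string (kept) or a /* */ or // comment (dropped).
TOKEN_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(text):
    """Drop comments but leave quoted strings such as "file:///..." intact."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def all_permission_grants(policy_text):
    """Return one item per grant entry containing AllPermission: the entry's
    codeBase string, or None when the entry applies to all code."""
    found = []
    for entry in GRANT_RE.finditer(strip_comments(policy_text)):
        if ALL_PERM_RE.search(entry.group('body')):
            codebase = CODEBASE_RE.search(entry.group('head'))
            found.append(codebase.group(1) if codebase else None)
    return found

def default_policy_files(java_home, user_home):
    """Default system and user policy locations (conf/ is where JDK 9+ keeps it)."""
    return [Path(java_home, 'lib', 'security', 'java.policy'),
            Path(java_home, 'conf', 'security', 'java.policy'),
            Path(user_home, '.java.policy')]

def audit(java_home, user_home):
    """Map each existing default policy file to its AllPermission grants."""
    return {str(p): all_permission_grants(p.read_text(errors='replace'))
            for p in default_policy_files(java_home, user_home) if p.is_file()}

# Constructed sample of a user-level .java.policy, not taken from the thread.
SAMPLE_USER_POLICY = '''
// grant { permission java.security.AllPermission; };   (commented out)
grant {
    permission java.security.AllPermission;
};
grant codeBase "file:///C:/tools/-" {
    permission java.util.PropertyPermission "user.home", "read";
};
'''

if __name__ == '__main__':
    print(all_permission_grants(SAMPLE_USER_POLICY))
    # Assumption: JAVA_HOME points at the JVM that starts Elasticsearch.
    print(audit(os.environ.get('JAVA_HOME', ''), Path.home()))
```

A `None` entry means the grant has no `codeBase` and so applies to every jar, including Elasticsearch's.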


(Vishal Goel) #6

You got it right. I have a .java.policy file in my user.home. How can I specify the policy file during ES startup?
I tried specifying it using
"ES_JAVA_OPTS", "-Djava.security.policy=" + System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator + "java.policy"
but it still has the issue. If I remove .java.policy from user.home, it works fine.


(Vishal Goel) #7

It is fixed now with the following (== instead of =):
"ES_JAVA_OPTS" = "-Djava.security.policy==" + System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator + "java.policy"


(Ryan Ernst) #8

I believe using == works not because of any special syntax, but because the path to the policy file then looks like it begins with = (which is of course an invalid path), and Java is lax on failures there. You are effectively disabling using your system policy by using an invalid path.


(Vishal Goel) #9

Ok. But when I used a single = and provided the java home security policy file, it still picked up the user.home .java.policy.