Java Security Policy does not work


(Yuxuan Zong) #1

Hi all,

I added some files in "modules/transport-netty4" and use a third-party jar as a dependency. When I start up Elasticsearch, it fails, and this error message shows in the log file:

//ERROR org.elasticsearch.bootstrap.ElasticsearchUncaughtExceptionHandler: fatal error in thread [main], exiting java.lang.ExceptionInInitializerError: null
//Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/dap_security/application.properties" "read")

So I modified "plugin-security.policy" in "modules/transport-netty4" (the third-party jar is also in this directory):
grant {
    permission java.io.FilePermission "/opt/dap_security/application.properties", "read";
};
But it does not work; the error message still exists.

I want to know how to make Java security policy files useful. Or are there other ways to solve the above problem?

elasticsearch version: v5.4.0

Thanks.


(Yuxuan Zong) #2

It seems that I should modify "security.policy" in elasticsearch.x.jar instead of "plugin-security.policy".


(Nik Everett) #3

I'm not sure, but I believe the idea is to stick configuration files under /etc/elasticsearch where we already have the right to read them. I think symlinks are respected but haven't tried it in a few years and am kind of going from memory here. But I'm sure that changing the contents of the jars is going to be a maintenance nightmare.


(Ryan Ernst) #4

Dropping additional jars into a plugin or module is unsupported. Additionally, modifying the security policy of any part of elasticsearch won't work, as permissions alone will not solve the problem: there must be an associated code change to make use of the granted permission.

Can you please explain what you are trying to do with this additional jar and we can help you find a better way to achieve the goal?
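
The point in #4 that a granted permission also needs a code change, shown as an added example that is not from this thread or from Elasticsearch: it assumes the change meant is the standard `AccessController.doPrivileged` wrapper, which stops the permission check at the granted code instead of also testing callers further up the stack that lack the grant. `PrivilegedConfigReader` is a hypothetical class name, and the code targets the Java 8-era Security Manager API that Elasticsearch 5.4 runs on (deprecated in later JDKs).

```java
import java.io.FilePermission;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Properties;

// Hypothetical helper; assumed to be loaded from a jar that the policy grant covers.
public final class PrivilegedConfigReader {

    private PrivilegedConfigReader() {}

    public static Properties load(final Path file) throws IOException {
        // Require an absolute path so the asserted permission names exactly one file
        // and does not depend on the process working directory.
        if (!file.isAbsolute()) {
            throw new IllegalArgumentException("absolute path required: " + file);
        }
        final FilePermission needed = new FilePermission(file.toString(), "read");
        try {
            // Limited doPrivileged: only 'needed' is asserted on behalf of callers.
            // A null context adds no further restriction to this code's own domain.
            return AccessController.doPrivileged((PrivilegedExceptionAction<Properties>) () -> {
                Properties props = new Properties();
                try (InputStream in = Files.newInputStream(file)) {
                    props.load(in);
                }
                return props;
            }, null, needed);
        } catch (PrivilegedActionException e) {
            // The action's only checked exception is IOException.
            throw (IOException) e.getException();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary properties file.
        Path sample = Files.createTempFile("application", ".properties");
        try {
            Files.write(sample, "sample.key=sample-value\n".getBytes("UTF-8"));
            System.out.println(load(sample).getProperty("sample.key"));
        } finally {
            Files.deleteIfExists(sample);
        }
    }
}
```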

