Painless script : Appender deprecation_rolling java.security.AccessContaccess denied


(Aurélien) #1

Hello,

I setup a painless script in Kibana which generates the following error (full exception below):

AccessControlException: access denied ("java.io.FilePermission" "/opt/elasticsearch/elasticsearch-6.1.1/logs" "read")

Here is the painless script:

doc['time1'].date.getMillis() - (doc['time2'].date.getMillis() - 7200000)

Here the directory permissions:

drwxr-xr-x  2 elasticsearch elasticsearch 4,0K janv. 26 17:36 logs

The permissions of the log files:

-rw-r--r-- 1 elasticsearch elasticsearch 957K janv. 25 15:45 elasticsearch-2018-01-25-1.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 947K janv. 25 15:48 elasticsearch-2018-01-25-2.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 950K janv. 25 15:50 elasticsearch-2018-01-25-3.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 950K janv. 25 15:53 elasticsearch-2018-01-25-4.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 953K janv. 25 15:56 elasticsearch-2018-01-25-5.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 951K janv. 25 15:58 elasticsearch-2018-01-25-6.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 973K janv. 25 16:01 elasticsearch-2018-01-25-7.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 972K janv. 25 16:19 elasticsearch-2018-01-25-8.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 1,1M janv. 26 00:00 elasticsearch-2018-01-25-9.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 1,2M janv. 26 05:02 elasticsearch-2018-01-26-1.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 1,2M janv. 26 07:52 elasticsearch-2018-01-26-2.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 1,2M janv. 26 10:10 elasticsearch-2018-01-26-3.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 1,2M janv. 26 10:55 elasticsearch-2018-01-26-4.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 4,2M janv. 26 17:11 elasticsearch_deprecation-1.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 4,2M janv. 26 17:23 elasticsearch_deprecation-2.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 4,2M janv. 26 17:35 elasticsearch_deprecation-3.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 4,1M janv. 26 17:36 elasticsearch_deprecation-4.log.gz
-rw-r--r-- 1 elasticsearch elasticsearch 398M janv. 26 17:41 elasticsearch_deprecation.log
-rw-r--r-- 1 elasticsearch elasticsearch    0 janv. 25 00:40 elasticsearch_index_indexing_slowlog.log
-rw-r--r-- 1 elasticsearch elasticsearch    0 janv. 25 00:40 elasticsearch_index_search_slowlog.log
-rw-r--r-- 1 elasticsearch elasticsearch  49M janv. 26 17:11 elasticsearch.log

Elasticsearch is started under the elasticsearch user and group. I tried to set a chmod 777 on the logs directory but it changed nothing.

Here the exception (cutted in the middle because of text length restriction):

2018-01-26 17:21:48,554 elasticsearch[M55NQJo][search][T#1] ERROR An exception occurred processing Appender deprecation_rolling java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/elasticsearch/elasticsearch-6.1.1/logs" "read")
    	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    	at java.security.AccessController.checkPermission(AccessController.java:884)
    	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    	at java.io.File.exists(File.java:814)
    	at java.io.File.mkdirs(File.java:1340)
    	at org.apache.logging.log4j.core.appender.rolling.AbstractRolloverStrategy.getEligibleFiles(AbstractRolloverStrategy.java:106)
...
org.elasticsearch.common.logging.DeprecationLogger.deprecated(DeprecationLogger.java:129)
            	at org.elasticsearch.index.fielddata.ScriptDocValues$Dates.getDate(ScriptDocValues.java:207)
            	at org.elasticsearch.painless.PainlessScript$Script.lambda$0(boolean gte(Supplier s, def v) {return s.get() >= v} boolean lt(Supplier s, def v) {return s.get() < v}gte(() -> { doc['serverTime'].date.getMillis() - (doc['generationTime'].date.getMillis() - 7200000) }, params.gte) && lt(() -> { doc['serverTime'].date.g ...:133)
            	at org.elasticsearch.painless.PainlessScript$Script$$Lambda0.get(Unknown Source)
            	at org.elasticsearch.painless.PainlessScript$Script.gte(boolean gte(Supplier s, def v) {return s.get() >= v} boolean lt(Supplier s, def v) {return s.get() < v}gte(() -> { doc['serverTime'].date.getMillis() - (doc['generationTime'].date.getMillis() - 7200000) }, params.gte) && lt(() -> { doc['serverTime'].date.g ...:41)
            	at org.elasticsearch.painless.PainlessScript$Script.execute(boolean gte(Supplier s, def v) {return s.get() >= v} boolean lt(Supplier s, def v) {return s.get() < v}gte(() -> { doc['serverTime'].date.getMillis() - (doc['generationTime'].date.getMillis() - 7200000) }, params.gte) && lt(() -> { doc['serverTime'].date.g ...:213)
            	at org.elasticsearch.index.query.ScriptQueryBuilder$ScriptQuery$1$1.matches(ScriptQueryBuilder.java:188)

Any ideas ? Thanks.


(Nik Everett) #2

We're tracking this at https://github.com/elastic/elasticsearch/issues/28408

I've just started working on it this morning.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.