Hi All,
I am trying to write a plugin for ES 2.2.0. When I start elasticsearch with plugin installed, this is what I get -
Likely root cause: java.security.AccessControlException: access denied ("javax.management.MBeanServerPermission" "createMBeanServer")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.management.ManagementFactory.getPlatformMBeanServer(ManagementFactory.java:465)
at com.yammer.metrics.reporting.JmxReporter.(JmxReporter.java:388)
at com.yammer.metrics.reporting.JmxReporter.startDefault(JmxReporter.java:340)
at com.yammer.metrics.Metrics.(Metrics.java:20)
This is my plugin-security.policy file -
grant {
permission javax.management.MBeanServerPermission "createMBeanServer";
};
I have seen a similar exception in cloud-aws plugin as well, so I am not sure if this is supposed to work. Am I missing something?
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at org.elasticsearch.SecureSM.checkThreadGroupAccess(SecureSM.java:166)
at org.elasticsearch.SecureSM.checkAccess(SecureSM.java:113)
at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:315)
at java.lang.ThreadGroup.getParent(ThreadGroup.java:167)
at com.carrotsearch.randomizedtesting.Threads.getTopThreadGroup(Threads.java:113)
at com.carrotsearch.randomizedtesting.Threads.getAllThreads(Threads.java:97)
at com.carrotsearch.randomizedtesting.ThreadLeakControl.<init>(ThreadLeakControl.java:346)
at com.carrotsearch.randomizedtesting.RandomizedRunner.runSuite(RandomizedRunner.java:654)
at com.carrotsearch.randomizedtesting.RandomizedRunner.access$200(RandomizedRunner.java:138)
at com.carrotsearch.randomizedtesting.RandomizedRunner$1.run(RandomizedRunner.java:579)
and
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setDefaultUncaughtExceptionHandler")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.Thread.setDefaultUncaughtExceptionHandler(Thread.java:1893)
at com.carrotsearch.randomizedtesting.RandomizedRunner.runSuite(RandomizedRunner.java:602)
at com.carrotsearch.randomizedtesting.RandomizedRunner.run(RandomizedRunner.java:444)
We tried to follow instructions by adding a plugin-security.policy in src/main/plugin-metadata (we tried also in src/main/resources or src/test/resources) with the following rules, without any luck:
grant {
permission org.elasticsearch.ThreadPermission "modifyArbitraryThreadGroup";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
};
renaud1,
I was able to get rid of the error today...
There are two things that need to be done - one is to ensure proper permissions in plugin-security.policy and second is to wrap your code which needs special permissions with
AccessController.doPrivileged()
Here is a snippet from ES help -
// ES permission you should check before doPrivileged() blocks
import org.elasticsearch.SpecialPermission;
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
// unprivileged code such as scripts do not have SpecialPermission
sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(
// sensitive operation
);
the issue however does not come from my code, but from the elasticsearch test framework.
We managed to progress a bit. The permission issue we had with com.carrotsearch.randomizedtesting was due to having the com.carrotsearch.randomizedtesting dependency not set to version 2.2.0. After using this dependency in my application, the permission errors were gone.
However, we stumble upon a new permission issue (see below). Looks like elasticsearch test framework does not have file permission policy for my target test directory. From what I understand, permissions defined in plugin-security.policy are granted only to the plugin itself, not to elasticsearch test framework. The only way I found to make it work is to specify my own policy at runtime using -Djava.security.policy=my_policy which does not sound right.
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkWrite(SecurityManager.java:979)
at sun.nio.fs.UnixPath.checkWrite(UnixPath.java:801)
at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:376)
at org.apache.lucene.mockfile.FilterFileSystemProvider.createDirectory(FilterFileSystemProvider.java:133)
at org.apache.lucene.mockfile.FilterFileSystemProvider.createDirectory(FilterFileSystemProvider.java:133)
at org.apache.lucene.mockfile.FilterFileSystemProvider.createDirectory(FilterFileSystemProvider.java:133)
at org.apache.lucene.mockfile.FilterFileSystemProvider.createDirectory(FilterFileSystemProvider.java:133)
at java.nio.file.Files.createDirectory(Files.java:674)
at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781)
at java.nio.file.Files.createDirectories(Files.java:727)
at org.elasticsearch.env.NodeEnvironment.<init>(NodeEnvironment.java:168)
at org.elasticsearch.node.Node.<init>(Node.java:153)
at org.elasticsearch.node.MockNode.<init>(MockNode.java:43)
at org.elasticsearch.test.InternalTestCluster.buildNode(InternalTestCluster.java:606)
at org.elasticsearch.test.InternalTestCluster.reset(InternalTestCluster.java:957)
at org.elasticsearch.test.InternalTestCluster.beforeTest(InternalTestCluster.java:925)
at org.elasticsearch.test.ESIntegTestCase.beforeInternal(ESIntegTestCase.java:345)
at org.elasticsearch.test.ESIntegTestCase.before(ESIntegTestCase.java:1953)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1660)
at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:900)
at com.carrotsearch.randomizedtesting.RandomizedRunner$10.evaluate(RandomizedRunner.java:916)
at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:50)
at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:46)
at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:49)
at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:65)
at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:48)
...
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.