Permission denied error in plugin for ES 2.2.0

mkelkar · February 3, 2016, 9:43pm

Hi All,
I am trying to write a plugin for ES 2.2.0. When I start elasticsearch with plugin installed, this is what I get -

Likely root cause: java.security.AccessControlException: access denied ("javax.management.MBeanServerPermission" "createMBeanServer")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.management.ManagementFactory.getPlatformMBeanServer(ManagementFactory.java:465)
at com.yammer.metrics.reporting.JmxReporter.(JmxReporter.java:388)
at com.yammer.metrics.reporting.JmxReporter.startDefault(JmxReporter.java:340)
at com.yammer.metrics.Metrics.(Metrics.java:20)

This is my plugin-security.policy file -

grant {
permission javax.management.MBeanServerPermission "createMBeanServer";
};

I have seen a similar exception in cloud-aws plugin as well, so I am not sure if this is supposed to work. Am I missing something?

Thanks,
Madhav

renaud1 · February 4, 2016, 10:29am

Hi,

We have similar problem with our plugins,
when trying to run any unit tests, we get the following errors:

java.security.AccessControlException: access denied ("org.elasticsearch.ThreadPermission" "modifyArbitraryThreadGroup")

at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at org.elasticsearch.SecureSM.checkThreadGroupAccess(SecureSM.java:166)
at org.elasticsearch.SecureSM.checkAccess(SecureSM.java:113)
at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:315)
at java.lang.ThreadGroup.getParent(ThreadGroup.java:167)
at com.carrotsearch.randomizedtesting.Threads.getTopThreadGroup(Threads.java:113)
at com.carrotsearch.randomizedtesting.Threads.getAllThreads(Threads.java:97)
at com.carrotsearch.randomizedtesting.ThreadLeakControl.<init>(ThreadLeakControl.java:346)
at com.carrotsearch.randomizedtesting.RandomizedRunner.runSuite(RandomizedRunner.java:654)
at com.carrotsearch.randomizedtesting.RandomizedRunner.access$200(RandomizedRunner.java:138)
at com.carrotsearch.randomizedtesting.RandomizedRunner$1.run(RandomizedRunner.java:579)

and

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setDefaultUncaughtExceptionHandler")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.Thread.setDefaultUncaughtExceptionHandler(Thread.java:1893)
at com.carrotsearch.randomizedtesting.RandomizedRunner.runSuite(RandomizedRunner.java:602)
at com.carrotsearch.randomizedtesting.RandomizedRunner.run(RandomizedRunner.java:444)

We tried to follow instructions by adding a plugin-security.policy in src/main/plugin-metadata (we tried also in src/main/resources or src/test/resources) with the following rules, without any luck:

grant {
permission org.elasticsearch.ThreadPermission "modifyArbitraryThreadGroup";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
};

mkelkar · February 4, 2016, 11:47pm

renaud1,
I was able to get rid of the error today...
There are two things that need to be done - one is to ensure proper permissions in plugin-security.policy and second is to wrap your code which needs special permissions with

AccessController.doPrivileged()

Here is a snippet from ES help -

// ES permission you should check before doPrivileged() blocks
import org.elasticsearch.SpecialPermission;

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
  // unprivileged code such as scripts do not have SpecialPermission
  sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(
  // sensitive operation
);

More info here - https://www.elastic.co/guide/en/elasticsearch/plugins/2.2/plugin-authors.html#_java_security_permissions

Thanks,
Madhav.

renaud1 · February 5, 2016, 11:49am

Thanks Madhav for the info,

the issue however does not come from my code, but from the elasticsearch test framework.
We managed to progress a bit. The permission issue we had with com.carrotsearch.randomizedtesting was due to having the com.carrotsearch.randomizedtesting dependency not set to version 2.2.0. After using this dependency in my application, the permission errors were gone.

However, we stumble upon a new permission issue (see below). Looks like elasticsearch test framework does not have file permission policy for my target test directory. From what I understand, permissions defined in plugin-security.policy are granted only to the plugin itself, not to elasticsearch test framework. The only way I found to make it work is to specify my own policy at runtime using -Djava.security.policy=my_policy which does not sound right.

java.security.AccessControlException: access denied ("java.io.FilePermission" "./target/elasticsearch-test/data/SUITE-CHILD_VM=[0]-CLUSTER_SEED=[-3368555408586290560]-HASH=[4D23AA0D8173]-cluster/nodes/0" "write")

at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkWrite(SecurityManager.java:979)
at sun.nio.fs.UnixPath.checkWrite(UnixPath.java:801)
at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:376)
at org.apache.lucene.mockfile.FilterFileSystemProvider.createDirectory(FilterFileSystemProvider.java:133)
at org.apache.lucene.mockfile.FilterFileSystemProvider.createDirectory(FilterFileSystemProvider.java:133)
at org.apache.lucene.mockfile.FilterFileSystemProvider.createDirectory(FilterFileSystemProvider.java:133)
at org.apache.lucene.mockfile.FilterFileSystemProvider.createDirectory(FilterFileSystemProvider.java:133)
at java.nio.file.Files.createDirectory(Files.java:674)
at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781)
at java.nio.file.Files.createDirectories(Files.java:727)
at org.elasticsearch.env.NodeEnvironment.<init>(NodeEnvironment.java:168)
at org.elasticsearch.node.Node.<init>(Node.java:153)
at org.elasticsearch.node.MockNode.<init>(MockNode.java:43)
at org.elasticsearch.test.InternalTestCluster.buildNode(InternalTestCluster.java:606)
at org.elasticsearch.test.InternalTestCluster.reset(InternalTestCluster.java:957)
at org.elasticsearch.test.InternalTestCluster.beforeTest(InternalTestCluster.java:925)
at org.elasticsearch.test.ESIntegTestCase.beforeInternal(ESIntegTestCase.java:345)
at org.elasticsearch.test.ESIntegTestCase.before(ESIntegTestCase.java:1953)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1660)
at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:900)
at com.carrotsearch.randomizedtesting.RandomizedRunner$10.evaluate(RandomizedRunner.java:916)
at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:50)
at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:46)
at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:49)
at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:65)
at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:48)
...

mkelkar · February 5, 2016, 3:23pm

The plugin help mentions this -

If you are using the elasticsearch Maven build system, place this file in src/main/plugin-metadata and it will be applied during unit tests as well.

Also take a look at this PR for security settings - https://github.com/elastic/elasticsearch/pull/14108

Hope this helps!

Thanks,
Madhav.

renaud1 · February 8, 2016, 2:56pm

Thanks Madhav for the help, but I found a solution to my problem.

For other people encountering the same issue,
the cause of the FilePermission error was due to our custom path.data node setting in our unit tests:

  @Override
  protected Settings nodeSettings(int nodeOrdinal) {
    return settingsBuilder()
      .put("path.data", "./target/elasticsearch-test/data/")
      .put(super.nodeSettings(nodeOrdinal)).build();
  }

Removing this custom path.data setting solved the issue.