Hi,
I want to use a groovy script:
1.) to calculate a value (this works) and
2.) to add the newly calculated value to the document using the update API
The script is stored in /etc/elasticsearch/scripts and I understood that in this case I do not have to think about the Java Security Manager. Is this right?
The first part of the script is working fine. However things are not working when I add the second part of the script:
def url = "http://elk:9200/testindex/testdocument/" + doc['id'] + "/_update"
def json = '{ "doc": { "testvalue":"999" } }'
def response = ["curl", "-X", "POST", "-H", "Content-Type: application/json", "-d", "${json}", "${url}"].execute().text
Executing the script I get following error message:
1.)Output from script
"reason": {
"caused_by": {
"reason": "access denied ("java.io.FilePermission" "<>" "execute")",
"type": "access_control_exception"
},
"reason": "failed to run file script [vm_lifetime_deleted] using lang [groovy]",
"type": "script_exception"
2.) In /var/log/elasticsearch/elasticsearch.log
[2016-04-27 10:05:12,435][DEBUG][action.search ] [elk] [8] Failed to execute fetch phase
RemoteTransportException[[elk][192.168.100.29:9300][indices:data/read/search[phase/fetch/id]]]; nested: ScriptException[failed to run file script [vm_lifetime_deleted] using lang [groovy]]; nested: AccessControlException[access denied ("java.io.FilePermission" "<>" "execute")];
Caused by: ScriptException[failed to run file script [vm_lifetime_deleted] using lang [groovy]]; nested: AccessControlException[access denied ("java.io.FilePermission" "<>" "execute")];
at org.elasticsearch.script.groovy.GroovyScriptEngineService$GroovyScript.run(GroovyScriptEngineService.java:320)
at org.elasticsearch.search.fetch.script.ScriptFieldsFetchSubPhase.hitExecute(ScriptFieldsFetchSubPhase.java:85)
at org.elasticsearch.search.fetch.FetchPhase.execute(FetchPhase.java:188)
at org.elasticsearch.search.SearchService.executeFetchPhase(SearchService.java:592)
at org.elasticsearch.search.action.SearchServiceTransportAction$FetchByIdTransportHandler.messageReceived(SearchServiceTransportAction.java:408)
at org.elasticsearch.search.action.SearchServiceTransportAction$FetchByIdTransportHandler.messageReceived(SearchServiceTransportAction.java:405)
at org.elasticsearch.transport.TransportRequestHandler.messageReceived(TransportRequestHandler.java:33)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:75)
at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:376)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "<>" "execute")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkExec(SecurityManager.java:799)
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1018)
at java.lang.Runtime.exec(Runtime.java:620)
at java.lang.Runtime.exec(Runtime.java:485)
at org.codehaus.groovy.runtime.ProcessGroovyMethods.execute(ProcessGroovyMethods.java:595)
at org.codehaus.groovy.runtime.ProcessGroovyMethods.execute(ProcessGroovyMethods.java:662)
at org.codehaus.groovy.runtime.dgm$895.doMethodInvoke(Unknown Source)
at org.codehaus.groovy.vmplugin.v7.IndyInterface.selectMethod(IndyInterface.java:228)
at 4aa35ba4549f50461ab4f8d973c9bf622b1510ec.run(4aa35ba4549f50461ab4f8d973c9bf622b1510ec:13)
at org.elasticsearch.script.groovy.GroovyScriptEngineService$GroovyScript$1.run(GroovyScriptEngineService.java:313)
at java.security.AccessController.doPrivileged(Native Method)
at org.elasticsearch.script.groovy.GroovyScriptEngineService$GroovyScript.run(GroovyScriptEngineService.java:310)
The same script works fine If I run it from within groovyConsole. In addtion, I tried to define a java.policy which grants all permissions (although this is not needed to my understanding).
$JAVA_HOME/lib/security/java.policy:
grant {
permission java.security.AllPermission;
};
But I still get the error message.
I highly appreciate any help.
Cheers