6

I am writing an elasticsearch plugin which relies on reading data from a file on disk. When I try to access this file in my code, I get the following exception.

```
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "patient_similarity/codes.txt" "read")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at java.io.FileInputStream.<init>(FileInputStream.java:127)
    at org.gatech.lucene.search.store.DotProductStore.<init>(DotProductStore.java:22)
    at org.gatech.lucene.search.store.DotProductStore.newInstance(DotProductStore.java:71)
    at org.gatech.elasticsearch.CommonsPlugin.onModule(CommonsPlugin.java:39)
```

Is there any recommended method of accessing files in elasticsearch plugins? Is there any quick workaround to access the file in my plugin?

Apurv

2 Answers

17

One way to do this is to start the Elasticsearch process by disabling the security manager, like this:

```
bin/elasticsearch -Dsecurity.manager.enabled=false
```

Since ES 2.x, the Java security manager is enabled by default; it was disabled earlier. Note, though, that this option will be removed in 2.3 because it makes your ES process vulnerable.

The correct way of doing this is to customize your security policy and specify the file(s) you want to access using policy files:

```
grant {
    permission java.io.FilePermission "/tmp/patient_similarity/codes.txt", "read,write";
};
```

You can add this policy in four different locations:

  1. either system wide in $JAVA_HOME/lib/security/java.policy
  2. or for just the elasticsearch user in /home/elasticsearch/.java.policy
  3. or from a file specified on the command line: -Djava.security.policy=someURL
  4. or in the plugin-security.policy file included in your plugin.

Since you're developing a plugin, you should of course use option 4.

Val
  • In ES 6.x docs the security manager stuff is mentioned but the details have been removed. Adding the policy file is now the only way to do this. – Mnebuerquo Jan 23 '18 at 18:42
  • We are using ES version 7.x with Java 12 and we need to read and write in a directory. Please provide us the solution. – Hardik Dobariya Oct 10 '19 at 13:07
  • @HardikDobariya this question is closed, feel free to ask a new one by referencing this one. – Val Oct 10 '19 at 13:53
  • @Val: Thank you. I have opened a new question. https://stackoverflow.com/questions/58326513/read-and-write-files-to-a-folder-in-elastic-search-plugin – Hardik Dobariya Oct 10 '19 at 15:37
  • When using puppet one can implement option 3: `elasticsearch::jvm_options: - '-Djava.security.policy=someUrl'` – feskr Nov 13 '19 at 12:10
  • 1
    @user18154574 no you don't have that level of control over the JVM on Elastic Cloud and you don't have access to the filesystem either – Val Jun 07 '23 at 08:21
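Option 4 from the answer above in practice, as an added example that is not part of the original answer or of Elasticsearch's own code: the policy grant appears in the header comment, narrowed to `read` because the question only reads the file, and the read is wrapped in `AccessController.doPrivileged` so the plugin's grant applies even when callers without that permission are on the stack. The class name `CodesLoader` and the temporary file used in `main` are assumptions made for illustration.

```java
// plugin-security.policy shipped with the plugin (option 4), narrowed to "read"
// because the plugin only reads the file:
//
//   grant {
//     permission java.io.FilePermission "/tmp/patient_similarity/codes.txt", "read";
//   };

import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.List;

public final class CodesLoader { // hypothetical class name

    static List<String> readCodes(final Path file) {
        // The grant names an absolute path; a relative path such as the one in
        // the question's exception resolves against the node's working directory.
        if (!file.isAbsolute()) {
            throw new IllegalArgumentException("expected an absolute path: " + file);
        }
        // doPrivileged stops the permission check at this class's protection
        // domain, so only the plugin's own policy grant has to cover the read.
        return AccessController.doPrivileged((PrivilegedAction<List<String>>) () -> {
            try {
                return Files.readAllLines(file, StandardCharsets.UTF_8);
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        });
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input so the class runs stand-alone.
        Path sample = Files.createTempFile("codes", ".txt");
        try {
            Files.write(sample, Arrays.asList("A01", "B02"), StandardCharsets.UTF_8);
            System.out.println(readCodes(sample));
        } finally {
            Files.delete(sample);
        }
    }
}
```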
0

I had a similar issue in my Elasticsearch RestHandler plugin, where I was reading the file content from some URL, say "http://google.com/content.json". I resolved it via the approach below:

```java
import java.io.InputStream;
import java.net.URL;

String url = "http://google.com/content.json";
URL fileUrl = new URL(url);
InputStream is = fileUrl.openStream();
```
Devendra Singh