Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Elasticsearch starts with security manager exceptions #21932

Closed
amishHammer opened this issue Dec 2, 2016 · 18 comments
Closed

Elasticsearch starts with security manager exceptions #21932

amishHammer opened this issue Dec 2, 2016 · 18 comments
Assignees
@dougnelas

Comments

@amishHammer
Copy link

amishHammer commented Dec 2, 2016
edited
Loading

Elasticsearch version: 5.0.2

Plugins installed: []

JVM version: openjdk version "1.8.0_112"

OS version: FreeBSD 10.3-RELEASE-p4 amd64

Description of the problem including expected versus actual behavior: Elasticsearch starts with security manager exceptions related to installing MBeans. Possibly caused by #21716

Steps to reproduce:

  1. Install elasticsearch
  2. Start service

Provide logs (if relevant):

2016-12-02 11:23:11,825 main ERROR Could not register mbeans java.security.AccessControlException: access denied ("javax.management.MBeanTrustPermission" "register")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:585)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanTrustPermission(DefaultMBeanServerInterceptor.java:1848)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:322)
at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
at org.apache.logging.log4j.core.jmx.Server.register(Server.java:390)
at org.apache.logging.log4j.core.jmx.Server.reregisterMBeansAfterReconfigure(Server.java:167)
at org.apache.logging.log4j.core.jmx.Server.reregisterMBeansAfterReconfigure(Server.java:140)
at org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:507)
at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:249)
at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:206)
at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:219)
at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:196)
at org.elasticsearch.common.logging.LogConfigurator.configureStatusLogger(LogConfigurator.java:125)
at org.elasticsearch.common.logging.LogConfigurator.configureWithoutConfig(LogConfigurator.java:67)
at org.elasticsearch.cli.Command.main(Command.java:59)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:89)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:82)

2016-12-02 11:23:12,121 main ERROR Could not register mbeans java.security.AccessControlException: access denied ("javax.management.MBeanTrustPermission" "register")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:585)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanTrustPermission(DefaultMBeanServerInterceptor.java:1848)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:322)
at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
at org.apache.logging.log4j.core.jmx.Server.register(Server.java:390)
at org.apache.logging.log4j.core.jmx.Server.reregisterMBeansAfterReconfigure(Server.java:167)
at org.apache.logging.log4j.core.jmx.Server.reregisterMBeansAfterReconfigure(Server.java:140)
at org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:507)
at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:249)
at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:116)
at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:83)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:254)
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121)
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112)
at org.elasticsearch.cli.SettingCommand.execute(SettingCommand.java:54)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:96)
at org.elasticsearch.cli.Command.main(Command.java:62)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:89)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:82)

Exception: java.security.AccessControlException thrown from the UncaughtExceptionHandler in thread "Thread-2"
@amishHammer amishHammer changed the title Elasticsearch fails to start with security manager exceptions Elasticsearch starts with security manager exceptions Dec 2, 2016
@jasontedor
Copy link
Member

jasontedor commented Dec 2, 2016
edited
Loading

Elasticsearch ships a default jvm.options file that includes the option -Dlog4j2.disable.jmx=true. I think that you are starting Elasticsearch without this option being passed to the JVM (either you modified this file or you are not starting Elasticsearch with the default jvm.options file).

@amishHammer
Copy link
Author

Great thanks I didn't notice that the updated rc script and elasticsearch.in.sh was not pulling this in correctly, I will fix the FreeBSD port. Thanks!

@9012wushuang
Copy link

what answer about this question ?

@binjo
Copy link

binjo commented Feb 8, 2017

@bifenghui try to check your elasticsearch directory owner, I just got this error and found chown -R to proper user fixed it.

@9012wushuang
Copy link

@binjo Thank you, I have solved this problem。As you reply

@zhaozhenxiang
Copy link

@binjo Your answer is help me.

@jacobweber jacobweber mentioned this issue Jul 23, 2017
Closed
@saliormoon
Copy link

@binjo I have the same problem, but I can't resolve it with above means.

@saliormoon
Copy link

saliormoon commented Aug 29, 2017
edited
Loading

When I start elasticsearch, I have the same problem:
Listening for transport dt_socket at address: 5005
2017-08-29 09:23:25,339 main ERROR Could not register mbeans java.security.AccessControlException: access denied ("javax.management.MBeanTrustPermission" "register")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:585)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanTrustPermission(DefaultMBeanServerInterceptor.java:1848)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:322)
at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
at org.apache.logging.log4j.core.jmx.Server.register(Server.java:389)
at org.apache.logging.log4j.core.jmx.Server.reregisterMBeansAfterReconfigure(Server.java:167)
at org.apache.logging.log4j.core.jmx.Server.reregisterMBeansAfterReconfigure(Server.java:140)
at org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:556)
at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:261)
at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:206)
at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:221)
at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:197)
at org.elasticsearch.common.logging.LogConfigurator.configureStatusLogger(LogConfigurator.java:175)
at org.elasticsearch.common.logging.LogConfigurator.configureWithoutConfig(LogConfigurator.java:99)
at org.elasticsearch.cli.Command.main(Command.java:85)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84)

Exception in thread "main" java.lang.IllegalStateException: status logger logged an error before logging was configured
at org.elasticsearch.common.logging.LogConfigurator.checkErrorListener(LogConfigurator.java:128)
at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:117)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:316)
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123)
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122)
at org.elasticsearch.cli.Command.main(Command.java:88)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84)
Refer to the log for complete error details.
How do you solve it?@jasontedor @binjo

@rajivkuriakose
Copy link

I have changed ownership of below folders and it worked for me

hown -R rajiv:mygroup /usr/share/elasticsearch
chown -R rajiv:mygroup /var/log/elasticsearch
chown -R rajiv:mygroup /var/lib/elasticsearch
chown -R rajiv:mygroup /etc/elasticsearch

chown -R rajiv:mygroup /var/run/elasticsearch/

Also changed below in /etc/init.d/elasticsearch

#ES_USER="elasticsearch"
ES_USER="rajiv"
#ES_GROUP="elasticsearch"
ES_GROUP="mygroup"

@jasontedor
Copy link
Member

@saliormoon @rajivkuriakose I think you have installed Elasticsearch from a package but are starting it by trying to invoke /usr/share/elasticsearch/bin/elasticsearch rather than starting from the service (e.g., systemctl start elasticsearch.service). This is flat out unsupported. If you can not use a service, do not install using a package; instead, install from an archive distribution. The error that is reported here either arises from:

  • modifying the jvm.options file to remove the disabling of Log4j functionality that we do not support
  • not starting with the jvm.options file
  • not having permissions to read the jvm.options file

@saliormoon
Copy link

Thanks,the problem has been resolved.

@grappler2
Copy link

Thanks!

@khakulov khakulov mentioned this issue Nov 16, 2017
Closed
@mikn mikn mentioned this issue Nov 22, 2017
Closed
@someone1 someone1 mentioned this issue Dec 14, 2017
Closed
@rajiv180984
Copy link

ElasticSeearch service is not allowed to run for "ROOT" user. That's why change the ownership of elasticsearch folder with below command:
$ sudo chown -R rajeev:rajeev elasticsearch-5.5.0
then start elasticsearch service. It is working form me perfectly.

@FaldeenOozeer
Copy link

Hello @rajiv180984 ,
Am currently having a similar issue. On the folder "/etc/elasticsearch", the current chown is set:
chown -R elasticsearch:elasticsearch elasticsearch

I have a doubt it may be coming from the jvm.options not being properly loaded or not having the proper access rights. Can you please help?

Am using the following command to start Elasticsearch , sudo -u elasticsearch /usr/share/elasticsearch/bin/elasticsearch

Thanks,

Faldeen

@rajiv180984
Copy link

Hi @FaldeenOozeer
I guess java home is not set for user "elasticsearch". Can you check java_HOME set for respective user by typing simple command $ java -version. If command return does'nt returen anything [details of java], then we shoud add set Java_home for current user by adding java_home in .profile file in linux.
Thanks

@tvernum
Copy link
Contributor

tvernum commented Feb 14, 2018

@FaldeenOozeer Please read Jason's comment here: #21932 (comment)

@gstolarz-euvic
Copy link

@tvernum

Please, explain me that. I've install ES 5.X from puppet module (https://forge.puppet.com/elasticsearch/elasticsearch) which could be run as service - it's started correctly but suddenly crash on:

Exception: java.security.AccessControlException thrown from the UncaughtExceptionHandler in thread "Thread-2"

I've already checked for ownership and it's correct. So, what could be? How could I fix it?

@jasontedor
Copy link
Member

@gstolarz-euvic Please use the forum. We use GitHub for verified bugs and feature requests, and use the forum for general questions.

nh2 referenced this issue in NixOS/nixpkgs Mar 15, 2018
@basvandijk @globin
elk: add elasticsearch6, logstash6, kibana6 and the beats at v6.1.0
3230645 
This change is backwards compatible since the ELK tools at version 5.x
remain unchanged.

The test suite now both tests ELK-5 and ELK-6.

(cherry picked from commit 803077e)
@dougnelas dougnelas self-assigned this Jun 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dougnelas dougnelas

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests