Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AccessControlException when registering an azure repository #25931

Closed
dadoonet opened this issue Jul 27, 2017 · 2 comments

Comments

Projects
None yet
4 participants
@dadoonet
Copy link
Member

commented Jul 27, 2017

Elasticsearch version: 6.0.0-beta1 (545138b)

Plugins installed: [ repository-azure ]

Description of the problem including expected versus actual behavior: Unable to register an azure repository

Steps to reproduce:

  1. Start elasticsearch with:
bin/elasticsearch -Ecloud.azure.storage.default.account=ACCOUNT -Ecloud.azure.storage.default.key=KEY

Or add the following in config/elasticsearch.yml

cloud.azure.storage.default.account: ACCOUNT
cloud.azure.storage.default.key: KEY
  1. Register a repository:
curl -XDELETE 127.0.0.1:9200/_snapshot/azure?pretty
curl -XPUT '127.0.0.1:9200/_snapshot/azure?pretty' -H 'Content-Type: application/json' -d'
{
  "type": "azure"
}'

Provide logs (if relevant):

[2017-07-27T11:47:14,704][WARN ][r.suppressed             ] path: /_snapshot/azure, params: {pretty=, repository=azure}
java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.net.SocketPermission" "dpi24329.blob.core.windows.net:443" "connect,resolve")
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1488) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3018) ~[?:?]
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:489) ~[?:1.8.0_121]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338) ~[?:?]
	at com.microsoft.azure.storage.StorageException.translateException(StorageException.java:76) ~[?:?]
	at com.microsoft.azure.storage.core.ExecutionEngine.executeWithRetry(ExecutionEngine.java:199) ~[?:?]
	at com.microsoft.azure.storage.blob.CloudBlobContainer.exists(CloudBlobContainer.java:769) ~[?:?]
	at com.microsoft.azure.storage.blob.CloudBlobContainer.exists(CloudBlobContainer.java:756) ~[?:?]
	at com.microsoft.azure.storage.blob.CloudBlobContainer.exists(CloudBlobContainer.java:730) ~[?:?]
	at org.elasticsearch.cloud.azure.storage.AzureStorageServiceImpl.blobExists(AzureStorageServiceImpl.java:237) ~[?:?]
	at org.elasticsearch.cloud.azure.blobstore.AzureBlobStore.blobExists(AzureBlobStore.java:116) ~[?:?]
	at org.elasticsearch.cloud.azure.blobstore.AzureBlobContainer.blobExists(AzureBlobContainer.java:61) ~[?:?]
	at org.elasticsearch.cloud.azure.blobstore.AzureBlobContainer.writeBlob(AzureBlobContainer.java:96) ~[?:?]
	at org.elasticsearch.repositories.blobstore.BlobStoreRepository.startVerification(BlobStoreRepository.java:581) ~[elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.repositories.RepositoriesService.verifyRepository(RepositoriesService.java:211) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.repositories.RepositoriesService$VerifyingRegisterRepositoryListener.onResponse(RepositoriesService.java:414) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.repositories.RepositoriesService$VerifyingRegisterRepositoryListener.onResponse(RepositoriesService.java:399) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.cluster.AckedClusterStateUpdateTask.onAllNodesAcked(AckedClusterStateUpdateTask.java:64) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.cluster.service.MasterService$SafeAckedClusterStateTaskListener.onAllNodesAcked(MasterService.java:523) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.cluster.service.MasterService$AckCountDownListener.onNodeAck(MasterService.java:623) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.cluster.service.MasterService$DelegetingAckListener.onNodeAck(MasterService.java:563) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.discovery.zen.ZenDiscovery$1.onNewClusterStateProcessed(ZenDiscovery.java:346) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.discovery.zen.PendingClusterStatesQueue.markAsProcessed(PendingClusterStatesQueue.java:177) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.discovery.zen.ZenDiscovery$3.clusterStateProcessed(ZenDiscovery.java:819) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.cluster.service.ClusterApplierService$SafeClusterStateTaskListener.clusterStateProcessed(ClusterApplierService.java:534) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.cluster.service.ClusterApplierService.applyChanges(ClusterApplierService.java:485) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.cluster.service.ClusterApplierService.runTask(ClusterApplierService.java:426) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.cluster.service.ClusterApplierService$UpdateTask.run(ClusterApplierService.java:155) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:569) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:247) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:210) [elasticsearch-6.0.0-beta1.jar:6.0.0-beta1]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_121]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_121]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "dpi24329.blob.core.windows.net:443" "connect,resolve")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
	at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051) ~[?:1.8.0_121]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:510) ~[?:?]
	at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) ~[?:?]
	at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) ~[?:?]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032) ~[?:?]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474) ~[?:?]
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[?:1.8.0_121]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338) ~[?:?]
	at com.microsoft.azure.storage.core.ExecutionEngine.executeWithRetry(ExecutionEngine.java:119) ~[?:?]
	... 28 more
@jasontedor

This comment has been minimized.

Copy link
Member

commented Jul 27, 2017

This looks like a blocker to me. Can you look @tbrooks8?

tbrooks8 added a commit to tbrooks8/elasticsearch that referenced this issue Jul 27, 2017

Make calls to CloudBlobContainer#exists privileged
This is related to elastic#25931. In CloudBlobContainer#exists it is possible
that a socket connection will be opened. This commit ensures that those
calls have the proper socket privileges.
@tbrooks8

This comment has been minimized.

Copy link
Contributor

commented Jul 28, 2017

Closed by #25937.

@tbrooks8 tbrooks8 closed this Jul 28, 2017

tbrooks8 added a commit that referenced this issue Jul 28, 2017

Make calls to CloudBlobContainer#exists privileged (#25937)
This is related to #25931. In CloudBlobContainer#exists it is possible
that a socket connection will be opened. This commit ensures that those
calls have the proper socket privileges.

jasontedor added a commit that referenced this issue Jul 28, 2017

Make calls to CloudBlobContainer#exists privileged (#25937)
This is related to #25931. In CloudBlobContainer#exists it is possible
that a socket connection will be opened. This commit ensures that those
calls have the proper socket privileges.

jasontedor added a commit that referenced this issue Jul 28, 2017

Make calls to CloudBlobContainer#exists privileged (#25937)
This is related to #25931. In CloudBlobContainer#exists it is possible
that a socket connection will be opened. This commit ensures that those
calls have the proper socket privileges.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.