I am trying to test LDAP in elasticsearch/kibana by running it in Docker on Windows 10.

I pulled the image down:

docker pull docker.elastic.co/elasticsearch/elasticsearch:7.10.0

And ran it:

docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.10.0

I did the same with Kibana and everything came up as expected. I then upgraded the elastic licence and started the 30 day trial to get the LDAP features in X-Pack.

I opened a shell to the container and updated the elasticsearch.yml file with my LDAP information and set the path to the role_mapping.yml file. I also updated the role_mapping.yml file with the LDAP information. I followed the instructions here: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/ldap-realm.html

Now when I restart the elasticsearch container I get the following error then the container halts:

uncaught exception in thread [main]    
java.lang.IllegalStateException: security initialization failed
Likely root cause: java.security.AccessControlException: access denied ("java.io.FilePermission" "/role_mapping.yml" "read")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:747)
at java.base/sun.nio.fs.UnixPath.checkRead(UnixPath.java:810)
at java.base/sun.nio.fs.UnixFileSystemProvider.exists(UnixFileSystemProvider.java:524)
at java.base/java.nio.file.Files.exists(Files.java:2514)
at org.elasticsearch.xpack.core.XPackPlugin.resolveConfigFile(XPackPlugin.java:361)
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.resolveFile(DnRoleMapper.java:86)
at org.elasticsearch.xpack.security.authc.support.RoleMappingFileBootstrapCheck.create(RoleMappingFileBootstrapCheck.java:47)

I overwrote the elasticsearch.yml file by copying a version with the LDAP config commented out so I could start the container. When I did this I checked the file permissions and both elasticsearch.yml and role_mapping.yml have the same:

-rw-rw---- 1 elasticsearch root  199 Dec  2 15:51 elasticsearch.keystore
-rwxr-xr-x 1 root          root  568 Dec  2 18:36 elasticsearch.yml
-rw-rw---- 1 elasticsearch root 2301 Nov  9 21:28 jvm.options
drwxrwxr-x 2 elasticsearch root 4096 Nov  9 21:32 jvm.options.d
-rw-rw---- 1 elasticsearch root 8451 Nov  9 21:35 log4j2.properties
-rwxr-xr-x 1 elasticsearch root  502 Dec  2 20:15 role_mapping.yml
-rw-rw---- 1 elasticsearch root  197 Dec  2 20:10 roles.yml
-rw-rw---- 1 elasticsearch root    0 Nov  9 21:32 users
-rw-rw---- 1 elasticsearch root    0 Nov  9 21:32 users_roles

I even tried CHMODing the role_mapping.yml file to 777 but I still get the same result.

I feel like I'm missing something obvious...

Joel
  • 21
  • 5

1 Answer

1

I have discovered the issue: the path to the role_mapping.yml file was incorrect in elasticsearch.yml. I had to use the full path /usr/share/elasticsearch/config/role_mapping.yml

Joel
  • 21
  • 5
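The realm configuration the answer describes, written out as an added example (not taken from the original post or from Elastic's documentation): the role-mapping path points inside /usr/share/elasticsearch/config, the config directory of the Docker image named in the answer, which is where the JVM security policy permits the plugin to read files. The realm name ldap1, the LDAP URL, the DNs and the group names are constructed placeholders.

```yaml
# elasticsearch.yml (fragment) -- LDAP realm for Elasticsearch 7.10.
# All values below are placeholders for illustration.
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://ldap.example.internal:636"
            bind_dn: "cn=es-bind,ou=service,dc=example,dc=internal"
            # The bind password is NOT placed here; it goes into the keystore:
            #   elasticsearch-keystore add xpack.security.authc.realms.ldap.ldap1.secure_bind_password
            user_search:
              base_dn: "ou=people,dc=example,dc=internal"
              filter: "(uid={0})"
            group_search:
              base_dn: "ou=groups,dc=example,dc=internal"
            files:
              # Must resolve to a file inside the config directory.
              # A leading "/" on a bare filename makes the plugin look for
              # /role_mapping.yml, which the security manager denies (the
              # AccessControlException shown in the question).
              role_mapping: "/usr/share/elasticsearch/config/role_mapping.yml"
            # Only explicitly mapped groups grant roles.
            unmapped_groups_as_roles: false
---
# role_mapping.yml -- maps LDAP group DNs to Elasticsearch roles.
# Keep these mappings narrow: the superuser role goes only to an admin group.
superuser:
  - "cn=es-admins,ou=groups,dc=example,dc=internal"
kibana_user:
  - "cn=es-users,ou=groups,dc=example,dc=internal"
  - "cn=es-admins,ou=groups,dc=example,dc=internal"
```

Both files keep the ownership shown in the question's listing (owned by the elasticsearch user), so no chmod 777 is needed once the path is correct.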