es5.4.3集群配置hdfs备份插件时出现权限错误:
com.google.protobuf.ServiceException: java.security.AccessControlException: access denied ("javax.security.auth.PrivateCredentialPermission" "org.apache.hadoop.security.Credentials" "read")
org.elasticsearch.common.io.stream.NotSerializableExceptionWrapper: service_exception: java.security.AccessControlException: access denied ("javax.security.auth.PrivateCredentialPermission" "org.apache.hadoop.security.Credentials" "read")
java.lang.SecurityException: access denied ("javax.security.auth.PrivateCredentialPermission" "org.apache.hadoop.security.Credentials" "read")
通过编辑${MES_HOME}/plugins/repository-hdfs/plugin-security.policy文件,在其中添加如下权限。
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
permission java.security.AllPermission;
permission java.util.PropertyPermission "*", "read,write";
permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
并且编辑jvm.optionis,在其中增加如下安全策略选项。具体路径需要修改为指向实际的插件策略文件。
-Djava.security.policy=file:///home/elasticsearch/elasticsearch-5.4.3/plugins/repository-hdfs/plugin-security.policy
修改完成后重启集群,就可以正常操作了。
关于其中的permission java.security.AllPermission;我认为可以不需要。这会带来不必要的问题。
参考:
https://github.com/elastic/elasticsearch/issues/22156