[BUG] Opensearch repository-s3 plugin cannot read ServiceAccount token #6312
Comments
I'm having the same issue. |
@DimitrisChristinakis @annasunny this is covered in documentation [1], the |
@reta Thank you Andriy! Could you help explain more on this: Where is the" SecurityManager policy settings", and how I can change it? |
Sure, the policy is located here
Please note that service restart is needed. [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html |
Thank you @reta! However, I'm not seeing the Instead, I'm running into another |
That's correct, as I mentioned, you may need to add this line manually:
@reta This is still a problem because:
My recommendation is to add the EKS default token and Kubernetes default service account token mount path to the allowed files in the policy; after all, it's an AWS-related product. Or allow a custom step between installing the plugin and starting opensearch. |
@herrbpl we do have a viable approach using soft links [1], I will update the docs and plugin (if necessary), https://www.elastic.co/guide/en/elasticsearch/reference/8.6/repository-s3.html#iam-kubernetes-service-accounts
The OS plugins (at least core ones) should not have access to anything outside conf or its local installation folder. |
but how to solve issue that you cannot install plugin if target folder is not empty? |
The conf folder is outside of the plugin target folder (it is controlled by |
Hi @reta Andriy, after I link those two: looks like the symlink from the Elastic community won't fix this for Opensearch. |
Hey @annasunny , You need a full path here (afaik the OPENSEARCH_PATH_CONFIG won't be expanded in
I have submitted the fix to make the exact case you are trying to work just fine (#6390), but it is not yet merged. With it:
would work out of the box. |
Hi @reta , I am currently using Opensearch Operator to set up the cluster and I can verify that symlink works after adding it manually to every pod. Unfortunately I cannot find a way to automatically create the symlink or modify plugin-security.policy in order for this to work without modifying images, etc. I don't know if you have any ideas for this? |
Thanks for confirming @DimitrisChristinakis , the modification of the |
Describe the bug
I am running an Opensearch cluster using Opensearch Operator in AWS EKS. I have created a ServiceAccount in order to access an AWS S3 bucket to use for my snapshots, but I get the following error:
```json
"reason" : "amazon_client_exception: java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/run/secrets/eks.amazonaws.com/serviceaccount/token" "read")",
"caused_by" : {
  "type" : "security_exception",
  "reason" : "access denied ("java.io.FilePermission" "/var/run/secrets/eks.amazonaws.com/serviceaccount/token" "read")"
```
The token has the following permissions:
lrwxrwxrwx 1 root root 12 Feb 13 18:21 /var/run/secrets/eks.amazonaws.com/serviceaccount/token -> ..data/token
If I copy this token under the plugin's directory it works normally:
/usr/share/opensearch/plugins/repository-s3/token
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The plugin should be able to read the token
Plugins
repository-s3 plugin
Host/Environment (please complete the following information):
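The symlink workaround discussed in the thread (the plugin sandbox may read the config directory but not /var/run/secrets, and OPENSEARCH_PATH_CONF is not expanded, so the link needs an absolute target), as an added example that is not part of the issue or the OpenSearch project. It assumes the plugin looks for the token at `<config>/repository-s3/aws-web-identity-token-file`, following the Elastic repository-s3 convention linked above, and that `AWS_WEB_IDENTITY_TOKEN_FILE` is the variable EKS injects into the pod.

```shell
#!/bin/sh
# Added example: link the Kubernetes-projected web identity token into the
# OpenSearch config directory, which the plugin policy allows it to read,
# instead of copying a short-lived token into the plugin directory.
#
# Assumptions (not stated in the issue): the plugin reads the token from
# <config>/repository-s3/aws-web-identity-token-file (Elastic convention),
# and AWS_WEB_IDENTITY_TOKEN_FILE holds the projected token path in the pod.
set -eu

# link_sts_token TOKEN_PATH CONFIG_DIR
# Creates CONFIG_DIR/repository-s3/aws-web-identity-token-file -> TOKEN_PATH,
# verifies the token is readable through the link and prints the link path.
# Returns 1 if the token is missing/unreadable/empty, 2 if a regular file
# is already in the way.
link_sts_token() {
    token_path=$1
    config_dir=$2
    link_dir="$config_dir/repository-s3"
    link_path="$link_dir/aws-web-identity-token-file"

    # The projected token is itself a symlink (token -> ..data/token);
    # -r follows it, so this also fails if the projection is not there yet.
    if [ ! -r "$token_path" ]; then
        echo "token not readable: $token_path" >&2
        return 1
    fi
    mkdir -p "$link_dir"
    # Never clobber a regular file: a copied token left here would go
    # stale silently once the projected token rotates.
    if [ -e "$link_path" ] && [ ! -L "$link_path" ]; then
        echo "refusing to replace regular file: $link_path" >&2
        return 2
    fi
    # Replace any previous link; the target must be an absolute path,
    # since the plugin will not expand OPENSEARCH_PATH_CONF or similar.
    rm -f "$link_path"
    ln -s "$token_path" "$link_path"
    # Read through the link, exactly as the plugin will; -s rejects an
    # empty token file.
    if [ ! -s "$link_path" ]; then
        echo "link does not resolve to a non-empty token: $link_path" >&2
        return 1
    fi
    echo "$link_path"
}

# Typical use in the pod, e.g. from an initContainer or entrypoint hook:
#   link_sts_token "$AWS_WEB_IDENTITY_TOKEN_FILE" /usr/share/opensearch/config
```

Because the config directory sits outside the plugin's target folder, this does not interfere with the plugin install, which refuses a non-empty target directory.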