elasticsearch ik socket access denied

August 7, 2018

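I have recently been using elasticsearch and chose ik for Chinese word segmentation. ik supports hot-reloading of its dictionary, but the configuration kept failing. I have never written Java code, so I was quite surprised that Java requires a permission check even for socket connections. I originally installed the plugin with elasticsearch-plugin; if you install it manually from the stable release package provided on ik's GitHub, this problem does not occur, because the "plugin-security.policy" in that package already contains the solution.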

When es starts, the log file contains the following error.

[2018-08-07T14:52:26,004][WARN ][o.e.g.Gateway            ] [75Cwi4-] recovering index [index/Tmk_kfl-SqqeSSPx7vjXQw] failed - recovering as closed
java.security.AccessControlException: access denied ("java.net.SocketPermission" "120.77.217.214:80" "connect,resolve")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_65]
	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_65]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_65]
	at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051) ~[?:1.8.0_65]
	at java.net.Socket.connect(Socket.java:584) ~[?:1.8.0_65]
	at org.apache.http.conn.socket.PlainConnectionSocketFactory.connectSocket(PlainConnectionSocketFactory.java:74) ~[?:?]
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141) ~[?:?]
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) ~[?:?]
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) ~[?:?]
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[?:?]
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) ~[?:?]
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) ~[?:?]
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[?:?]
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) ~[?:?]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) ~[?:?]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) ~[?:?]
	at org.wltea.analyzer.dic.Dictionary.getRemoteWords(Dictionary.java:470) ~[?:?]
	at org.wltea.analyzer.dic.Dictionary.loadRemoteExtDict(Dictionary.java:439) ~[?:?]
	at org.wltea.analyzer.dic.Dictionary.loadMainDict(Dictionary.java:380) ~[?:?]
	

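This error is caused by the Java security manager, SecurityManager; for background, see the article "Getting Started with the Java Security Manager SecurityManager". Since I don't know much about this area, I won't go into it further. The approach to solving the problem is to allow these socket connections in the SecurityManager configuration file. Find the "java.policy" file; on my Mac it is at "/Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security/java.policy". If you are on Windows or Linux, you can search for the java.policy file; take care not to modify the configuration file of a JRE bundled with some other software.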

grant {
    ...
    // default configuration omitted
    permission java.net.SocketPermission "*", "connect,resolve";
};

Add the last 2 permission-related lines shown above to the end of the configuration file, then restart es, and everything is OK!
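The grant above uses "*", which lets code running under this JRE connect to any host, while the denial in the log names only 120.77.217.214:80. The following script is an added example, not part of the original post or of ik: it flags wildcard SocketPermission grants in a policy file and derives the narrower permission line from the denial text; the function names and sample constants are my own.

```python
import re

# Denial text from the log on this page (stack frames omitted).
SAMPLE_LOG = (
    'java.security.AccessControlException: access denied '
    '("java.net.SocketPermission" "120.77.217.214:80" "connect,resolve")\n'
    '\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)\n'
)
# The grant from this page, with the elided defaults left out.
SAMPLE_POLICY = 'grant {\n    permission java.net.SocketPermission "*", "connect,resolve";\n};\n'

DENIED = re.compile(
    r'AccessControlException: access denied '
    r'\("(?P<cls>[\w.$]+)"\s+"(?P<target>[^"]*)"(?:\s+"(?P<actions>[^"]*)")?\)'
)
GRANTED = re.compile(
    r'permission\s+java\.net\.SocketPermission\s+'
    r'"(?P<target>[^"]*)"\s*,\s*"(?P<actions>[^"]*)"\s*;'
)


def minimal_grants(log_text):
    """Policy lines covering exactly the permissions the log reports as denied."""
    lines = []
    for m in DENIED.finditer(log_text):
        actions = f', "{m["actions"]}"' if m["actions"] else ""
        line = f'permission {m["cls"]} "{m["target"]}"{actions};'
        if line not in lines:  # the same denial is usually logged many times
            lines.append(line)
    return lines


def wildcard_socket_grants(policy_text):
    """SocketPermission targets in a policy file whose host part starts with '*'."""
    # Drop whole-line // comments so commented-out grants are not reported.
    active = re.sub(r'(?m)^\s*//.*$', '', policy_text)
    hits = []
    for m in GRANTED.finditer(active):
        target = m["target"]
        host = target.rsplit(":", 1)[0] if ":" in target else target
        if host.startswith("*"):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("wildcard grants:", wildcard_socket_grants(SAMPLE_POLICY))
    print("narrower replacement:")
    for line in minimal_grants(SAMPLE_LOG):
        print("   ", line)
```

Run against the real log and java.policy, the second function shows which grants to tighten and the first gives the host-specific line to use in their place.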