Monday, November 30, 2020

java.io.FilePermission error

Below is the Elasticsearch configuration (elasticsearch.yml) for SSL communication. The certificate path is 'D:/ELK/certutil'.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.key: D:/ELK/certutil/instance/instance.key 
xpack.security.transport.ssl.certificate: D:/ELK/certutil/instance/instance.crt 
xpack.security.transport.ssl.certificate_authorities: D:/ELK/certutil/ca/ca.crt
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: D:/ELK/certutil/instance/instance.key 
xpack.security.http.ssl.certificate: D:/ELK/certutil/instance/instance.crt 
xpack.security.http.ssl.certificate_authorities: D:/ELK/certutil/ca/ca.crt

Running it produced an error.
[2020-11-24T22:59:16,986][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [node-1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.security.AccessControlException: access denied ("java.io.FilePermission" "D:\ELK\certutil\ca" "read")
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.10.0.jar:7.10.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.10.0.jar:7.10.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.10.0.jar:7.10.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) ~[elasticsearch-cli-7.10.0.jar:7.10.0]
        at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.10.0.jar:7.10.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) ~[elasticsearch-7.10.0.jar:7.10.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.10.0.jar:7.10.0]
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "D:\ELK\certutil\ca" "read")

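It cannot access the certificates. This didn't happen in earlier versions, did it? Thinking back, it worked fine when the certificates were located under 'elasticsearch/config'. Apparently the internal logic is written to work that way.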
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.key: D:/ELK/elasticsearch-7.10.0/config/certutil/instance/instance.key 
xpack.security.transport.ssl.certificate: D:/ELK/elasticsearch-7.10.0/config/certutil/instance/instance.crt 
xpack.security.transport.ssl.certificate_authorities: D:/ELK/elasticsearch-7.10.0/config/certutil/ca/ca.crt
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: D:/ELK/elasticsearch-7.10.0/config/certutil/instance/instance.key 
xpack.security.http.ssl.certificate: D:/ELK/elasticsearch-7.10.0/config/certutil/instance/instance.crt 
xpack.security.http.ssl.certificate_authorities: D:/ELK/elasticsearch-7.10.0/config/certutil/ca/ca.crt

If you still want to keep the certificates somewhere other than 'elasticsearch/config', you can modify the Java security settings.


If you don't trust Java, you can also grant the permission by specifying the path.
 

For details, see the related documentation, though I wish someone would explain it (..)
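The two approaches mentioned above (loosening the Java security settings versus granting permission for a specific path) can be written as Java policy-file grants. This is an added example, not taken from the original post. It assumes the JVM that runs Elasticsearch loads the policy file, for instance through the standard `-Djava.security.policy=<file>` JVM option, and it reuses the 'D:/ELK/certutil' path from the configuration above.

```conf
// Constructed example of a Java policy file fragment. Assumption: this file is
// loaded by the JVM that runs Elasticsearch (for example through
// -Djava.security.policy=<file>).

// Broad form: any code in the JVM may read any file on the host.
// It makes the AccessControlException go away, but it also removes the
// file-read boundary for every plugin and library. Shown commented out.
// grant {
//     permission java.io.FilePermission "<<ALL FILES>>", "read";
// };

// Path-scoped form: read-only access to the certificate tree only.
// Backslashes are doubled because the policy parser treats "\" as an escape.
// The trailing "-" matches all files and subdirectories recursively, which
// includes the "D:\ELK\certutil\ca" directory named in the exception.
grant {
    permission java.io.FilePermission "D:\\ELK\\certutil\\-", "read";
};
```

Only the "read" action is granted, so the private key stays unwritable from inside the JVM. Access for other local accounts still has to be restricted with NTFS permissions on the directory.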
