access denied to solr home lib dir

access denied to solr home lib dir

Charles Moad-2
    I have been trying to get a new solr install setup on Ubuntu 9.10
using tomcat6.  I have tried the solr 1.4 release and the latest svn
for good measure.  No matter what, I am running into the following
permission error.  I removed all the lib includes from solrconfig.xml.
I have created the "/opt/solr/steve/lib" directory and all permissions
are good.  This directory is optional, but I just cannot get past
this.  I've installed solr 1.3 many times without running into this on
redhat boxes.

Thanks,
    Charlie

Nov 22, 2009 2:48:53 PM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter SolrRequestFilter
org.apache.solr.common.SolrException:
java.security.AccessControlException: access denied
(java.io.FilePermission /opt/solr/steve/./lib read)
       at org.apache.solr.servlet.SolrDispatchFilter.<init>(SolrDispatchFilter.java:68)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
       at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
       at java.lang.Class.newInstance0(Class.java:355)
       at java.lang.Class.newInstance(Class.java:308)
       at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:255)
       at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:397)
       at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:108)
       at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3800)
       at org.apache.catalina.core.StandardContext.start(StandardContext.java:4450)
       at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
       at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:123)
       at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
       at java.security.AccessController.doPrivileged(Native Method)
       at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:769)
       at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
       at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:630)
       at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:556)
       at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:491)
       at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1206)
       at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:314)
       at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
       at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
       at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
       at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
       at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
       at org.apache.catalina.core.StandardService.start(StandardService.java:516)
       at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
       at org.apache.catalina.startup.Catalina.start(Catalina.java:583)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:177)
Caused by: java.security.AccessControlException: access denied
(java.io.FilePermission /opt/solr/steve/./lib read)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
       at java.security.AccessController.checkPermission(AccessController.java:546)
       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
       at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
       at java.io.File.canRead(File.java:689)
       at org.apache.solr.core.SolrResourceLoader.replaceClassLoader(SolrResourceLoader.java:157)
       at org.apache.solr.core.SolrResourceLoader.addToClassLoader(SolrResourceLoader.java:128)
       at org.apache.solr.core.SolrResourceLoader.<init>(SolrResourceLoader.java:97)
       at org.apache.solr.core.SolrResourceLoader.<init>(SolrResourceLoader.java:195)
       at org.apache.solr.core.Config.<init>(Config.java:93)
       at org.apache.solr.servlet.SolrDispatchFilter.<init>(SolrDispatchFilter.java:65)
       ... 40 more

Re: access denied to solr home lib dir

Yonik Seeley
Maybe ensuring that the full parent path (all parent directories) have
"rx" permissions?

-Yonik
http://www.lucidimagination.com

On Sun, Nov 22, 2009 at 2:59 PM, Charles Moad <[hidden email]> wrote:

>    I have been trying to get a new solr install setup on Ubuntu 9.10
> using tomcat6.  I have tried the solr 1.4 release and the latest svn
> for good measure.  No matter what, I am running into the following
> permission error.  I removed all the lib includes from solrconfig.xml.
> I have created the "/opt/solr/steve/lib" directory and all permissions
> are good.  This directory is optional, but I just cannot get past
> this.  I've installed solr 1.3 many times without running into this on
> redhat boxes.
>
> Thanks,
>    Charlie
>

Re: access denied to solr home lib dir

Charles Moad-2
Check.  I even verified that the tomcat user could create the
directory (i.e. "sudo -u tomcat6 mkdir /opt/solr/steve/lib").  Still
solr complains.

On Sun, Nov 22, 2009 at 10:03 PM, Yonik Seeley <[hidden email]> wrote:

> Maybe ensuring that the full parent path (all parent directories) have
> "rx" permissions?
>
> -Yonik
> http://www.lucidimagination.com
>
> On Sun, Nov 22, 2009 at 2:59 PM, Charles Moad <[hidden email]> wrote:
>>    I have been trying to get a new solr install setup on Ubuntu 9.10
>> using tomcat6.  I have tried the solr 1.4 release and the latest svn
>> for good measure.  No matter what, I am running into the following
>> permission error.  I removed all the lib includes from solrconfig.xml.
>> I have created the "/opt/solr/steve/lib" directory and all permissions
>> are good.  This directory is optional, but I just cannot get past
>> this.  I've installed solr 1.3 many times without running into this on
>> redhat boxes.
>>
>> Thanks,
>>    Charlie
>>

Re: access denied to solr home lib dir

hossman

: Check.  I even verified that the tomcat user could create the
: directory (i.e. "sudo -u tomcat6 mkdir /opt/solr/steve/lib").  Still
: solr complains.

Note that you have an AccessControlException, not a simple
FileNotFoundException ... the error here is coming from File.canRead (when
Solr is asking if it has permission to read the file) but your
ServletContainer evidently has a security policy in place that prevents
solr from even checking (if the security policy allowed it to check, then
it would return true/false based on the actual file permissions)...

http://java.sun.com/j2se/1.4.2/docs/api/java/io/File.html#canRead%28%29

    Tests whether the application can read the file denoted by this
    abstract pathname.

    Returns:
        true if and only if the file specified by this abstract pathname
        exists and can be read by the application; false otherwise
    Throws:
        SecurityException - If a security manager exists and its
        SecurityManager.checkRead(java.lang.String) method denies read
        access to the file

...note that Tomcat doesn't have any special SecurityManager settings that
prevent this by default.  Something about your tomcat deployment must be
specifying specific Security Permission rules.

: >> Caused by: java.security.AccessControlException: access denied
: >> (java.io.FilePermission /opt/solr/steve/./lib read)
: >>       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
: >>       at java.security.AccessController.checkPermission(AccessController.java:546)
: >>       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
: >>       at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
: >>       at java.io.File.canRead(File.java:689)
: >>       at org.apache.solr.core.SolrResourceLoader.replaceClassLoader(SolrResourceLoader.java:157)
: >>       at org.apache.solr.core.SolrResourceLoader.addToClassLoader(SolrResourceLoader.java:128)
: >>       at org.apache.solr.core.SolrResourceLoader.<init>(SolrResourceLoader.java:97)
: >>       at org.apache.solr.core.SolrResourceLoader.<init>(SolrResourceLoader.java:195)
: >>       at org.apache.solr.core.Config.<init>(Config.java:93)
: >>       at org.apache.solr.servlet.SolrDispatchFilter.<init>(SolrDispatchFilter.java:65)
: >>       ... 40 more


-Hoss
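
Added example, not part of the original thread: a Python sketch that extracts the permissions the Java security manager denied from a Tomcat log like the one posted above and renders a candidate policy `grant` block, so the policy can be extended for just those targets. The sample log is constructed from the trace in this thread plus one line in the newer quoted JDK format, and the `codeBase` URL is a hypothetical placeholder for wherever the Solr webapp is deployed.

```python
import posixpath
import re
import shlex

# Constructed sample: the denial from the thread in the old unquoted JDK
# format (wrapped across lines as in the e-mail), plus one line in the
# newer quoted format for a second, made-up path.
SAMPLE_LOG = '''\
SEVERE: Exception starting filter SolrRequestFilter
org.apache.solr.common.SolrException:
java.security.AccessControlException: access denied
(java.io.FilePermission /opt/solr/steve/./lib read)
       at java.io.File.canRead(File.java:689)
Caused by: java.security.AccessControlException: access denied
(java.io.FilePermission /opt/solr/steve/./lib read)
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/solr/steve/conf/solrconfig.xml" "read")
'''

# Matches the parenthesised permission after "access denied".
# Assumption: the target itself contains no parentheses.
DENIAL = re.compile(r"access denied \(([^()]*)\)")


def denied_permissions(log_text):
    """Return sorted, de-duplicated (class, target, actions) tuples."""
    flat = re.sub(r"\s+", " ", log_text)  # undo line wrapping in the log
    found = set()
    for match in DENIAL.finditer(flat):
        body = match.group(1)
        # Newer JDKs quote each field; older ones separate them by spaces.
        parts = shlex.split(body) if '"' in body else body.split()
        if len(parts) < 2:
            continue
        cls = parts[0]
        if len(parts) == 2:           # permission without an actions field
            target, actions = parts[1], ""
        else:                         # last token is the actions list
            target, actions = " ".join(parts[1:-1]), parts[-1]
        if cls == "java.io.FilePermission":
            # Collapse "./" segments so the wrapped and nested copies of
            # one denial do not produce two different grants (POSIX paths).
            target = posixpath.normpath(target)
        found.add((cls, target, actions))
    return sorted(found)


def policy_grant(perms, code_base):
    """Render the denials as a Java policy-file grant block for review."""
    def quote(value):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

    lines = ["grant codeBase %s {" % quote(code_base)]
    for cls, target, actions in perms:
        entry = "    permission %s %s" % (cls, quote(target))
        if actions:
            entry += ", " + quote(actions)
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical codeBase; adjust to the real location of the webapp.
    print(policy_grant(denied_permissions(SAMPLE_LOG),
                       "file:${catalina.base}/webapps/solr/-"))
```

Startup stops at the first denial, so a log usually shows one missing permission per run; the output is a starting point to review, not a complete policy.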

Re: access denied to solr home lib dir

Charles Moad-2
     Thank you all for the insight into this problem.  I was 100%
positive that selinux and file permissions were not the problems.
Turns out that tomcat 6 on ubuntu comes with a tomcat security manager
enabled by default.  I had no desire to figure out how this works
since this is for local testing.  I did find you could simply set
"TOMCAT6_SECURITY=no" in "/etc/default/tomcat6".  Restarting tomcat
after that fixed my problems.

Thanks again,
     Charlie

On Mon, Nov 23, 2009 at 4:38 PM, Chris Hostetter
<[hidden email]> wrote:

>
> : Check.  I even verified that the tomcat user could create the
> : directory (i.e. "sudo -u tomcat6 mkdir /opt/solr/steve/lib").  Still
> : solr complains.
>
> Note that you have an AccessControlException, not a simple
> FileNotFoundException ... the error here is coming from File.canRead (when
> Solr is asking if it has permission to read the file) but your
> ServletContainer evidently has a security policy in place that prevents
> solr from even checking (if the security policy allowed it to check, then
> it would return true/false based on the actual file permissions)...
>
> http://java.sun.com/j2se/1.4.2/docs/api/java/io/File.html#canRead%28%29
>
>    Tests whether the application can read the file denoted by this
>    abstract pathname.
>
>    Returns:
>        true if and only if the file specified by this abstract pathname
>        exists and can be read by the application; false otherwise
>    Throws:
>        SecurityException - If a security manager exists and its
>        SecurityManager.checkRead(java.lang.String) method denies read
>        access to the file
>
> ...note that Tomcat doesn't have any special SecurityManager settings that
> prevent this by default.  Something about your tomcat deployment must be
> specifying specific Security Permission rules.
>
> : >> Caused by: java.security.AccessControlException: access denied
> : >> (java.io.FilePermission /opt/solr/steve/./lib read)
> : >>       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> : >>       at java.security.AccessController.checkPermission(AccessController.java:546)
> : >>       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> : >>       at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
> : >>       at java.io.File.canRead(File.java:689)
> : >>       at org.apache.solr.core.SolrResourceLoader.replaceClassLoader(SolrResourceLoader.java:157)
> : >>       at org.apache.solr.core.SolrResourceLoader.addToClassLoader(SolrResourceLoader.java:128)
> : >>       at org.apache.solr.core.SolrResourceLoader.<init>(SolrResourceLoader.java:97)
> : >>       at org.apache.solr.core.SolrResourceLoader.<init>(SolrResourceLoader.java:195)
> : >>       at org.apache.solr.core.Config.<init>(Config.java:93)
> : >>       at org.apache.solr.servlet.SolrDispatchFilter.<init>(SolrDispatchFilter.java:65)
> : >>       ... 40 more
>
>
> -Hoss
>