Startup exception reading custom role mapper files #112503

@thecoop

Description

If a custom role mapper file exists, configured by the xpack.security.authc.realms.*.files.role_mapping configuration option, Elasticsearch will not start, with the following exception:

[ERROR][o.e.x.s.a.s.DnRoleMapper ] [<hostname>] failed to parse role mappings file [<role mapper file>]. skipping/removing all mappings...
java.security.AccessControlException: access denied ("java.io.FilePermission" "<role mapper file>" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:488) ~[?:?]
at java.security.AccessController.checkPermission(AccessController.java:1085) ~[?:?]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:411) ~[?:?]
at java.lang.SecurityManager.checkRead(SecurityManager.java:742) ~[?:?]
at sun.nio.fs.UnixChannelFactory.open(UnixChannelFactory.java:246) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:133) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:146) ~[?:?]
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:259) ~[?:?]
at java.nio.file.Files.newByteChannel(Files.java:379) ~[?:?]
at java.nio.file.Files.newByteChannel(Files.java:431) ~[?:?]
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]
at java.nio.file.Files.newInputStream(Files.java:159) ~[?:?]
at org.elasticsearch.common.settings.Settings$Builder.loadFromPath(Settings.java:1223) ~[elasticsearch-8.15.0.jar:?]
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.parseFile(DnRoleMapper.java:117) ~[?:?]
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.parseFileLenient(DnRoleMapper.java:88) ~[?:?]
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.lambda$new$0(DnRoleMapper.java:65) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:319) ~[?:?]
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.<init>(DnRoleMapper.java:64) ~[?:?]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.<init>(LdapRealm.java:80) ~[?:?]
at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$3(InternalRealms.java:152) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:303) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:112) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:892) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:740) ~[?:?]
at org.elasticsearch.node.NodeConstruction.lambda$construct$13(NodeConstruction.java:868) ~[elasticsearch-8.15.0.jar:?]
at org.elasticsearch.plugins.PluginsService.lambda$flatMap$1(PluginsService.java:253) ~[elasticsearch-8.15.0.jar:?]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:288) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:212) ~[?:?]
at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:556) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:546) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:622) ~[?:?]
at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:291) ~[?:?]
at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:631) ~[?:?]
at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:637) ~[?:?]
at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:642) ~[?:?]
at org.elasticsearch.node.NodeConstruction.construct(NodeConstruction.java:868) ~[elasticsearch-8.15.0.jar:?]
at org.elasticsearch.node.NodeConstruction.prepareConstruction(NodeConstruction.java:270) ~[elasticsearch-8.15.0.jar:?]
at org.elasticsearch.node.Node.<init>(Node.java:192) ~[elasticsearch-8.15.0.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:242) ~[elasticsearch-8.15.0.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:242) ~[elasticsearch-8.15.0.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:76) ~[elasticsearch-8.15.0.jar:?]

This is due to a refactoring in the security manager code in 8.15.0, significantly locking down access within Elasticsearch to files specified with that configuration option.

As a workaround, custom role mappings can be configured using the REST API.
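One way to carry out the workaround mentioned above, as an added example that is not code from the issue or from Elasticsearch: a Python script that parses the simple list-of-DNs format used by a role_mapping.yml file and emits the equivalent request bodies for the role mapping REST API (PUT /_security/role_mapping/<name>). The sample file content, the `file-` name prefix and the decision to match each DN as both a user DN and a group DN (the file format does not distinguish the two) are assumptions made here, not something the issue states.

```python
"""Convert a DN role-mapping file (role_mapping.yml style) into request bodies
for the role mapping REST API. Added example; not code from the issue or from
Elasticsearch.

Only the simple shape the DN role mapper reads is handled, so no YAML library
is needed:

    role_name:
      - "cn=group,ou=groups,dc=example,dc=com"
      - "cn=user,ou=people,dc=example,dc=com"

Blank lines and lines starting with '#' are skipped; anything else raises.
"""
import json
import re

# Constructed sample of a role mapping file (not taken from the issue).
SAMPLE_ROLE_MAPPING_FILE = """\
# roles are mapped to LDAP/AD distinguished names
monitoring:
  - "cn=admins,ou=groups,dc=example,dc=com"
  - 'cn=ops,ou=groups,dc=example,dc=com'
user:
  - "cn=John Doe,ou=people,dc=example,dc=com"
"""

# "role_name:" at column 0, nothing else on the line
_KEY_RE = re.compile(r'^([^\s#][^:]*):\s*$')
# indented "- <dn>" list item
_ITEM_RE = re.compile(r'^\s+-\s*(.+?)\s*$')


def parse_role_mapping(text):
    """Return {role_name: [dn, ...]} for the simple list-of-DNs file format."""
    mappings = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = _KEY_RE.match(raw)
        if m:
            current = m.group(1).strip()
            mappings.setdefault(current, [])
            continue
        m = _ITEM_RE.match(raw)
        if m and current is not None:
            dn = m.group(1)
            # strip one layer of matching single or double quotes
            if len(dn) >= 2 and dn[0] == dn[-1] and dn[0] in '"\'':
                dn = dn[1:-1]
            mappings[current].append(dn)
            continue
        raise ValueError(f"line {lineno}: unsupported syntax: {raw!r}")
    return mappings


def to_role_mapping_requests(mappings, name_prefix="file-"):
    """Build one (path, body) pair per role for PUT /_security/role_mapping/<name>.

    The file format does not say whether a DN names a user or a group, so each
    DN is matched against the user's DN and against the user's group DNs, and
    the mapping applies if any of those rules matches.
    """
    requests = []
    for role, dns in mappings.items():
        rules = []
        for dn in dns:
            rules.append({"field": {"dn": dn}})
            rules.append({"field": {"groups": dn}})
        body = {"roles": [role], "enabled": True, "rules": {"any": rules}}
        requests.append((f"PUT /_security/role_mapping/{name_prefix}{role}", body))
    return requests


if __name__ == "__main__":
    parsed = parse_role_mapping(SAMPLE_ROLE_MAPPING_FILE)
    for path, body in to_role_mapping_requests(parsed):
        print(path)
        print(json.dumps(body, indent=2))
```

Each printed body can be sent as-is to the cluster with the listed PUT path; because the API-defined mappings are stored in the security index rather than read from disk at startup, they are unaffected by the file permission failure in the stack trace.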
