plugin requires additional permissions

[ftyuuu]

Hi, i meet this problem when i install a plugin.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.net.SocketPermission * connect,resolve
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Exception in thread "main" java.lang.IllegalStateException: unable to read from standard input; is standard input open and a tty attached?
	at org.elasticsearch.cli.Terminal$SystemTerminal.readText(Terminal.java:173)
	at org.elasticsearch.plugins.PluginSecurity.prompt(PluginSecurity.java:74)
	at org.elasticsearch.plugins.PluginSecurity.confirmPolicyExceptions(PluginSecurity.java:67)
	at org.elasticsearch.plugins.InstallPluginCommand.installPlugin(InstallPluginCommand.java:811)
	at org.elasticsearch.plugins.InstallPluginCommand.install(InstallPluginCommand.java:785)
	at org.elasticsearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:231)
	at org.elasticsearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:216)
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
	at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
	at org.elasticsearch.cli.Command.main(Command.java:90)
	at org.elasticsearch.plugins.PluginCli.main(PluginCli.java:47)

the initContainers's code is:

initContainers:
- name: install-plugins
  securityContext:
      privileged: true
  command: ['sh', '-c', 'bin/elasticsearch-plugin install https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v6.8.4/elasticsearch-analysis-ik-6.8.4.zip']

i also see the #1801 , but not found clear solutions and i don't want to make custom images? What should i do?

[anyasabo]

Hello,
If you add the --batch flag as described in the docs here:
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-init-containers-plugin-downloads.html
You should be able to to bypass the prompt. It is expecting you to accept the additional permissions, but there's no tty attached.

[ftyuuu]

@anyasabo Thank you very much for your reply!

[mooreniemi]

I'm sorry to revive a closed issue, but I don't find --batch or prepending with yes | ... to be working, I still see the warning. Is this only supported in some versions, but not all?

I even tried this in a Dockerfile but still see warning:

FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.13
RUN bin/elasticsearch-plugin install --batch repository-s3

Digest: sha256:dca6a75fb0db7ff2ca7d1e18797f0936ef7e2e7e02ad253ae648292639c1ff82
Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:6.8.13
 ---> a7e1d4b5ee81
Step 2/2 : RUN bin/elasticsearch-plugin install --batch repository-s3
 ---> Running in 894afa3e90c4
-> Downloading repository-s3 from elastic
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.net.SocketPermission * connect,resolve
* java.util.PropertyPermission es.allow_insecure_settings read,write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
-> Installed repository-s3
Removing intermediate container 894afa3e90c4
 ---> 141b1ffe3281
Successfully built 141b1ffe3281

[edwardsmit]

I'm sorry to revive a closed issue, but I don't find --batch or prepending with yes | ... to be working, I still see the warning. Is this only supported in some versions, but not all?

Adding --batch won't remove the Warning. It does however removes the Exception as described by @ftyuuu
The Exception will block usage of the container, the Warning is just what it is, a Warning, you can use the created Docker image as usual.

[ghost]

Unfortunately not work to me, after follow these steps: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-init-containers-plugin-downloads.html.
And specify the securityContext: privilege: true the elastic pod starts crashloopback because of privileges:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elastic-test
spec:
  version: 7.10.1
  http:
    tls:
      selfSignedCertificate:
        disabled: true
  nodeSets:
  - name: default
    count: 1
    config:
      node.store.allow_mmap: false
    podTemplate:
      metadata:
        annotations:
          traffic.sidecar.istio.io/includeInboundPorts: "*"
          traffic.sidecar.istio.io/excludeOutboundPorts: "9300,443" 
          traffic.sidecar.istio.io/excludeInboundPorts: "9300"
      spec:
        automountServiceAccountToken: true
        initContainers:
          - name: install-plugins
            securityContext:
              privileged: true
            command: ['sh', '-c', 'bin/elasticsearch-plugin install --batch repository-s3']

Follow my logs:

Elastic Pod:

Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/config/repository-s3
Likely root cause: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/config/repository-s3
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:431)
	at java.base/java.nio.file.Files.newDirectoryStream(Files.java:476)
	at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:300)
	at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:373)
	at java.base/java.nio.file.Files.walkFileTree(Files.java:2840)
	at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:220)
	at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:129)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:354)
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170)
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161)
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
	at org.elasticsearch.cli.Command.main(Command.java:90)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
For complete error details, refer to the log at /usr/share/elasticsearch/logs/elastic-test.log

[sebgl]

@weydersantos I think what you experience is similar to #3934.

[ghost]

@weydersantos I think what you experience is similar to #3934.

@sebgl thankful bro, I'm rolback Elasticsearch version to 7.9.3and works fine.