Confusing File Permission Problem

Tue, 01 Jul 2025 07:11:51 -0700 

Hello,
I have a file permission problem creating up backups with my little test Solr cluster, according to https://solr.apache.org/guide/solr/latest/deployment-guide/collection-management.html#backup. 


Every time I try to pull a backup I get an error.

Command:
$ sudo -u solr curl 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=book_20250701&collection=book&location=file%3A%2F%2F%2Fmnt%2Fbms%2Fsolr_cluster_backups' 

Log entry:
2025-07-01 13:50:28.844 ERROR (qtp1275009283-23-beta.intern-645) [c:book s: r: x: t:beta.intern-645] o.a.s.h.RequestHandlerBase Server exception => java.security.AccessControlException: access denied ("java.io.Fi 
lePermission" "/mnt/bms/solr_cluster_backups" "read")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) 
(etc. see attachment for full stack trace.)


That does not make sense.
It's a trio of Solr 9.8.1 servers running on Ubuntu 22.04 using OpenJDK 11. The server runs as user "solr", which is uid 119 all three servers, typically using systemd, but the problem persists even if I start the server by hand using "/opt/solr/bin/solr start --cloud".
On all three servers there is a directory /mnt/bms/solr_cluster_backups, where /mnt/bms is a share from the local NAS. The directory /mnt/bms/solr_clusterbackups is owned by solr and the permissions are set to "chown 0777 /mnt/bms/solr_cluster_backups". 

I have have verified the following:
* The user "solr" is able to write into the directory on each of the three servers using "touch /mnt/bms/solr_cluster_backups".
* Usually I run Solr using SystemD. To exclude the possibility that SystemD is the problem, I ran Solr by hand and the problem persists.
* I have written a little Java program to check whether java.nio.files.Files.exist() always yields an exception if called by the "solr" user on any one of the three servers. The answer is: No, it doesn't. See the attached java source code.
* I have checked whether the problem is related to apparmor, but it isn't. sudo systemctl status apparmor.service yields a: "Unit apparmor.service could not be found." 

* I haven't configured any security for Solr of for Zookeeper.

So, for some funny


2025-07-01 13:50:28.844 ERROR (qtp1275009283-23-beta.intern-645) [c:book s: r: 
x: t:beta.intern-645] o.a.s.h.RequestHandlerBase Server exception => 
java.security.AccessControlException: access denied ("java.io.FilePermission" 
"/mnt/bms/solr_cluster_backups" "read")
        at 
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
java.security.AccessControlException: access denied ("java.io.FilePermission" 
"/mnt/bms/solr_cluster_backups" "read")
        at 
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
 ~[?:?]
        at 
java.base/java.security.AccessController.checkPermission(AccessController.java:897)
 ~[?:?]
        at 
java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322) 
~[?:?]
        at 
java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661) ~[?:?]
        at java.base/sun.nio.fs.UnixPath.checkRead(UnixPath.java:818) ~[?:?]
        at 
java.base/sun.nio.fs.UnixFileSystemProvider.exists(UnixFileSystemProvider.java:525)
 ~[?:?]
        at java.base/java.nio.file.Files.exists(Files.java:2435) ~[?:?]
        at 
org.apache.solr.core.backup.repository.LocalFileSystemRepository.exists(LocalFileSystemRepository.java:103)
 ~[?:?]
        at 
org.apache.solr.handler.admin.api.BackupAPIBase.ensureBackupLocationExists(BackupAPIBase.java:86)
 ~[?:?]
        at 
org.apache.solr.handler.admin.api.BackupAPIBase.getAndValidateBackupLocation(BackupAPIBase.java:101)
 ~[?:?]
        at 
org.apache.solr.handler.admin.api.BackupAPIBase.getAndValidateBackupLocation(BackupAPIBase.java:45)
 ~[?:?]
        at 
org.apache.solr.handler.admin.api.CreateCollectionBackup.createCollectionBackup(CreateCollectionBackup.java:98)
 ~[?:?]
        at 
org.apache.solr.handler.admin.api.CreateCollectionBackup.invokeFromV1Params(CreateCollectionBackup.java:173)
 ~[?:?]
        at 
org.apache.solr.handler.admin.CollectionsHandler$CollectionOperation.lambda$static$32(CollectionsHandler.java:1066)
 ~[?:?]
        at 
org.apache.solr.handler.admin.CollectionsHandler$CollectionOperation.execute(CollectionsHandler.java:1264)
 ~[?:?]
        at 
org.apache.solr.handler.admin.CollectionsHandler.invokeAction(CollectionsHandler.java:321)
 ~[?:?]
        at 
org.apache.solr.handler.admin.CollectionsHandler.handleRequestBody(CollectionsHandler.java:299)
 ~[?:?]
        at 
org.apache.solr.handler.RequestHandlerBase.handleRequest(RequestHandlerBase.java:228)
 ~[?:?]
        at 
org.apache.solr.servlet.HttpSolrCall.handleAdmin(HttpSolrCall.java:940) ~[?:?]
        at 
org.apache.solr.servlet.HttpSolrCall.handleAdminRequest(HttpSolrCall.java:894) 
~[?:?]
        at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:555) 
~[?:?]
        at 
org.apache.solr.servlet.SolrDispatchFilter.dispatch(SolrDispatchFilter.java:241)
 ~[?:?]
        at 
org.apache.solr.servlet.SolrDispatchFilter.lambda$doFilterRetry$0(SolrDispatchFilter.java:198)
 ~[?:?]
        at 
org.apache.solr.servlet.ServletUtils.traceHttpRequestExecution2(ServletUtils.java:227)
 ~[?:?]
        at 
org.apache.solr.servlet.ServletUtils.rateLimitRequest(ServletUtils.java:197) 
~[?:?]
        at 
org.apache.solr.servlet.SolrDispatchFilter.doFilterRetry(SolrDispatchFilter.java:192)
 ~[?:?]
        at 
org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:181)
 ~[?:?]
        at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:97) 
~[jetty-servlet-api-4.0.6.jar:?]
        at 
org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210) 
~[jetty-servlet-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
 ~[jetty-servlet-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) 
~[jetty-servlet-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:598) 
~[jetty-security-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) 
~[jetty-servlet-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:149)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.InetAccessHandler.handle(InetAccessHandler.java:228)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:141)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:301)
 ~[jetty-rewrite-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) 
~[jetty-server-10.0.22.jar:10.0.22]
        at org.eclipse.jetty.server.Server.handle(Server.java:563) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
 ~[jetty-server-10.0.22.jar:10.0.22]
        at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753) 
~[jetty-server-10.0.22.jar:10.0.22]
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287) 
~[jetty-server-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
 ~[jetty-io-10.0.22.jar:10.0.22]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) 
~[jetty-io-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
 ~[jetty-io-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
 ~[jetty-util-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
 ~[jetty-util-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
 ~[jetty-util-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
 ~[jetty-util-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
 ~[jetty-util-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
 ~[jetty-util-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
 ~[jetty-util-10.0.22.jar:10.0.22]
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
 ~[jetty-util-10.0.22.jar:10.0.22]
        at java.base/java.lang.Thread.run(Thread.java:829) [?:?]

import java.nio.file.Files;
import java.nio.file.Path;

class FindFile {
    public static void main(String[] args) {
        if (Files.exists(Path.of(args[0]))) {
            System.out.println("File " + args[0] + " found.\n");
        } else {
            System.out.println("File " + args[0] + " does not exist.");
        }
    }
}

Reply via email to