IBM Support

SCRIPTING_04 - Script sent record to error: java.security.AccessControlException: access denied

Troubleshooting


Problem

Java Access Control system, which is enabled by default on SDC, is preventing Groovy code access to the external directory from the SDC resources directory.

The Java Security Manager is a security component of the Java Runtime Environment (JRE) that controls the permissions granted to the code running within the Java Virtual Machine (JVM). When using Java 8, the Data Collector includes a Java Security Manager enabled by default. The Security Manager maintains a security policy file that defines the permissions and restrictions for various types of Java code, such as applets, Java Web Start applications, and server-side Java applications. When a Java application attempts to access system resources, such as files, network sockets, or system properties, the Security Manager consults the security policy file to determine whether the access is allowed or not.

  • In such case we can get a stage error or error record with the following message:

SCRIPTING_04 - Script sent record to error:  java.security.AccessControlException: access denied ("java.io.FilePermission" "/data1/resources/" "read").

Symptom

A Groovy stage generates a ‘java.security.AccessControlException’ error record when it tries to read records or information from an external file on the file system.

Resolving The Problem

There are two possible solutions to solve this error.

Solution 1 (recommended)

  • For ‘java.security.AccessControlException’ error edit the SDC config file '${SDC_CONFIG}/sdc-security.policy', add the content indicated below for each external directory the Grovy code needs access, and restart SDC service.

  • In the following example, we are telling Java Access Control to allow read permissions for reading files from directories ‘/data1/resources/' and '/data2/resources/'. 

grant codebase "file:/groovy/script" {
...
  permission java.io.FilePermission "/data1/resources/*", "read";
  permission java.io.FilePermission "/data2/resources/*", "read";
  permission java.util.PropertyPermission "file.encoding", "read";

Solution 2

  • Although the recommendation is to tune the required permissions on the file ‘sdc-security.policy' to solve this kind of issue, if you are experiencing continuous and different errors related to Java Security Manager, you can consider disabling Java Security Manager. To disable the Java Security Manager edit the file '$SDC_HOME/libexec/sdc-env.sh', add the following command to the bottom of the file, and restart the SDC service. For Cloudera SDC installation you will have to do this change from Cloudera Manager, editing the environment variables for the file 'sdc-env.sh'.

export SDC_SECURITY_MANAGER_ENABLED="false""

  • To know if the Java Security Manager is enabled or not you have to run the following command on the SDC server and check if the output of the command appears the string '-Djava.security.manager'. If you see it, the Security Manager is enabled. If not, then it's disabled.

ps aux | grep jav[a]

Document Location

Worldwide

[{"Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSM7CU","label":"IBM StreamSets Data Collector"},"ARM Category":[{"code":"","label":""}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
15 March 2025

UID

ibm17186099

Page Feedback