Summary
Dremio may exit on startup with an error related to insufficient permissions on the security folder. This issue occurs when the security folder and its contents are not owned by the Dremio service user or have overly permissive access rights.
Reported Issue
Dremio exits on startup with an error stack that includes the following lines:
...
java.lang.RuntimeException: java.security.GeneralSecurityException: Directory /opt/dremio/data/security is not accessible to owner only
at com.dremio.dac.daemon.DACDaemonModule.build(DACDaemonModule.java:494)
at com.dremio.dac.daemon.EnterpriseDACDaemonModule.build(EnterpriseDACDaemonModule.java:316)
at com.dremio.dac.daemon.DACDaemon.<init>(DACDaemon.java:189)
at com.dremio.dac.daemon.DACDaemon.newDremioDaemon(DACDaemon.java:316)
at com.dremio.dac.daemon.DACDaemon.newDremioDaemon(DACDaemon.java:324)
at com.dremio.dac.daemon.DremioDaemon.main(DremioDaemon.java:103)
Caused by: java.security.GeneralSecurityException: Directory /opt/dremio/data/security is not accessible to owner only
at com.dremio.security.SecurityFolder.checkSecurity(SecurityFolder.java:200)
at com.dremio.security.SecurityFolder.checkPathPermissions(SecurityFolder.java:193)
at com.dremio.security.SecurityFolder.checkDirectoryPermissions(SecurityFolder.java:184)
at com.dremio.security.SecurityFolder.<init>(SecurityFolder.java:80)
at com.dremio.security.SecurityFolder.of(SecurityFolder.java:76)
at com.dremio.exec.rpc.ssl.SSLConfigurator.getSSLConfig(SSLConfigurator.java:143)
at com.dremio.dac.daemon.DACDaemonModule.build(DACDaemonModule.java:491)
... 5 common frames omitted
Dremio is exiting. Failure while starting services.
As the GeneralSecurityException suggests, the problem is caused by insufficiently restrictive access to the Dremio security folder.
Relevant Versions
Dremio software versions with the dremio-admin encryption utility (v16+).
Troubleshooting Steps
Check the permissions on the security folder identified in the error message.
Cause
When you use the dremio-admin encryption utility to encrypt passwords/secrets that are referenced in your Dremio configuration files, it generates a security subdirectory (folder) under ${DREMIO_HOME} and places the encryption key there. The directory and its contents must be owned by the Linux user running the Dremio process and that user's associated group, and access must be restricted to them. The problem arises if the owner is not the Dremio service user, or if access has been made less restrictive. The ownership problem can be caused by running the encryption utility as root rather than as the Dremio service user.
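The ownership and permission conditions described above can be checked before starting the service. This is an added example, not Dremio's own code and not a reimplementation of its SecurityFolder check; it assumes GNU find and stat on Linux, and the function name check_security_dir is hypothetical.

```shell
#!/bin/sh
# Added example: audit a Dremio security directory before starting the service.
# Assumes GNU find/stat. check_security_dir is a hypothetical helper name.
#
# Usage: check_security_dir DIR USER
#   e.g. check_security_dir /opt/dremio/data/security dremio
# Prints one line per finding. Returns 0 if clean, 1 if findings, 2 if the
# directory could not be inspected (missing, unreadable, unknown user).
check_security_dir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir is not a directory"
        return 2
    fi
    # Paths not owned by the service user, for example files created by
    # running the encryption utility as root.
    bad_owner=$(find "$dir" ! -user "$user" \
        -exec stat -c 'OWNER %n is owned by %U, expected the service user' {} +) || return 2
    # Paths with any group or other permission bit set (not owner-only).
    # Symlinks are skipped because their mode bits are always 777.
    bad_mode=$(find "$dir" ! -type l -perm /077 \
        -exec stat -c 'MODE %n has mode %a, group/other access must be removed' {} +) || return 2
    if [ -n "$bad_owner" ]; then printf '%s\n' "$bad_owner"; fi
    if [ -n "$bad_mode" ]; then printf '%s\n' "$bad_mode"; fi
    [ -z "$bad_owner$bad_mode" ]
}
```

Run it with enough privilege to read the directory (for example via sudo as the Dremio service user); a return code of 2 means the directory could not be inspected, not that it is clean.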
Steps to Resolve
Change the ownership (back) to the Dremio service user and change the permissions so the security directory and its contents can only be accessed by that user.
In the following example, the user running Dremio is simply called "dremio", and ${DREMIO_HOME} is /var/lib/dremio. The security folder contains a single file: credentials.p12
# chown runs as root: a non-root user cannot take ownership of a directory owned by another user
$ sudo chown dremio:dremio /var/lib/dremio/security
$ sudo -u dremio chmod 700 /var/lib/dremio/security
$ ls -l /var/lib/dremio
drwxr-xr-x. 6 dremio dremio 80 Jul 9 04:23 db
drwxr-xr-x. 8 dremio dremio 103 May 18 2023 pdfs
drwx------. 2 dremio dremio 29 Jul 9 04:04 security
drwxr-xr-x. 3 dremio dremio 72 May 18 2023 spill
drwxr-xr-x. 3 dremio dremio 23 Jul 9 04:23 zk
$ sudo chown dremio:dremio /var/lib/dremio/security/credentials.p12
$ sudo -u dremio chmod 600 /var/lib/dremio/security/credentials.p12
$ sudo -u dremio ls -l /var/lib/dremio/security/credentials.p12
-rw-------. 1 dremio dremio 313 Jul 9 04:04 /var/lib/dremio/security/credentials.p12