From f517e7a56fb42fb47e242a2edd93caed4af7c1c7 Mon Sep 17 00:00:00 2001
From: Tim Brooks
Date: Tue, 21 Feb 2017 14:08:06 -0600
Subject: [PATCH 1/3] Wrap getCredentials() in a doPrivileged() block

This commit fixes an issue that was missed in #22534. `AWSCredentialsProvider.getCredentials()` appears to potentially open a socket connect. This operation needed to be wrapped in `doPrivileged()`. This should fix issue #23271.
---
 .../org/elasticsearch/cloud/aws/InternalAwsS3Service.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
index cafcb6b98f044..9e448666939bc 100644
--- a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
+++ b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
@@ -35,6 +35,7 @@
 import com.amazonaws.services.s3.S3ClientOptions;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.cloud.aws.util.SocketAccess;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
@@ -67,7 +68,8 @@ public synchronized AmazonS3 client(Settings repositorySettings, Integer maxRetr
 AWSCredentialsProvider credentials = buildCredentials(logger, deprecationLogger, settings, repositorySettings, clientName);
- Tuple clientDescriptor = new Tuple<>(foundEndpoint, credentials.getCredentials().getAWSAccessKeyId());
+ String awsAccessKeyId = SocketAccess.doPrivileged(() -> credentials.getCredentials().getAWSAccessKeyId());
+ Tuple clientDescriptor = new Tuple<>(foundEndpoint, awsAccessKeyId);
 AmazonS3Client client = clients.get(clientDescriptor);
 if (client != null) {
 return client;
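Review bot: The privileged `getCredentials()` call on the added `String awsAccessKeyId = SocketAccess.doPrivileged(...)` line still executes inside `client(...)`, which the hunk header shows is `synchronized`, so if the provider really does open a socket (per the commit message, presumably to the instance metadata service) a slow or unreachable endpoint holds the service-wide lock for the SDK's connect and read timeouts and stalls every other repository that needs a client. That cost is not new, but since this lambda is the only privileged region the commit adds, it deserves a comment at the call site, e.g. `// may contact the instance metadata service while holding the service lock; elevated so the socket permission check passes under the security manager`. The lambda also runs `getAWSAccessKeyId()` under elevated permissions although only `getCredentials()` needs them; keeping the privileged region to one call, `AWSCredentials creds = SocketAccess.doPrivileged(credentials::getCredentials);`, and passing `creds.getAWSAccessKeyId()` into the existing `new Tuple<>(...)` is cheaper to audit (it needs `com.amazonaws.auth.AWSCredentials` imported). `client(...)` starts and continues outside the hunk.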
From 9544e2257da44eab80e7fb6547a4b72a922ee999 Mon Sep 17 00:00:00 2001
From: Tim Brooks
Date: Tue, 21 Feb 2017 15:25:03 -0600
Subject: [PATCH 2/3] Wrap all calls to AWSCredentialsProvider with doPrivileged blocks

---
 .../cloud/aws/InternalAwsS3Service.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
index 9e448666939bc..99ed4876f49e3 100644
--- a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
+++ b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
@@ -25,6 +25,7 @@
 import com.amazonaws.ClientConfiguration;
 import com.amazonaws.Protocol;
+import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.auth.BasicAWSCredentials;
 import com.amazonaws.auth.InstanceProfileCredentialsProvider;
@@ -68,8 +69,7 @@ public synchronized AmazonS3 client(Settings repositorySettings, Integer maxRetr
 AWSCredentialsProvider credentials = buildCredentials(logger, deprecationLogger, settings, repositorySettings, clientName);
- String awsAccessKeyId = SocketAccess.doPrivileged(() -> credentials.getCredentials().getAWSAccessKeyId());
- Tuple clientDescriptor = new Tuple<>(foundEndpoint, awsAccessKeyId);
+ Tuple clientDescriptor = new Tuple<>(foundEndpoint, credentials.getCredentials().getAWSAccessKeyId());
 AmazonS3Client client = clients.get(clientDescriptor);
 if (client != null) {
 return client;
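Review bot: The added `Tuple clientDescriptor = new Tuple<>(foundEndpoint, credentials.getCredentials().getAWSAccessKeyId());` line calls `getCredentials()` with no privileged block of its own, so it is only safe because `buildCredentials(...)`, changed in another hunk of this commit, now returns a provider that performs the `doPrivileged` internally; nothing at this call site records that contract. Whoever later returns a provider from `buildCredentials` without the wrapper would silently reintroduce the security-manager denial this series is fixing, and the only remaining hint is the `SocketAccess` import far above. Add a one-line comment above the call, e.g. `// getCredentials() may open a socket; buildCredentials() returns a provider that already runs it under SocketAccess.doPrivileged`. `client(...)` starts and continues outside the hunk.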
@@ -158,7 +158,17 @@ public static AWSCredentialsProvider buildCredentials(Logger logger, Deprecation
 }
 }
- return credentials;
+ return new AWSCredentialsProvider() {
+ @Override
+ public AWSCredentials getCredentials() {
+ return SocketAccess.doPrivileged(credentials::getCredentials);
+ }
+
+ @Override
+ public void refresh() {
+ SocketAccess.doPrivilegedVoid(credentials::refresh);
+ }
+ };
 }
 // pkg private for tests

From ee88434709c0e5b514ec1b8089da322bb797c5bc Mon Sep 17 00:00:00 2001
From: Tim Brooks
Date: Tue, 21 Feb 2017 22:09:10 -0600
Subject: [PATCH 3/3] Only wrap InstanceProfileCredentialsProvider

---
 .../cloud/aws/InternalAwsS3Service.java | 28 +++++++++----------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
index 99ed4876f49e3..ce47bd44f0b28 100644
--- a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
+++ b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
@@ -143,7 +143,6 @@ static ClientConfiguration buildConfiguration(Logger logger, Settings repository
 public static AWSCredentialsProvider buildCredentials(Logger logger, DeprecationLogger deprecationLogger, Settings settings, Settings repositorySettings, String clientName) {
- AWSCredentialsProvider credentials;
 try (SecureString key = getConfigValue(repositorySettings, settings, clientName, S3Repository.ACCESS_KEY_SETTING, S3Repository.Repository.KEY_SETTING, S3Repository.Repositories.KEY_SETTING); SecureString secret = getConfigValue(repositorySettings, settings, clientName, S3Repository.SECRET_KEY_SETTING,
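Review bot: The wrapper returned on the added `return new AWSCredentialsProvider() {` lines elevates `getCredentials()` and `refresh()` for whichever provider was built above it, including the `StaticCredentialsProvider` path that only hands back an in-memory key/secret and has no reason to run under `SocketAccess.doPrivileged`; a privileged region should cover only the code that needs the permission, so wrap the instance-profile provider alone and return the static one unchanged. Either way the wrapper needs a comment saying why it exists, e.g. `// the wrapped provider may fetch credentials from the instance metadata service over a socket, which the security manager only allows from inside SocketAccess.doPrivileged`, otherwise it reads as dead indirection that the next cleanup removes. Wrapping `refresh()` as well is right if refresh contacts the same endpoint, which is worth confirming against the SDK version in use. `buildCredentials` begins outside the hunk.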
@@ -151,24 +150,23 @@ public static AWSCredentialsProvider buildCredentials(Logger logger, Deprecation
 if (key.length() == 0 && secret.length() == 0) {
 logger.debug("Using instance profile credentials");
- credentials = new InstanceProfileCredentialsProvider();
+ AWSCredentialsProvider credentials = new InstanceProfileCredentialsProvider();
+ return new AWSCredentialsProvider() {
+ @Override
+ public AWSCredentials getCredentials() {
+ return SocketAccess.doPrivileged(credentials::getCredentials);
+ }
+
+ @Override
+ public void refresh() {
+ SocketAccess.doPrivilegedVoid(credentials::refresh);
+ }
+ };
 } else {
 logger.debug("Using basic key/secret credentials");
- credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
+ return new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
 }
 }
-
- return new AWSCredentialsProvider() {
- @Override
- public AWSCredentials getCredentials() {
- return SocketAccess.doPrivileged(credentials::getCredentials);
- }
-
- @Override
- public void refresh() {
- SocketAccess.doPrivilegedVoid(credentials::refresh);
- }
- };
 }
 // pkg private for tests
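Review bot: The privileged wrapper on the added `return new AWSCredentialsProvider() {` … `};` lines carries no comment explaining why `getCredentials()` and `refresh()` run under `SocketAccess.doPrivileged`, so a reader cannot tell that dropping it breaks instance-profile authentication under the security manager (the reason given in the first commit message of this series) rather than merely simplifying the code. Document the reason on the wrapper, e.g. `// InstanceProfileCredentialsProvider fetches (and refreshes) credentials from the instance metadata service over a socket; the plugin is only permitted to open that socket inside SocketAccess.doPrivileged`. Leaving the `StaticCredentialsProvider` branch unwrapped is the right least-privilege call since it only holds the key/secret in memory, and a short `// in-memory key/secret: no network access, so no privileged block needed` makes the asymmetry visibly deliberate. Note that `key.toString()`/`secret.toString()` on the new `return new StaticCredentialsProvider(...)` line copy the `SecureString` contents into immutable `String`s that live as long as the credentials object, which is inherent to `BasicAWSCredentials` but worth a comment so nobody assumes the enclosing try-with-resources scrubs the secret. The method's signature and try-with-resources header lie outside this hunk.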