honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13538 from rmuir/puff_on_this_aws 

Hack around aws security hole of accessing sun.security.ssl, s3 repository works on java 9 again
This commit is contained in:
Robert Muir 2015-09-12 17:03:27 -04:00
parent e1efd5f6ba 174ca77ebf
commit 39ecda1dad
3 changed files with 28 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java
View File

@ -61,7 +61,35 @@ final class ESPolicy extends Policy {
} }
} }
// Special handling for broken AWS code which destroys all SSL security
// REMOVE THIS when https://github.com/aws/aws-sdk-java/pull/432 is fixed
if (permission instanceof RuntimePermission && "accessClassInPackage.sun.security.ssl".equals(permission.getName())) {
for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
if ("com.amazonaws.http.conn.ssl.SdkTLSSocketFactory".equals(element.getClassName()) &&
"verifyMasterSecret".equals(element.getMethodName())) {
// we found the horrible method: the hack begins!
// force the aws code to back down, by throwing an exception that it catches.
rethrow(new IllegalAccessException("no amazon, you cannot do this."));
}
}
}
// otherwise defer to template + dynamic file permissions // otherwise defer to template + dynamic file permissions
return template.implies(domain, permission) || dynamic.implies(permission); return template.implies(domain, permission) || dynamic.implies(permission);
} }
/**
* Classy puzzler to rethrow any checked exception as an unchecked one.
*/
private static class Rethrower<T extends Throwable> {
private void rethrow(Throwable t) throws T {
throw (T) t;
}
}
/**
* Rethrows <code>t</code> (identical object).
*/
private void rethrow(Throwable t) {
new Rethrower<Error>().rethrow(t);
}
} }

2
core/src/main/resources/org/elasticsearch/bootstrap/security.policy
View File

@ -86,8 +86,6 @@ grant {
// reflection hacks: // reflection hacks:
// needed by groovy engine // needed by groovy engine
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect"; permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
// needed by aws core sdk (TODO: look into this)
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.ssl";
// needed by RandomizedRunner // needed by RandomizedRunner
permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "accessDeclaredMembers";

3
plugins/repository-s3/rest-api-spec/test/repository_s3/20_repository.yaml
View File

@ -1,9 +1,6 @@
# Integration tests for Repository S3 component # Integration tests for Repository S3 component
# #
"S3 repository can be registereed": "S3 repository can be registereed":
- skip:
version: "all"
reason: does not work on java9, see https://github.com/aws/aws-sdk-java/pull/432
- do: - do:
snapshot.create_repository: snapshot.create_repository:
repository: test_repo_s3_1 repository: test_repo_s3_1