Do not stash environment in security (#54372)

Today the security plugin stashes a copy of the environment in its constructor, and uses the stashed copy to construct its components even though it is provided with an environment to create these components. What is more, the environment it creates in its constructor is not fully initialized, as it does not have the final copy of the settings, but the environment passed in while creating components does. This commit removes that stashed copy of the environment.
2020-03-28 12:41:17 -04:00 · 2020-03-28 12:41:17 -04:00 · 512a318b4b
parent cf68ac8a2c
commit 512a318b4b
2 changed files with 9 additions and 10 deletions
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@ -283,7 +283,6 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
    private static final Logger logger = LogManager.getLogger(Security.class);

    private final Settings settings;
-    private final Environment env;
    private final boolean enabled;
    private final boolean transportClientMode;
    /* what a PITA that we need an extra indirection to initialize this. Yet, once we got rid of guice we can thing about how
@ -313,7 +312,6 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
        this.settings = settings;
        this.transportClientMode = XPackPlugin.transportClientMode(settings);
        // TODO this is wrong, we should only use the environment that is provided to createComponents
-        this.env = transportClientMode ? null : new Environment(settings, configPath);
        this.enabled = XPackSettings.SECURITY_ENABLED.get(settings);
        if (enabled && transportClientMode == false) {
            runStartupChecks(settings);
@ -385,7 +383,7 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
                                               IndexNameExpressionResolver expressionResolver) {
        try {
            return createComponents(client, threadPool, clusterService, resourceWatcherService, scriptService, xContentRegistry,
-                expressionResolver);
+                environment, expressionResolver);
        } catch (final Exception e) {
            throw new IllegalStateException("security initialization failed", e);
        }
@ -394,7 +392,7 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
    // pkg private for testing - tests want to pass in their set of extensions hence we are not using the extension service directly
    Collection<Object> createComponents(Client client, ThreadPool threadPool, ClusterService clusterService,
                                        ResourceWatcherService resourceWatcherService, ScriptService scriptService,
-                                        NamedXContentRegistry xContentRegistry,
+                                        NamedXContentRegistry xContentRegistry, Environment environment,
                                        IndexNameExpressionResolver expressionResolver) throws Exception {
        if (enabled == false) {
            return Collections.emptyList();
@ -408,7 +406,7 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
            new TokenSSLBootstrapCheck(),
            new PkiRealmBootstrapCheck(getSslService()),
            new TLSLicenseBootstrapCheck()));
-        checks.addAll(InternalRealms.getBootstrapChecks(settings, env));
+        checks.addAll(InternalRealms.getBootstrapChecks(settings, environment));
        this.bootstrapChecks.set(Collections.unmodifiableList(checks));

        threadContext.set(threadPool.getThreadContext());
@ -436,9 +434,9 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
        final NativeRoleMappingStore nativeRoleMappingStore = new NativeRoleMappingStore(settings, client, securityIndex.get(),
            scriptService);
        final AnonymousUser anonymousUser = new AnonymousUser(settings);
-        final ReservedRealm reservedRealm = new ReservedRealm(env, settings, nativeUsersStore,
+        final ReservedRealm reservedRealm = new ReservedRealm(environment, settings, nativeUsersStore,
                anonymousUser, securityIndex.get(), threadPool);
-        final SecurityExtension.SecurityComponents extensionComponents = new ExtensionComponents(env, client, clusterService,
+        final SecurityExtension.SecurityComponents extensionComponents = new ExtensionComponents(environment, client, clusterService,
            resourceWatcherService, nativeRoleMappingStore);
        Map<String, Realm.Factory> realmFactories = new HashMap<>(InternalRealms.getFactories(threadPool, resourceWatcherService,
                getSslService(), nativeUsersStore, nativeRoleMappingStore, securityIndex.get()));
@ -450,7 +448,8 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
                }
            }
        }
-        final Realms realms = new Realms(settings, env, realmFactories, getLicenseState(), threadPool.getThreadContext(), reservedRealm);
+        final Realms realms =
+            new Realms(settings, environment, realmFactories, getLicenseState(), threadPool.getThreadContext(), reservedRealm);
        components.add(nativeUsersStore);
        components.add(nativeRoleMappingStore);
        components.add(realms);
@ -463,7 +462,7 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,

        dlsBitsetCache.set(new DocumentSubsetBitsetCache(settings, threadPool));
        final FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(settings);
-        final FileRolesStore fileRolesStore = new FileRolesStore(settings, env, resourceWatcherService, getLicenseState(),
+        final FileRolesStore fileRolesStore = new FileRolesStore(settings, environment, resourceWatcherService, getLicenseState(),
            xContentRegistry);
        final NativeRolesStore nativeRolesStore = new NativeRolesStore(settings, client, getLicenseState(), securityIndex.get());
        final ReservedRolesStore reservedRolesStore = new ReservedRolesStore();
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
@ -134,7 +134,7 @@ public class SecurityTests extends ESTestCase {
        when(client.threadPool()).thenReturn(threadPool);
        when(client.settings()).thenReturn(settings);
        return security.createComponents(client, threadPool, clusterService, mock(ResourceWatcherService.class), mock(ScriptService.class),
-            xContentRegistry(), new IndexNameExpressionResolver());
+            xContentRegistry(), env, new IndexNameExpressionResolver());
    }

    private static <T> T findComponent(Class<T> type, Collection<Object> components) {