Upgrade to aws 1.10.33
Security issues have been fixed. This removes our hacks.
parent
83f3a981b7
commit
914cee213e
|
@ -74,18 +74,6 @@ final class ESPolicy extends Policy {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Special handling for broken AWS code which destroys all SSL security
|
|
||||||
// REMOVE THIS when https://github.com/aws/aws-sdk-java/pull/432 is fixed
|
|
||||||
if (permission instanceof RuntimePermission && "accessClassInPackage.sun.security.ssl".equals(permission.getName())) {
|
|
||||||
for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
|
|
||||||
if ("com.amazonaws.http.conn.ssl.SdkTLSSocketFactory".equals(element.getClassName()) &&
|
|
||||||
"verifyMasterSecret".equals(element.getMethodName())) {
|
|
||||||
// we found the horrible method: the hack begins!
|
|
||||||
// force the aws code to back down, by throwing an exception that it catches.
|
|
||||||
rethrow(new IllegalAccessException("no amazon, you cannot do this."));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// otherwise defer to template + dynamic file permissions
|
// otherwise defer to template + dynamic file permissions
|
||||||
return template.implies(domain, permission) || dynamic.implies(permission);
|
return template.implies(domain, permission) || dynamic.implies(permission);
|
||||||
}
|
}
|
||||||
|
@ -104,20 +92,4 @@ final class ESPolicy extends Policy {
|
||||||
// return UNSUPPORTED_EMPTY_COLLECTION since it is safe.
|
// return UNSUPPORTED_EMPTY_COLLECTION since it is safe.
|
||||||
return super.getPermissions(codesource);
|
return super.getPermissions(codesource);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Classy puzzler to rethrow any checked exception as an unchecked one.
|
|
||||||
*/
|
|
||||||
private static class Rethrower<T extends Throwable> {
|
|
||||||
private void rethrow(Throwable t) throws T {
|
|
||||||
throw (T) t;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Rethrows <code>t</code> (identical object).
|
|
||||||
*/
|
|
||||||
private void rethrow(Throwable t) {
|
|
||||||
new Rethrower<Error>().rethrow(t);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
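Review bot: With the stack-walk guard removed from the first hunk, the only remaining decision is `return template.implies(domain, permission) || dynamic.implies(permission);`, so `accessClassInPackage.sun.security.ssl` is now denied only as long as neither policy grants it. Nothing visible in this commit pins that down, and the old comment tied the removal to https://github.com/aws/aws-sdk-java/pull/432 being fixed, which the diff itself cannot show for 1.10.33. I would keep a short why-comment above the return, for example `// no AWS-specific denial any more: sun.security.ssl access must stay ungranted by template and dynamic`. I would also add a policy test asserting that `implies` returns false for that `RuntimePermission` on a plugin protection domain. The enclosing method starts outside the hunk, so whether an earlier branch already covers this cannot be told from here.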
@ -23,7 +23,7 @@ esplugin {
|
||||||
}
|
}
|
||||||
|
|
||||||
versions << [
|
versions << [
|
||||||
'aws': '1.10.19'
|
'aws': '1.10.33'
|
||||||
]
|
]
|
||||||
|
|
||||||
dependencies {
|
dependencies {
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
b53f650323b7242dcced25b679f3e9aa4b494da5
|
|
|
@ -0,0 +1 @@
|
||||||
|
fabedbbe2b834b1add150b6a38395c5ef7380168
|
|
@ -1 +0,0 @@
|
||||||
50ba7eb31719be1260bdae51cf69340df2d91ec4
|
|
|
@ -0,0 +1 @@
|
||||||
|
202f6b5dbc196e355d50c131b0fd34969bfd89e6
|
|
@ -19,7 +19,6 @@
|
||||||
|
|
||||||
package org.elasticsearch.plugin.discovery.ec2;
|
package org.elasticsearch.plugin.discovery.ec2;
|
||||||
|
|
||||||
import org.elasticsearch.SpecialPermission;
|
|
||||||
import org.elasticsearch.cloud.aws.AwsEc2ServiceImpl;
|
import org.elasticsearch.cloud.aws.AwsEc2ServiceImpl;
|
||||||
import org.elasticsearch.cloud.aws.Ec2Module;
|
import org.elasticsearch.cloud.aws.Ec2Module;
|
||||||
import org.elasticsearch.common.component.LifecycleComponent;
|
import org.elasticsearch.common.component.LifecycleComponent;
|
||||||
|
@ -32,8 +31,6 @@ import org.elasticsearch.discovery.ec2.AwsEc2UnicastHostsProvider;
|
||||||
import org.elasticsearch.discovery.ec2.Ec2Discovery;
|
import org.elasticsearch.discovery.ec2.Ec2Discovery;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
|
|
||||||
import java.security.AccessController;
|
|
||||||
import java.security.PrivilegedAction;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
|
||||||
|
@ -42,27 +39,6 @@ import java.util.Collection;
|
||||||
*/
|
*/
|
||||||
public class Ec2DiscoveryPlugin extends Plugin {
|
public class Ec2DiscoveryPlugin extends Plugin {
|
||||||
|
|
||||||
static {
|
|
||||||
// This internal config is deserialized but with wrong access modifiers,
|
|
||||||
// cannot work without suppressAccessChecks permission right now. We force
|
|
||||||
// a one time load with elevated privileges as a workaround.
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(new SpecialPermission());
|
|
||||||
}
|
|
||||||
AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
|
||||||
@Override
|
|
||||||
public Void run() {
|
|
||||||
try {
|
|
||||||
Class.forName("com.amazonaws.internal.config.InternalConfig$Factory");
|
|
||||||
} catch (ClassNotFoundException e) {
|
|
||||||
throw new RuntimeException("Unable to initialize internal aws config", e);
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
private final Settings settings;
|
private final Settings settings;
|
||||||
protected final ESLogger logger = Loggers.getLogger(Ec2DiscoveryPlugin.class);
|
protected final ESLogger logger = Loggers.getLogger(Ec2DiscoveryPlugin.class);
|
||||||
|
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
/*
|
|
||||||
* Licensed to Elasticsearch under one or more contributor
|
|
||||||
* license agreements. See the NOTICE file distributed with
|
|
||||||
* this work for additional information regarding copyright
|
|
||||||
* ownership. Elasticsearch licenses this file to you under
|
|
||||||
* the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing,
|
|
||||||
* software distributed under the License is distributed on an
|
|
||||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
||||||
* KIND, either express or implied. See the License for the
|
|
||||||
* specific language governing permissions and limitations
|
|
||||||
* under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
grant {
|
|
||||||
// needed because of problems in aws-sdk
|
|
||||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
|
||||||
};
|
|
|
@ -1355,4 +1355,9 @@ public class AmazonEC2Mock implements AmazonEC2 {
|
||||||
public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request) {
|
public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request) {
|
||||||
throw new UnsupportedOperationException("Not supported in mock");
|
throw new UnsupportedOperationException("Not supported in mock");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ModifySpotFleetRequestResult modifySpotFleetRequest(ModifySpotFleetRequestRequest modifySpotFleetRequestRequest) throws AmazonServiceException, AmazonClientException {
|
||||||
|
throw new UnsupportedOperationException("Not supported in mock");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,7 +23,7 @@ esplugin {
|
||||||
}
|
}
|
||||||
|
|
||||||
versions << [
|
versions << [
|
||||||
'aws': '1.10.19'
|
'aws': '1.10.33'
|
||||||
]
|
]
|
||||||
|
|
||||||
dependencies {
|
dependencies {
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
b53f650323b7242dcced25b679f3e9aa4b494da5
|
|
|
@ -0,0 +1 @@
|
||||||
|
fabedbbe2b834b1add150b6a38395c5ef7380168
|
|
@ -1 +0,0 @@
|
||||||
c8764f3e61a3c420db429870ec22b31fe755d81d
|
|
|
@ -0,0 +1 @@
|
||||||
|
35881245894ecc4d893c074eacdf2e6b56820fda
|
|
@ -1 +0,0 @@
|
||||||
a23dc60d56d54126250c23cab1d01328b1e83678
|
|
|
@ -0,0 +1 @@
|
||||||
|
5665cf77102a932a16e99ebf41d197e03ddbf25c
|
|
@ -19,7 +19,6 @@
|
||||||
|
|
||||||
package org.elasticsearch.plugin.repository.s3;
|
package org.elasticsearch.plugin.repository.s3;
|
||||||
|
|
||||||
import org.elasticsearch.SpecialPermission;
|
|
||||||
import org.elasticsearch.cloud.aws.S3Module;
|
import org.elasticsearch.cloud.aws.S3Module;
|
||||||
import org.elasticsearch.common.component.LifecycleComponent;
|
import org.elasticsearch.common.component.LifecycleComponent;
|
||||||
import org.elasticsearch.common.inject.Module;
|
import org.elasticsearch.common.inject.Module;
|
||||||
|
@ -28,8 +27,6 @@ import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.repositories.RepositoriesModule;
|
import org.elasticsearch.repositories.RepositoriesModule;
|
||||||
import org.elasticsearch.repositories.s3.S3Repository;
|
import org.elasticsearch.repositories.s3.S3Repository;
|
||||||
|
|
||||||
import java.security.AccessController;
|
|
||||||
import java.security.PrivilegedAction;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
@ -39,27 +36,6 @@ import java.util.Collections;
|
||||||
*/
|
*/
|
||||||
public class S3RepositoryPlugin extends Plugin {
|
public class S3RepositoryPlugin extends Plugin {
|
||||||
|
|
||||||
static {
|
|
||||||
// This internal config is deserialized but with wrong access modifiers,
|
|
||||||
// cannot work without suppressAccessChecks permission right now. We force
|
|
||||||
// a one time load with elevated privileges as a workaround.
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(new SpecialPermission());
|
|
||||||
}
|
|
||||||
AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
|
||||||
@Override
|
|
||||||
public Void run() {
|
|
||||||
try {
|
|
||||||
Class.forName("com.amazonaws.internal.config.InternalConfig$Factory");
|
|
||||||
} catch (ClassNotFoundException e) {
|
|
||||||
throw new RuntimeException("Unable to initialize internal aws config", e);
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String name() {
|
public String name() {
|
||||||
return "repository-s3";
|
return "repository-s3";
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
/*
|
|
||||||
* Licensed to Elasticsearch under one or more contributor
|
|
||||||
* license agreements. See the NOTICE file distributed with
|
|
||||||
* this work for additional information regarding copyright
|
|
||||||
* ownership. Elasticsearch licenses this file to you under
|
|
||||||
* the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing,
|
|
||||||
* software distributed under the License is distributed on an
|
|
||||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
||||||
* KIND, either express or implied. See the License for the
|
|
||||||
* specific language governing permissions and limitations
|
|
||||||
* under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
grant {
|
|
||||||
// needed because of problems in aws-sdk
|
|
||||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
|
||||||
};
|
|
|
@ -628,4 +628,9 @@ public class AmazonS3Wrapper implements AmazonS3 {
|
||||||
public BucketReplicationConfiguration getBucketReplicationConfiguration(GetBucketReplicationConfigurationRequest getBucketReplicationConfigurationRequest) throws AmazonServiceException, AmazonClientException {
|
public BucketReplicationConfiguration getBucketReplicationConfiguration(GetBucketReplicationConfigurationRequest getBucketReplicationConfigurationRequest) throws AmazonServiceException, AmazonClientException {
|
||||||
return delegate.getBucketReplicationConfiguration(getBucketReplicationConfigurationRequest);
|
return delegate.getBucketReplicationConfiguration(getBucketReplicationConfigurationRequest);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public HeadBucketResult headBucket(HeadBucketRequest headBucketRequest) throws AmazonClientException, AmazonServiceException {
|
||||||
|
return delegate.headBucket(headBucketRequest);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|