Wrap getCredentials() in a doPrivileged() block (#23297)

This commit fixes an issue that was missed in #22534.
`AWSCredentialsProvider.getCredentials()` appears to potentially open a
socket connect. This operation needed to be wrapped in `doPrivileged()`.

This should fix issue #23271.
This commit is contained in:
Tim Brooks 2017-02-23 08:59:42 -06:00 committed by GitHub
parent 3e69c38dbd
commit a4afc22df6
1 changed files with 15 additions and 5 deletions

View File

@ -25,6 +25,7 @@ import java.util.function.Function;
import com.amazonaws.ClientConfiguration; import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol; import com.amazonaws.Protocol;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials; import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.InstanceProfileCredentialsProvider; import com.amazonaws.auth.InstanceProfileCredentialsProvider;
@ -35,6 +36,7 @@ import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.S3ClientOptions; import com.amazonaws.services.s3.S3ClientOptions;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.cloud.aws.util.SocketAccess;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.component.AbstractLifecycleComponent; import org.elasticsearch.common.component.AbstractLifecycleComponent;
@ -141,7 +143,6 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
public static AWSCredentialsProvider buildCredentials(Logger logger, DeprecationLogger deprecationLogger, public static AWSCredentialsProvider buildCredentials(Logger logger, DeprecationLogger deprecationLogger,
Settings settings, Settings repositorySettings, String clientName) { Settings settings, Settings repositorySettings, String clientName) {
AWSCredentialsProvider credentials;
try (SecureString key = getConfigValue(repositorySettings, settings, clientName, S3Repository.ACCESS_KEY_SETTING, try (SecureString key = getConfigValue(repositorySettings, settings, clientName, S3Repository.ACCESS_KEY_SETTING,
S3Repository.Repository.KEY_SETTING, S3Repository.Repositories.KEY_SETTING); S3Repository.Repository.KEY_SETTING, S3Repository.Repositories.KEY_SETTING);
SecureString secret = getConfigValue(repositorySettings, settings, clientName, S3Repository.SECRET_KEY_SETTING, SecureString secret = getConfigValue(repositorySettings, settings, clientName, S3Repository.SECRET_KEY_SETTING,
@ -149,14 +150,23 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
if (key.length() == 0 && secret.length() == 0) { if (key.length() == 0 && secret.length() == 0) {
logger.debug("Using instance profile credentials"); logger.debug("Using instance profile credentials");
credentials = new InstanceProfileCredentialsProvider(); AWSCredentialsProvider credentials = new InstanceProfileCredentialsProvider();
return new AWSCredentialsProvider() {
@Override
public AWSCredentials getCredentials() {
return SocketAccess.doPrivileged(credentials::getCredentials);
}
@Override
public void refresh() {
SocketAccess.doPrivilegedVoid(credentials::refresh);
}
};
} else { } else {
logger.debug("Using basic key/secret credentials"); logger.debug("Using basic key/secret credentials");
credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString())); return new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
} }
} }
return credentials;
} }
// pkg private for tests // pkg private for tests