Wrap getCredentials() in a doPrivileged() block (#23297)
This commit fixes an issue that was missed in #22534. `AWSCredentialsProvider.getCredentials()` appears to potentially open a socket connection. This operation needed to be wrapped in `doPrivileged()`. This should fix issue #23271.
parent
3e69c38dbd
commit
a4afc22df6
|
@ -25,6 +25,7 @@ import java.util.function.Function;
|
||||||
|
|
||||||
import com.amazonaws.ClientConfiguration;
|
import com.amazonaws.ClientConfiguration;
|
||||||
import com.amazonaws.Protocol;
|
import com.amazonaws.Protocol;
|
||||||
|
import com.amazonaws.auth.AWSCredentials;
|
||||||
import com.amazonaws.auth.AWSCredentialsProvider;
|
import com.amazonaws.auth.AWSCredentialsProvider;
|
||||||
import com.amazonaws.auth.BasicAWSCredentials;
|
import com.amazonaws.auth.BasicAWSCredentials;
|
||||||
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
|
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
|
||||||
|
@ -35,6 +36,7 @@ import com.amazonaws.services.s3.AmazonS3Client;
|
||||||
import com.amazonaws.services.s3.S3ClientOptions;
|
import com.amazonaws.services.s3.S3ClientOptions;
|
||||||
import org.apache.logging.log4j.Logger;
|
import org.apache.logging.log4j.Logger;
|
||||||
import org.elasticsearch.ElasticsearchException;
|
import org.elasticsearch.ElasticsearchException;
|
||||||
|
import org.elasticsearch.cloud.aws.util.SocketAccess;
|
||||||
import org.elasticsearch.common.Strings;
|
import org.elasticsearch.common.Strings;
|
||||||
import org.elasticsearch.common.collect.Tuple;
|
import org.elasticsearch.common.collect.Tuple;
|
||||||
import org.elasticsearch.common.component.AbstractLifecycleComponent;
|
import org.elasticsearch.common.component.AbstractLifecycleComponent;
|
||||||
|
@ -141,7 +143,6 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
|
||||||
|
|
||||||
public static AWSCredentialsProvider buildCredentials(Logger logger, DeprecationLogger deprecationLogger,
|
public static AWSCredentialsProvider buildCredentials(Logger logger, DeprecationLogger deprecationLogger,
|
||||||
Settings settings, Settings repositorySettings, String clientName) {
|
Settings settings, Settings repositorySettings, String clientName) {
|
||||||
AWSCredentialsProvider credentials;
|
|
||||||
try (SecureString key = getConfigValue(repositorySettings, settings, clientName, S3Repository.ACCESS_KEY_SETTING,
|
try (SecureString key = getConfigValue(repositorySettings, settings, clientName, S3Repository.ACCESS_KEY_SETTING,
|
||||||
S3Repository.Repository.KEY_SETTING, S3Repository.Repositories.KEY_SETTING);
|
S3Repository.Repository.KEY_SETTING, S3Repository.Repositories.KEY_SETTING);
|
||||||
SecureString secret = getConfigValue(repositorySettings, settings, clientName, S3Repository.SECRET_KEY_SETTING,
|
SecureString secret = getConfigValue(repositorySettings, settings, clientName, S3Repository.SECRET_KEY_SETTING,
|
||||||
|
@ -149,14 +150,23 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
|
||||||
|
|
||||||
if (key.length() == 0 && secret.length() == 0) {
|
if (key.length() == 0 && secret.length() == 0) {
|
||||||
logger.debug("Using instance profile credentials");
|
logger.debug("Using instance profile credentials");
|
||||||
credentials = new InstanceProfileCredentialsProvider();
|
AWSCredentialsProvider credentials = new InstanceProfileCredentialsProvider();
|
||||||
|
return new AWSCredentialsProvider() {
|
||||||
|
@Override
|
||||||
|
public AWSCredentials getCredentials() {
|
||||||
|
return SocketAccess.doPrivileged(credentials::getCredentials);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void refresh() {
|
||||||
|
SocketAccess.doPrivilegedVoid(credentials::refresh);
|
||||||
|
}
|
||||||
|
};
|
||||||
} else {
|
} else {
|
||||||
logger.debug("Using basic key/secret credentials");
|
logger.debug("Using basic key/secret credentials");
|
||||||
credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
|
return new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return credentials;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// pkg private for tests
|
// pkg private for tests
|
||||||
|
|
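Review bot: The anonymous `AWSCredentialsProvider` returned from the instance-profile branch of `buildCredentials` has no comment saying why `getCredentials()` and `refresh()` go through `SocketAccess.doPrivileged` and `SocketAccess.doPrivilegedVoid`, so a later cleanup could drop the wrapper or move more code into the privileged call. I would add, directly above `return new AWSCredentialsProvider() {`, a comment such as `// The instance profile provider may open a socket when fetching or refreshing credentials; keep only these two SDK calls inside doPrivileged.` The privileged actions are the two method references and nothing else, which is the narrow scope to preserve. What `SocketAccess` grants is not visible on this page, so it is worth confirming that it covers socket permissions only. The key/secret branch is left unwrapped, which looks intentional since it only builds static credentials from settings.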