Wrap getCredentials() in a doPrivileged() block (#23297)
This commit fixes an issue that was missed in #22534. `AWSCredentialsProvider.getCredentials()` appears to potentially open a socket connection. This operation needed to be wrapped in `doPrivileged()`. This should fix issue #23271.
parent
3e69c38dbd
commit
a4afc22df6
|
@ -25,6 +25,7 @@ import java.util.function.Function;
|
|||
|
||||
import com.amazonaws.ClientConfiguration;
|
||||
import com.amazonaws.Protocol;
|
||||
import com.amazonaws.auth.AWSCredentials;
|
||||
import com.amazonaws.auth.AWSCredentialsProvider;
|
||||
import com.amazonaws.auth.BasicAWSCredentials;
|
||||
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
|
||||
|
@ -35,6 +36,7 @@ import com.amazonaws.services.s3.AmazonS3Client;
|
|||
import com.amazonaws.services.s3.S3ClientOptions;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.cloud.aws.util.SocketAccess;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.collect.Tuple;
|
||||
import org.elasticsearch.common.component.AbstractLifecycleComponent;
|
||||
|
@ -141,7 +143,6 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
|
|||
|
||||
public static AWSCredentialsProvider buildCredentials(Logger logger, DeprecationLogger deprecationLogger,
|
||||
Settings settings, Settings repositorySettings, String clientName) {
|
||||
AWSCredentialsProvider credentials;
|
||||
try (SecureString key = getConfigValue(repositorySettings, settings, clientName, S3Repository.ACCESS_KEY_SETTING,
|
||||
S3Repository.Repository.KEY_SETTING, S3Repository.Repositories.KEY_SETTING);
|
||||
SecureString secret = getConfigValue(repositorySettings, settings, clientName, S3Repository.SECRET_KEY_SETTING,
|
||||
|
@ -149,14 +150,23 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
|
|||
|
||||
if (key.length() == 0 && secret.length() == 0) {
|
||||
logger.debug("Using instance profile credentials");
|
||||
credentials = new InstanceProfileCredentialsProvider();
|
||||
AWSCredentialsProvider credentials = new InstanceProfileCredentialsProvider();
|
||||
return new AWSCredentialsProvider() {
|
||||
@Override
|
||||
public AWSCredentials getCredentials() {
|
||||
return SocketAccess.doPrivileged(credentials::getCredentials);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void refresh() {
|
||||
SocketAccess.doPrivilegedVoid(credentials::refresh);
|
||||
}
|
||||
};
|
||||
} else {
|
||||
logger.debug("Using basic key/secret credentials");
|
||||
credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
|
||||
return new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
|
||||
}
|
||||
}
|
||||
|
||||
return credentials;
|
||||
}
|
||||
|
||||
// pkg private for tests
|
||||
|
|
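Review bot: The anonymous `AWSCredentialsProvider` returned from the instance-profile branch has no comment saying why its two calls are privileged, so a later refactor could drop the wrapper or widen the privileged region without anyone noticing the security-manager implication. I would put a comment above the `return new AWSCredentialsProvider() {` line, for example `// the instance profile provider may open a socket when fetching or refreshing credentials, so both calls run inside doPrivileged`, and consider making the anonymous class a small named static nested class so it can be unit-tested on its own. The privileged region is limited to the two method references, which is the right scope; it should stay that narrow rather than grow to cover all of `buildCredentials`, because code inside `doPrivileged` runs with the plugin's permissions whatever the caller's are. `buildCredentials` begins in the previous hunk and `SocketAccess` is not shown on this page, so how it handles exceptions thrown by the delegate should be confirmed there.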