There were some issues with the Azure implementation requiring permissions to list all containers ue to a container exists check. This was caught in CI this time, but going forward we should ensure that CI is executed using a token that does not allow listing containers. Relates #43288
This commit is contained in:
Armin Braun
GitHub
parent
92e518e789
commit
b00de8edf3
|
|
@ -68,6 +68,10 @@ public class AzureBlobStore implements BlobStore {
|
||||||
return container;
|
return container;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public AzureStorageService getService() {
|
||||||
|
return service;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the configured {@link LocationMode} for the Azure storage requests.
|
* Gets the configured {@link LocationMode} for the Azure storage requests.
|
||||||
*/
|
*/
|
||||||
|
|
|
||||||
|
|
@ -19,15 +19,25 @@
|
||||||
|
|
||||||
package org.elasticsearch.repositories.azure;
|
package org.elasticsearch.repositories.azure;
|
||||||
|
|
||||||
|
import com.microsoft.azure.storage.OperationContext;
|
||||||
|
import com.microsoft.azure.storage.StorageException;
|
||||||
|
import com.microsoft.azure.storage.blob.CloudBlobClient;
|
||||||
|
import com.microsoft.azure.storage.blob.CloudBlobContainer;
|
||||||
|
import org.elasticsearch.action.ActionRunnable;
|
||||||
|
import org.elasticsearch.action.support.PlainActionFuture;
|
||||||
import org.elasticsearch.action.support.master.AcknowledgedResponse;
|
import org.elasticsearch.action.support.master.AcknowledgedResponse;
|
||||||
import org.elasticsearch.common.Strings;
|
import org.elasticsearch.common.Strings;
|
||||||
|
import org.elasticsearch.common.collect.Tuple;
|
||||||
import org.elasticsearch.common.settings.MockSecureSettings;
|
import org.elasticsearch.common.settings.MockSecureSettings;
|
||||||
import org.elasticsearch.common.settings.SecureSettings;
|
import org.elasticsearch.common.settings.SecureSettings;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.repositories.AbstractThirdPartyRepositoryTestCase;
|
import org.elasticsearch.repositories.AbstractThirdPartyRepositoryTestCase;
|
||||||
|
import org.elasticsearch.repositories.blobstore.BlobStoreRepository;
|
||||||
|
|
||||||
|
import java.net.HttpURLConnection;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
import static org.hamcrest.Matchers.blankOrNullString;
|
import static org.hamcrest.Matchers.blankOrNullString;
|
||||||
import static org.hamcrest.Matchers.equalTo;
|
import static org.hamcrest.Matchers.equalTo;
|
||||||
|
|
@ -71,5 +81,32 @@ public class AzureStorageCleanupThirdPartyTests extends AbstractThirdPartyReposi
|
||||||
.put("base_path", System.getProperty("test.azure.base"))
|
.put("base_path", System.getProperty("test.azure.base"))
|
||||||
).get();
|
).get();
|
||||||
assertThat(putRepositoryResponse.isAcknowledged(), equalTo(true));
|
assertThat(putRepositoryResponse.isAcknowledged(), equalTo(true));
|
||||||
|
if (Strings.hasText(System.getProperty("test.azure.sas_token"))) {
|
||||||
|
ensureSasTokenPermissions();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void ensureSasTokenPermissions() {
|
||||||
|
final BlobStoreRepository repository = getRepository();
|
||||||
|
final PlainActionFuture<Void> future = PlainActionFuture.newFuture();
|
||||||
|
repository.threadPool().generic().execute(ActionRunnable.wrap(future, l -> {
|
||||||
|
final AzureBlobStore blobStore = (AzureBlobStore) repository.blobStore();
|
||||||
|
final String account = "default";
|
||||||
|
final Tuple<CloudBlobClient, Supplier<OperationContext>> client = blobStore.getService().client(account);
|
||||||
|
final CloudBlobContainer blobContainer = client.v1().getContainerReference(blobStore.toString());
|
||||||
|
try {
|
||||||
|
SocketAccess.doPrivilegedException(() -> blobContainer.exists(null, null, client.v2().get()));
|
||||||
|
future.onFailure(new RuntimeException(
|
||||||
|
"The SAS token used in this test allowed for checking container existence. This test only supports tokens " +
|
||||||
|
"that grant only the documented permission requirements for the Azure repository plugin."));
|
||||||
|
} catch (StorageException e) {
|
||||||
|
if (e.getHttpStatusCode() == HttpURLConnection.HTTP_FORBIDDEN) {
|
||||||
|
future.onResponse(null);
|
||||||
|
} else {
|
||||||
|
future.onFailure(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}));
|
||||||
|
future.actionGet();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -302,7 +302,7 @@ public abstract class AbstractThirdPartyRepositoryTestCase extends ESSingleNodeT
|
||||||
return future.actionGet();
|
return future.actionGet();
|
||||||
}
|
}
|
||||||
|
|
||||||
private BlobStoreRepository getRepository() {
|
protected BlobStoreRepository getRepository() {
|
||||||
return (BlobStoreRepository) getInstanceFromNode(RepositoriesService.class).repository("test-repo");
|
return (BlobStoreRepository) getInstanceFromNode(RepositoriesService.class).repository("test-repo");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue