GCS Repository: Remove specifying credential file on disk (#24727)

This commit removes the ability to specify the google credential json file on disk, which is deprecated in 5.5.0.
2025-03-27 10:28:28 +00:00 · 2017-05-18 10:22:29 -07:00 · 2017-05-18 10:22:29 -07:00 · b214b80e6c
commit b214b80e6c
parent 46530c1cba
5 changed files with 17 additions and 55 deletions
--- a/docs/reference/migration/migrate_6_0/plugins.asciidoc
+++ b/docs/reference/migration/migrate_6_0/plugins.asciidoc
@ -55,6 +55,11 @@ You must set those settings per repository instead. Respectively `account`, `con
 `location_mode`, `chunk_size` and `compress`.
 See {plugins}/repository-azure-usage.html#repository-azure-repository-settings[Azure Repository settings].

+==== GCS Repository plugin
+
+* The `service_account` setting has been removed. A service account json credential file must now be
+specified in the <<secure-settings, elasticsearch keystore>>.
+
 ==== EC2 Discovery plugin

 * Specifying ec2 signer type has been removed, including `cloud.aws.signer` and `cloud.aws.ec2.signer`.
--- a/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageRepository.java
+++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageRepository.java
@ -62,8 +62,6 @@ class GoogleCloudStorageRepository extends BlobStoreRepository {
            byteSizeSetting("chunk_size", MAX_CHUNK_SIZE, MIN_CHUNK_SIZE, MAX_CHUNK_SIZE, Property.NodeScope, Property.Dynamic);
    static final Setting<String> APPLICATION_NAME =
            new Setting<>("application_name", GoogleCloudStoragePlugin.NAME, Function.identity(), Property.NodeScope, Property.Dynamic);
-    static final Setting<String> SERVICE_ACCOUNT =
-            new Setting<>("service_account", "_default_", Function.identity(), Property.NodeScope, Property.Dynamic, Property.Deprecated);
    static final Setting<String> CLIENT_NAME = new Setting<>("client", "default", Function.identity());
    static final Setting<TimeValue> HTTP_READ_TIMEOUT =
            timeSetting("http.read_timeout", NO_TIMEOUT, Property.NodeScope, Property.Dynamic);
@ -82,7 +80,6 @@ class GoogleCloudStorageRepository extends BlobStoreRepository {

        String bucket = getSetting(BUCKET, metadata);
        String application = getSetting(APPLICATION_NAME, metadata);
-        String serviceAccount = SERVICE_ACCOUNT.get(metadata.settings());
        String clientName = CLIENT_NAME.get(metadata.settings());

        String basePath = BASE_PATH.get(metadata.settings());
@ -115,7 +112,7 @@ class GoogleCloudStorageRepository extends BlobStoreRepository {
        logger.debug("using bucket [{}], base_path [{}], chunk_size [{}], compress [{}], application [{}]",
                bucket, basePath, chunkSize, compress, application);

-        Storage client = storageService.createClient(serviceAccount, clientName, application, connectTimeout, readTimeout);
+        Storage client = storageService.createClient(clientName, application, connectTimeout, readTimeout);
        this.blobStore = new GoogleCloudStorageBlobStore(settings, bucket, client);
    }

--- a/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
+++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
@ -63,14 +63,13 @@ interface GoogleCloudStorageService {
    /**
     * Creates a client that can be used to manage Google Cloud Storage objects.
     *
-     * @param serviceAccount path to service account file
     * @param clientName     name of client settings to use from secure settings
     * @param application    name of the application
     * @param connectTimeout connection timeout for HTTP requests
     * @param readTimeout    read timeout for HTTP requests
     * @return a Client instance that can be used to manage objects
     */
-    Storage createClient(String serviceAccount, String clientName, String application,
+    Storage createClient(String clientName, String application,
                         TimeValue connectTimeout, TimeValue readTimeout) throws Exception;

    /**
@ -92,10 +91,10 @@ interface GoogleCloudStorageService {
        }

        @Override
-        public Storage createClient(String serviceAccountFile, String clientName, String application,
+        public Storage createClient(String clientName, String application,
                                    TimeValue connectTimeout, TimeValue readTimeout) throws Exception {
            try {
-                GoogleCredential credential = getCredential(serviceAccountFile, clientName);
+                GoogleCredential credential = getCredential(clientName);
                NetHttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();

                Storage.Builder storage = new Storage.Builder(httpTransport, JacksonFactory.getDefaultInstance(),
@ -111,25 +110,10 @@ interface GoogleCloudStorageService {
        }

        // pkg private for tests
-        GoogleCredential getCredential(String serviceAccountFile, String clientName) throws IOException {
-            if (DEFAULT.equalsIgnoreCase(serviceAccountFile) == false) {
-                deprecationLogger.deprecated("Using GCS service account file from disk is deprecated. " +
-                    "Move the file into the elasticsearch keystore.");
-                Path account = environment.configFile().resolve(serviceAccountFile);
-                if (Files.exists(account) == false) {
-                    throw new IllegalArgumentException("Unable to find service account file [" + serviceAccountFile
-                        + "] defined for repository");
-                }
-
-                try (InputStream is = Files.newInputStream(account)) {
-                    GoogleCredential credential = GoogleCredential.fromStream(is);
-                    if (credential.createScopedRequired()) {
-                        credential = credential.createScoped(Collections.singleton(StorageScopes.DEVSTORAGE_FULL_CONTROL));
-                    }
-                    return credential;
-                }
-            } else if (credentials.containsKey(clientName)) {
-                return credentials.get(clientName);
+        GoogleCredential getCredential(String clientName) throws IOException {
+            GoogleCredential cred = credentials.get(clientName);
+            if (cred != null) {
+                return cred;
            }
            return getDefaultCredential();
        }
--- a/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageBlobStoreRepositoryTests.java
+++ b/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageBlobStoreRepositoryTests.java
@ -78,9 +78,8 @@ public class GoogleCloudStorageBlobStoreRepositoryTests extends ESBlobStoreRepos

    public static class MockGoogleCloudStorageService implements GoogleCloudStorageService {
        @Override
-        public Storage createClient(String serviceAccount, String accountName, String application,
-                                    TimeValue connectTimeout, TimeValue readTimeout) throws
-                Exception {
+        public Storage createClient(String accountName, String application,
+                                    TimeValue connectTimeout, TimeValue readTimeout) throws Exception {
            return storage.get();
        }
    }
--- a/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageServiceTests.java
+++ b/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageServiceTests.java
@ -49,30 +49,7 @@ public class GoogleCloudStorageServiceTests extends ESTestCase {
                return cred;
            }
        };
-        assertSame(cred, service.getCredential("_default_", "default"));
-    }
-
-    public void testFileCredentialBackcompat() throws Exception {
-        Path home = createTempDir();
-        Path config = home.resolve("config");
-        Files.createDirectories(config);
-        Settings settings = Settings.builder()
-            .put("path.home", home).build();
-        Environment env = new Environment(settings);
-        Files.copy(getDummyCredentialStream(), config.resolve("test-cred.json"));
-        InternalGoogleCloudStorageService service = new InternalGoogleCloudStorageService(env, Collections.emptyMap());
-        GoogleCredential cred = service.getCredential("test-cred.json", "default");
-        assertEquals("some-project-name@appspot.gserviceaccount.com", cred.getServiceAccountId());
-        assertWarnings("Using GCS service account file from disk is deprecated. Move the file into the elasticsearch keystore.");
-    }
-
-    public void testFileCredentialMissing() throws Exception {
-        Environment env = new Environment(Settings.builder().put("path.home", createTempDir()).build());
-        InternalGoogleCloudStorageService service = new InternalGoogleCloudStorageService(env, Collections.emptyMap());
-        IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () ->
-            service.getCredential("test-cred.json", "default"));
-        assertThat(e.getMessage(), containsString("Unable to find service account file"));
-        assertWarnings("Using GCS service account file from disk is deprecated. Move the file into the elasticsearch keystore.");
+        assertSame(cred, service.getCredential("default"));
    }

    public void testClientCredential() throws Exception {
@ -80,6 +57,6 @@ public class GoogleCloudStorageServiceTests extends ESTestCase {
        Map<String, GoogleCredential> credentials = Collections.singletonMap("clientname", cred);
        Environment env = new Environment(Settings.builder().put("path.home", createTempDir()).build());
        InternalGoogleCloudStorageService service = new InternalGoogleCloudStorageService(env, credentials);
-        assertSame(cred, service.getCredential("_default_", "clientname"));
+        assertSame(cred, service.getCredential("clientname"));
    }
 }