S3 Repository: Remove env var and sysprop credentials support (#22842)

These are deprecated in 5.x. This commit removes support for them in 6.0.

docs/reference/migration/migrate_6_0/plugins.asciidoc

@@ -5,3 +5,9 @@
 
 * The mapper attachments plugin has been deprecated in elasticsearch 5.0 and is now removed.
 You can use {plugins}/ingest-attachment.html[ingest attachment plugin] instead.
+
+==== S3 Repository plugin
+
+* Support for specifying s3 credentials through environment variables and
+system properties has been removed. Use the `elasticsearch-keystore` tool
+to securely store the credentials.

plugins/repository-s3/build.gradle

@@ -54,23 +54,6 @@ bundlePlugin {
   }
 }
 
-additionalTest('testEnvCreds'){
-  include '**/EnvironmentCredentialsTests.class'
-  environment 'AWS_ACCESS_KEY_ID', 'env_access'
-  environment 'AWS_SECRET_ACCESS_KEY', 'env_secret'
-}
-
-additionalTest('testSyspropCreds'){
-  include '**/SyspropCredentialsTests.class'
-  systemProperty 'aws.accessKeyId', 'sysprop_access'
-  systemProperty 'aws.secretKey', 'sysprop_secret'
-}
-
-test {
-  // these are tested explicitly in separate test tasks
-  exclude '**/*CredentialsTests.class'
-}
-
 thirdPartyAudit.excludes = [
   // classes are missing
   'javax.servlet.ServletContextEvent', 

plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java

@@ -25,12 +25,9 @@ import java.util.function.Function;
 
 import com.amazonaws.ClientConfiguration;
 import com.amazonaws.Protocol;
-import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.auth.BasicAWSCredentials;
-import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
 import com.amazonaws.auth.InstanceProfileCredentialsProvider;
-import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
 import com.amazonaws.http.IdleConnectionReaper;
 import com.amazonaws.internal.StaticCredentialsProvider;
 import com.amazonaws.services.s3.AmazonS3;
@@ -151,21 +148,8 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
                                                   S3Repository.Repository.SECRET_SETTING, S3Repository.Repositories.SECRET_SETTING)) {
 
             if (key.length() == 0 && secret.length() == 0) {
-                // create a "manual" chain of providers here, so we can log deprecation of unsupported methods
+                logger.debug("Using instance profile credentials");
-                AWSCredentials envCredentials = getDeprecatedCredentials(logger, deprecationLogger,
+                credentials = new InstanceProfileCredentialsProvider();
-                    new EnvironmentVariableCredentialsProvider(), "environment variables");
-                if (envCredentials != null) {
-                    credentials = new StaticCredentialsProvider(envCredentials);
-                } else {
-                    AWSCredentials syspropCredentials = getDeprecatedCredentials(logger, deprecationLogger,
-                        new SystemPropertiesCredentialsProvider(), "system properties");
-                    if (syspropCredentials != null) {
-                        credentials = new StaticCredentialsProvider(syspropCredentials);
-                    } else {
-                        logger.debug("Using instance profile credentials");
-                        credentials = new InstanceProfileCredentialsProvider();
-                    }
-                }
             } else {
                 logger.debug("Using basic key/secret credentials");
                 credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
@@ -175,23 +159,6 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
         return credentials;
     }
 
-    /** Return credentials from the given provider, or null if full credentials are not available */
-    private static AWSCredentials getDeprecatedCredentials(Logger logger, DeprecationLogger deprecationLogger,
-                                                           AWSCredentialsProvider provider, String description) {
-        try {
-            AWSCredentials credentials = provider.getCredentials();
-            if (credentials.getAWSAccessKeyId() != null && credentials.getAWSSecretKey() != null) {
-                logger.debug("Using " + description + " credentials");
-                deprecationLogger.deprecated("Supplying S3 credentials through " + description + " is deprecated. " +
-                    "See the breaking changes lists in the documentation for details.");
-                return credentials;
-            }
-        } catch (Exception e) {
-            logger.debug("Failed to get aws credentials from " + description, e);
-        }
-        return null;
-    }
-
     // pkg private for tests
     /** Returns the endpoint the client should use, based on the available endpoint settings found. */
     static String findEndpoint(Logger logger, Settings repositorySettings, Settings settings, String clientName) {

plugins/repository-s3/src/test/java/org/elasticsearch/cloud/aws/EnvironmentCredentialsTests.java

@@ -1,36 +0,0 @@
-/*
- * Licensed to Elasticsearch under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.elasticsearch.cloud.aws;
-
-import com.amazonaws.auth.AWSCredentialsProvider;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.test.ESTestCase;
-
-public class EnvironmentCredentialsTests extends ESTestCase {
-
-    public void test() {
-        AWSCredentialsProvider provider =
-            InternalAwsS3Service.buildCredentials(logger, deprecationLogger, Settings.EMPTY, Settings.EMPTY, "default");
-        // NOTE: env vars are setup by the test runner in gradle
-        assertEquals("env_access", provider.getCredentials().getAWSAccessKeyId());
-        assertEquals("env_secret", provider.getCredentials().getAWSSecretKey());
-        assertWarnings("Supplying S3 credentials through environment variables is deprecated");
-    }
-}

plugins/repository-s3/src/test/java/org/elasticsearch/cloud/aws/SyspropCredentialsTests.java

@@ -1,35 +0,0 @@
-/*
- * Licensed to Elasticsearch under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.elasticsearch.cloud.aws;
-
-import com.amazonaws.auth.AWSCredentialsProvider;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.test.ESTestCase;
-
-public class SyspropCredentialsTests extends ESTestCase {
-    public void test() {
-        AWSCredentialsProvider provider =
-            InternalAwsS3Service.buildCredentials(logger, deprecationLogger, Settings.EMPTY, Settings.EMPTY, "default");
-        // NOTE: sys props are setup by the test runner in gradle
-        assertEquals("sysprop_access", provider.getCredentials().getAWSAccessKeyId());
-        assertEquals("sysprop_secret", provider.getCredentials().getAWSSecretKey());
-        assertWarnings("Supplying S3 credentials through system properties is deprecated");
-    }
-}