Wrap getCredentials() in a doPrivileged() block

This commit fixes an issue that was missed in elastic#22534. `AWSCredentialsProvider.getCredentials()` appears to potentially open a socket connect. This operation needed to be wrapped in `doPrivileged()`. This should fix issue elastic#23271.
Tim-Brooks · Feb 21, 2017 · f517e7a · f517e7a
1 parent 489f389
commit f517e7a
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
@@ -35,6 +35,7 @@
 import com.amazonaws.services.s3.S3ClientOptions;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.cloud.aws.util.SocketAccess;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
@@ -67,7 +68,8 @@ public synchronized AmazonS3 client(Settings repositorySettings, Integer maxRetr
 
         AWSCredentialsProvider credentials = buildCredentials(logger, deprecationLogger, settings, repositorySettings, clientName);
 
-        Tuple<String, String> clientDescriptor = new Tuple<>(foundEndpoint, credentials.getCredentials().getAWSAccessKeyId());
+        String awsAccessKeyId = SocketAccess.doPrivileged(() -> credentials.getCredentials().getAWSAccessKeyId());
+        Tuple<String, String> clientDescriptor = new Tuple<>(foundEndpoint, awsAccessKeyId);
         AmazonS3Client client = clients.get(clientDescriptor);
         if (client != null) {
             return client;