From a4afc22df6350f72fb427d4630e3e57f5b14335a Mon Sep 17 00:00:00 2001 From: Tim Brooks Date: Thu, 23 Feb 2017 08:59:42 -0600 Subject: [PATCH] Wrap getCredentials() in a doPrivileged() block (#23297) This commit fixes an issue that was missed in #22534. `AWSCredentialsProvider.getCredentials()` appears to potentially open a socket connect. This operation needed to be wrapped in `doPrivileged()`. This should fix issue #23271. --- .../cloud/aws/InternalAwsS3Service.java | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java index cafcb6b98f044..ce47bd44f0b28 100644 --- a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java +++ b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java @@ -25,6 +25,7 @@ import com.amazonaws.ClientConfiguration; import com.amazonaws.Protocol; +import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.BasicAWSCredentials; import com.amazonaws.auth.InstanceProfileCredentialsProvider; @@ -35,6 +36,7 @@ import com.amazonaws.services.s3.S3ClientOptions; import org.apache.logging.log4j.Logger; import org.elasticsearch.ElasticsearchException; +import org.elasticsearch.cloud.aws.util.SocketAccess; import org.elasticsearch.common.Strings; import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.component.AbstractLifecycleComponent; @@ -141,7 +143,6 @@ static ClientConfiguration buildConfiguration(Logger logger, Settings repository public static AWSCredentialsProvider buildCredentials(Logger logger, DeprecationLogger deprecationLogger, Settings settings, Settings repositorySettings, String clientName) { - AWSCredentialsProvider credentials; try (SecureString key = getConfigValue(repositorySettings, settings, clientName, S3Repository.ACCESS_KEY_SETTING, S3Repository.Repository.KEY_SETTING, S3Repository.Repositories.KEY_SETTING); SecureString secret = getConfigValue(repositorySettings, settings, clientName, S3Repository.SECRET_KEY_SETTING, @@ -149,14 +150,23 @@ public static AWSCredentialsProvider buildCredentials(Logger logger, Deprecation if (key.length() == 0 && secret.length() == 0) { logger.debug("Using instance profile credentials"); - credentials = new InstanceProfileCredentialsProvider(); + AWSCredentialsProvider credentials = new InstanceProfileCredentialsProvider(); + return new AWSCredentialsProvider() { + @Override + public AWSCredentials getCredentials() { + return SocketAccess.doPrivileged(credentials::getCredentials); + } + + @Override + public void refresh() { + SocketAccess.doPrivilegedVoid(credentials::refresh); + } + }; } else { logger.debug("Using basic key/secret credentials"); - credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString())); + return new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString())); } } - - return credentials; } // pkg private for tests