Skip to content

Wrap getCredentials() in a doPrivileged() block#23297

Merged
Tim-Brooks merged 4 commits intoelastic:masterfrom
Tim-Brooks:wrap_get_credentials
Feb 23, 2017
Merged

Wrap getCredentials() in a doPrivileged() block#23297
Tim-Brooks merged 4 commits intoelastic:masterfrom
Tim-Brooks:wrap_get_credentials

Conversation

@Tim-Brooks
Copy link
Contributor

@Tim-Brooks Tim-Brooks commented Feb 21, 2017

This commit fixes an issue that was missed in #22534.
AWSCredentialsProvider.getCredentials() appears to potentially open a
socket connect. This operation needed to be wrapped in doPrivileged().

This should fix issue #23271.

@Tim-Brooks
Wrap getCredentials() in a doPrivileged() block
f517e7a 
This commit fixes an issue that was missed in elastic#22534.
`AWSCredentialsProvider.getCredentials()` appears to potentially open a
socket connect. This operation needed to be wrapped in `doPrivileged()`.

This should fix issue elastic#23271.
@Tim-Brooks
Copy link
Contributor Author

Tim-Brooks commented Feb 21, 2017

I tested this manually with the scenario provided by @dadoonet in #23271.

@rjernst
Copy link
Member

rjernst commented Feb 21, 2017

Hrm, that is not the only place getCredentials() will be called. It would also be called by the s3 client. I think instead, the doPriv should be inside a wrapper credentials provider, setup to wrap the InstanceProfileCredentialsProvider created in buildCredentials?

@Tim-Brooks
Copy link
Contributor Author

Tim-Brooks commented Feb 21, 2017

I adjusted the PR to reflect @rjernst's review.

rjernst
rjernst reviewed Feb 22, 2017
View reviewed changes
plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java Outdated
return new AWSCredentialsProvider() {
@Override
public AWSCredentials getCredentials() {
return SocketAccess.doPrivileged(credentials::getCredentials);
Copy link
Member

@rjernst rjernst Feb 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only need this for the instance profile credentials. The rest are read and created statically, so definitely do not require socket access.

rjernst
rjernst approved these changes Feb 22, 2017
View reviewed changes
Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Tim-Brooks Tim-Brooks merged commit a4afc22 into elastic:master Feb 23, 2017
Tim-Brooks added a commit to Tim-Brooks/elasticsearch that referenced this pull request Feb 23, 2017
@Tim-Brooks
Test that buildCredentials returns correct clazz
6692096 
This is fallout from elastic#23297. That commit wrapped
`InstanceProfileCredentialsProvider` to ensure that the `getCredentials`
and `refresh` methods had privileged access. However, it looks like
there was a test ensuring that `buildCredentials` returned the correct
clazz type. This commit adjusts that test to check that the correct
wrapper is returned.
@Tim-Brooks Tim-Brooks mentioned this pull request Feb 23, 2017
Merged
Tim-Brooks added a commit that referenced this pull request Feb 23, 2017
@Tim-Brooks
Test that buildCredentials returns correct clazz (#23334)
0e80296 
This is fallout from #23297. That commit wrapped
`InstanceProfileCredentialsProvider` to ensure that the `getCredentials`
and `refresh` methods had privileged access. However, it looks like
there was a test ensuring that `buildCredentials` returned the correct
clazz type. This commit adjusts that test to check that the correct
wrapper is returned.
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Feb 24, 2017
@jasontedor
Merge branch 'master' into HEAD
af46ba6 
* master: (54 commits)
  Keep the pipeline handler queue small initially
  Do not create String instances in 'Strings' methods accepting StringBuilder (elastic#22907)
  Tests: fix AwsS3ServiceImplTests
  Remove abstract InternalMetricsAggregation class (elastic#23326)
  Add BulkRequest support to High Level Rest client (elastic#23312)
  Wrap getCredentials() in a doPrivileged() block (elastic#23297)
  Respect promises on pipelined responses
  Align REST specs for HEAD requests
  Remove unnecessary result sorting in SearchPhaseController (elastic#23321)
  Fix SamplerAggregatorTests to have stable and predictable docIds
  Tests: Ensure multi node integ tests wait on first node
  Relocate a comment in HttpPipeliningHandler
  Add comments to HttpPipeliningHandler
  [TEST] Fix incorrect test cluster name in cluster health doc tests
  Build: Change location in zip of license and notice inclusion for plugins (elastic#23316)
  Script: Fix value of `ctx._now` to be current epoch time in milliseconds (elastic#23175)
  Build: Rework integ test setup and shutdown to ensure stop runs when desired (elastic#23304)
  Handle long overflow when adding paths' totals
  Don't set local node on cluster state used for node join validation (elastic#23311)
  Ensure that releasing listener is called
  ...
@dadoonet dadoonet mentioned this pull request Feb 27, 2017
Closed
@clintongormley clintongormley added :Distributed/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs and removed :Plugin Repository S3 labels Feb 14, 2018
@Tim-Brooks Tim-Brooks deleted the wrap_get_credentials branch November 14, 2018 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjernst rjernst rjernst approved these changes

@dadoonet dadoonet Awaiting requested review from dadoonet

@s1monw s1monw Awaiting requested review from s1monw

@jasontedor jasontedor Awaiting requested review from jasontedor

Assignees

No one assigned

Labels

>bug :Distributed/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs v6.0.0-alpha1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Tim-Brooks @rjernst @clintongormley