summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Brooks <tim@uncontended.net>2017-01-21 12:03:52 -0600
committerGitHub <noreply@github.com>2017-01-21 12:03:52 -0600
commita4ac29c00588e8597502fc17f4caa6af88346fa8 (patch)
tree18ce552b297f1e8f33abb5bfd607400f05b81cdb
parent3ad6d6ebcccd06969f7d1fc22d6ad45655f3a349 (diff)
Add single static instance of SpecialPermission (#22726)
This commit adds a SpecialPermission constant and uses that constant opposed to introducing new instances everywhere. Additionally, this commit introduces a single static method to check that the current code has permission. This avoids all the duplicated access blocks that exist currently.
Diffstat
-rw-r--r--core/src/main/java/org/elasticsearch/SpecialPermission.java13
-rw-r--r--core/src/test/java/org/elasticsearch/SpecialPermissionTests.java10
-rw-r--r--modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java4
-rw-r--r--modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java8
-rw-r--r--modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java6
-rw-r--r--modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java5
-rw-r--r--modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java5
-rw-r--r--plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java11
-rw-r--r--plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java12
-rw-r--r--plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java5
-rw-r--r--plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java15
-rw-r--r--plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java13
-rw-r--r--plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java10
-rw-r--r--plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java13
-rw-r--r--plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java13
-rw-r--r--plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java9
-rw-r--r--plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java18
-rw-r--r--plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java13
-rw-r--r--plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java13
-rw-r--r--plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java7
-rw-r--r--plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java28
21 files changed, 64 insertions, 167 deletions
diff --git a/core/src/main/java/org/elasticsearch/SpecialPermission.java b/core/src/main/java/org/elasticsearch/SpecialPermission.java
index 7d796346c6..9e5571a5b0 100644
--- a/core/src/main/java/org/elasticsearch/SpecialPermission.java
+++ b/core/src/main/java/org/elasticsearch/SpecialPermission.java
@@ -57,6 +57,9 @@ import java.security.BasicPermission;
* </code></pre>
*/
public final class SpecialPermission extends BasicPermission {
+
+ public static final SpecialPermission INSTANCE = new SpecialPermission();
+
/**
* Creates a new SpecialPermision object.
*/
@@ -76,4 +79,14 @@ public final class SpecialPermission extends BasicPermission {
public SpecialPermission(String name, String actions) {
this();
}
+
+ /**
+ * Check that the current stack has {@link SpecialPermission} access according to the {@link SecurityManager}.
+ */
+ public static void check() {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ sm.checkPermission(INSTANCE);
+ }
+ }
}
diff --git a/core/src/test/java/org/elasticsearch/SpecialPermissionTests.java b/core/src/test/java/org/elasticsearch/SpecialPermissionTests.java
index a2cfc02c5d..5834de32b2 100644
--- a/core/src/test/java/org/elasticsearch/SpecialPermissionTests.java
+++ b/core/src/test/java/org/elasticsearch/SpecialPermissionTests.java
@@ -25,14 +25,18 @@ import java.security.AllPermission;
/** Very simple sanity checks for {@link SpecialPermission} */
public class SpecialPermissionTests extends ESTestCase {
-
+
public void testEquals() {
assertEquals(new SpecialPermission(), new SpecialPermission());
+ assertEquals(SpecialPermission.INSTANCE, new SpecialPermission());
assertFalse(new SpecialPermission().equals(new AllPermission()));
+ assertFalse(SpecialPermission.INSTANCE.equals(new AllPermission()));
}
-
+
public void testImplies() {
- assertTrue(new SpecialPermission().implies(new SpecialPermission()));
+ assertTrue(SpecialPermission.INSTANCE.implies(new SpecialPermission()));
+ assertTrue(SpecialPermission.INSTANCE.implies(SpecialPermission.INSTANCE));
assertFalse(new SpecialPermission().implies(new AllPermission()));
+ assertFalse(SpecialPermission.INSTANCE.implies(new AllPermission()));
}
}
diff --git a/modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java b/modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java
index 0b95f55dff..46461ee5ac 100644
--- a/modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java
+++ b/modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java
@@ -78,9 +78,7 @@ public class ExpressionScriptEngineService extends AbstractComponent implements
public Object compile(String scriptName, String scriptSource, Map<String, String> params) {
// classloader created here
final SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
return AccessController.doPrivileged(new PrivilegedAction<Expression>() {
@Override
public Expression run() {
diff --git a/modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java b/modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java
index 08c0e1643b..6686b8a76c 100644
--- a/modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java
+++ b/modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java
@@ -127,9 +127,6 @@ public final class MustacheScriptEngineService extends AbstractComponent impleme
// Nothing to do here
}
- // permission checked before doing crazy reflection
- static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission();
-
/**
* Used at query execution time by script service in order to execute a query template.
* */
@@ -158,10 +155,7 @@ public final class MustacheScriptEngineService extends AbstractComponent impleme
final BytesStreamOutput result = new BytesStreamOutput();
try (UTF8StreamWriter writer = utf8StreamWriter().setOutput(result)) {
// crazy reflection here
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(SPECIAL_PERMISSION);
- }
+ SpecialPermission.check();
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
((Mustache) template.compiled()).execute(writer, vars);
return null;
diff --git a/modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java b/modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java
index 968f5ee296..4d20a20bd6 100644
--- a/modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java
+++ b/modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java
@@ -149,11 +149,7 @@ public final class PainlessScriptEngineService extends AbstractComponent impleme
}
// Check we ourselves are not being called by unprivileged code.
- final SecurityManager sm = System.getSecurityManager();
-
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
// Create our loader (which loads compiled code with no permissions).
final Loader loader = AccessController.doPrivileged(new PrivilegedAction<Loader>() {
diff --git a/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java b/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java
index 075a41f157..f49d0fed04 100644
--- a/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java
+++ b/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java
@@ -37,10 +37,7 @@ public class PrivilegedNioServerSocketChannel extends NioServerSocketChannel {
@Override
protected int doReadMessages(List<Object> buf) throws Exception {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
try {
return AccessController.doPrivileged((PrivilegedExceptionAction<Integer>) () -> super.doReadMessages(buf));
} catch (PrivilegedActionException e) {
diff --git a/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java b/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java
index daa6a2baec..1eed118b8a 100644
--- a/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java
+++ b/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java
@@ -37,10 +37,7 @@ public class PrivilegedNioSocketChannel extends NioSocketChannel {
@Override
protected boolean doConnect(SocketAddress remoteAddress, SocketAddress localAddress) throws Exception {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
try {
return AccessController.doPrivileged((PrivilegedExceptionAction<Boolean>) () -> super.doConnect(remoteAddress, localAddress));
} catch (PrivilegedActionException e) {
diff --git a/plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java b/plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java
index 4734e2aa3a..4a922e3608 100644
--- a/plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java
+++ b/plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java
@@ -20,9 +20,7 @@
package org.elasticsearch.cloud.azure.classic.management;
import java.io.IOException;
-import java.net.URISyntaxException;
import java.security.AccessController;
-import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ServiceLoader;
@@ -31,7 +29,6 @@ import com.microsoft.windowsazure.Configuration;
import com.microsoft.windowsazure.core.Builder;
import com.microsoft.windowsazure.core.DefaultBuilder;
import com.microsoft.windowsazure.core.utils.KeyStoreType;
-import com.microsoft.windowsazure.exception.ServiceException;
import com.microsoft.windowsazure.management.compute.ComputeManagementClient;
import com.microsoft.windowsazure.management.compute.ComputeManagementService;
import com.microsoft.windowsazure.management.compute.models.HostedServiceGetDetailedResponse;
@@ -43,9 +40,6 @@ import org.elasticsearch.common.Strings;
import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
-import org.xml.sax.SAXException;
-
-import javax.xml.parsers.ParserConfigurationException;
public class AzureComputeServiceImpl extends AbstractLifecycleComponent
implements AzureComputeService {
@@ -99,10 +93,7 @@ public class AzureComputeServiceImpl extends AbstractLifecycleComponent
@Override
public HostedServiceGetDetailedResponse getServiceDetails() {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
try {
return AccessController.doPrivileged((PrivilegedExceptionAction<HostedServiceGetDetailedResponse>)
() -> client.getHostedServicesOperations().getDetailed(serviceName));
diff --git a/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java b/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java
index 7266a9daa5..2c68369bb9 100644
--- a/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java
+++ b/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java
@@ -35,17 +35,15 @@ import java.security.PrivilegedExceptionAction;
*/
public final class SocketAccess {
- private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission();
-
private SocketAccess() {}
public static <T> T doPrivileged(PrivilegedAction<T> operation) {
- checkSpecialPermission();
+ SpecialPermission.check();
return AccessController.doPrivileged(operation);
}
public static <T> T doPrivilegedIOException(PrivilegedExceptionAction<T> operation) throws IOException {
- checkSpecialPermission();
+ SpecialPermission.check();
try {
return AccessController.doPrivileged(operation);
} catch (PrivilegedActionException e) {
@@ -53,10 +51,4 @@ public final class SocketAccess {
}
}
- private static void checkSpecialPermission() {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(SPECIAL_PERMISSION);
- }
- }
}
diff --git a/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java b/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java
index 55e0c39d22..fd30623fb8 100644
--- a/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java
+++ b/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java
@@ -71,10 +71,7 @@ public class Ec2DiscoveryPlugin extends Plugin implements DiscoveryPlugin, Close
public static final String EC2 = "ec2";
static {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
// Initializing Jackson requires RuntimePermission accessDeclaredMembers
// The ClientConfiguration class requires RuntimePermission getClassLoader
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
diff --git a/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java b/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java
index 1a881dd24d..044fccb5fa 100644
--- a/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java
+++ b/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java
@@ -35,17 +35,15 @@ import java.security.PrivilegedExceptionAction;
*/
public final class Access {
- private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission();
-
private Access() {}
public static <T> T doPrivileged(PrivilegedAction<T> operation) {
- checkSpecialPermission();
+ SpecialPermission.check();
return AccessController.doPrivileged(operation);
}
public static void doPrivilegedVoid(DiscoveryRunnable action) {
- checkSpecialPermission();
+ SpecialPermission.check();
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
action.execute();
return null;
@@ -53,7 +51,7 @@ public final class Access {
}
public static <T> T doPrivilegedIOException(PrivilegedExceptionAction<T> operation) throws IOException {
- checkSpecialPermission();
+ SpecialPermission.check();
try {
return AccessController.doPrivileged(operation);
} catch (PrivilegedActionException e) {
@@ -61,13 +59,6 @@ public final class Access {
}
}
- private static void checkSpecialPermission() {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(SPECIAL_PERMISSION);
- }
- }
-
@FunctionalInterface
public interface DiscoveryRunnable {
void execute();
diff --git a/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java b/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java
index 27a4cfebbc..f99a2a630a 100644
--- a/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java
+++ b/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java
@@ -82,18 +82,11 @@ final class TikaImpl {
// only package private for testing!
static String parse(final byte content[], final Metadata metadata, final int limit) throws TikaException, IOException {
// check that its not unprivileged code like a script
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
try {
- return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
- @Override
- public String run() throws TikaException, IOException {
- return TIKA_INSTANCE.parseToString(new ByteArrayInputStream(content), metadata, limit);
- }
- }, RESTRICTED_CONTEXT);
+ return AccessController.doPrivileged((PrivilegedExceptionAction<String>)
+ () -> TIKA_INSTANCE.parseToString(new ByteArrayInputStream(content), metadata, limit), RESTRICTED_CONTEXT);
} catch (PrivilegedActionException e) {
// checked exception from tika: unbox it
Throwable cause = e.getCause();
diff --git a/plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java b/plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java
index 542aa5e6b3..afc4231aff 100644
--- a/plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java
+++ b/plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java
@@ -139,10 +139,7 @@ public final class GeoIpProcessor extends AbstractProcessor {
}
private Map<String, Object> retrieveCityGeoData(InetAddress ipAddress) {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
CityResponse response = AccessController.doPrivileged((PrivilegedAction<CityResponse>) () -> {
try {
return dbReader.city(ipAddress);
@@ -217,10 +214,7 @@ public final class GeoIpProcessor extends AbstractProcessor {
}
private Map<String, Object> retrieveCountryGeoData(InetAddress ipAddress) {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
CountryResponse response = AccessController.doPrivileged((PrivilegedAction<CountryResponse>) () -> {
try {
return dbReader.country(ipAddress);
diff --git a/plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java b/plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java
index d2c2e42581..6202a0a46f 100644
--- a/plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java
+++ b/plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java
@@ -36,12 +36,10 @@ import java.security.PrivilegedExceptionAction;
*/
public final class SocketAccess {
- private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission();
-
private SocketAccess() {}
public static <T> T doPrivilegedException(PrivilegedExceptionAction<T> operation) throws StorageException, URISyntaxException {
- checkSpecialPermission();
+ SpecialPermission.check();
try {
return AccessController.doPrivileged(operation);
} catch (PrivilegedActionException e) {
@@ -50,7 +48,7 @@ public final class SocketAccess {
}
public static void doPrivilegedVoidException(StorageRunnable action) throws StorageException, URISyntaxException {
- checkSpecialPermission();
+ SpecialPermission.check();
try {
AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
action.executeCouldThrow();
@@ -66,13 +64,6 @@ public final class SocketAccess {
}
}
- private static void checkSpecialPermission() {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(SPECIAL_PERMISSION);
- }
- }
-
@FunctionalInterface
public interface StorageRunnable {
void executeCouldThrow() throws StorageException, URISyntaxException;
diff --git a/plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java b/plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java
index e5f494ce9f..3687b54d64 100644
--- a/plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java
+++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java
@@ -35,12 +35,10 @@ import java.security.PrivilegedExceptionAction;
*/
public final class SocketAccess {
- private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission();
-
private SocketAccess() {}
public static <T> T doPrivilegedIOException(PrivilegedExceptionAction<T> operation) throws IOException {
- checkSpecialPermission();
+ SpecialPermission.check();
try {
return AccessController.doPrivileged(operation);
} catch (PrivilegedActionException e) {
@@ -49,7 +47,7 @@ public final class SocketAccess {
}
public static void doPrivilegedVoidIOException(StorageRunnable action) throws IOException {
- checkSpecialPermission();
+ SpecialPermission.check();
try {
AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
action.executeCouldThrow();
@@ -60,13 +58,6 @@ public final class SocketAccess {
}
}
- private static void checkSpecialPermission() {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(SPECIAL_PERMISSION);
- }
- }
-
@FunctionalInterface
public interface StorageRunnable {
void executeCouldThrow() throws IOException;
diff --git a/plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java b/plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java
index 3d28922327..b20ed34e53 100644
--- a/plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java
+++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java
@@ -21,7 +21,6 @@ package org.elasticsearch.plugin.repository.gcs;
import java.security.AccessController;
import java.security.PrivilegedAction;
-import java.util.Collection;
import java.util.Collections;
import java.util.Map;
@@ -40,13 +39,10 @@ import com.google.api.services.storage.model.Bucket;
import com.google.api.services.storage.model.Objects;
import com.google.api.services.storage.model.StorageObject;
import org.elasticsearch.SpecialPermission;
-import org.elasticsearch.common.inject.Module;
-import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.env.Environment;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.plugins.RepositoryPlugin;
-import org.elasticsearch.repositories.RepositoriesModule;
import org.elasticsearch.repositories.Repository;
import org.elasticsearch.repositories.gcs.GoogleCloudStorageRepository;
import org.elasticsearch.repositories.gcs.GoogleCloudStorageService;
@@ -64,10 +60,7 @@ public class GoogleCloudStoragePlugin extends Plugin implements RepositoryPlugin
* our plugin permissions don't allow core to "reach through" plugins to
* change the permission. Because that'd be silly.
*/
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
// ClassInfo put in cache all the fields of a given class
// that are annoted with @Key; at the same time it changes
diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java
index 23404a7c36..fdd99a79a3 100644
--- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java
+++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java
@@ -109,7 +109,7 @@ final class HdfsBlobStore implements BlobStore {
}
return path;
}
-
+
interface Operation<V> {
V run(FileContext fileContext) throws IOException;
}
@@ -121,21 +121,13 @@ final class HdfsBlobStore implements BlobStore {
// 1) hadoop dynamic proxy is messy with access rules
// 2) allow hadoop to add credentials to our Subject
<V> V execute(Operation<V> operation) throws IOException {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- // unprivileged code such as scripts do not have SpecialPermission
- sm.checkPermission(new SpecialPermission());
- }
+ SpecialPermission.check();
if (closed) {
throw new AlreadyClosedException("HdfsBlobStore is closed: " + this);
}
try {
- return AccessController.doPrivileged(new PrivilegedExceptionAction<V>() {
- @Override
- public V run() throws IOException {
- return operation.run(fileContext);
- }
- }, null, new ReflectPermission("suppressAccessChecks"),
+ return AccessController.doPrivileged((PrivilegedExceptionAction<V>)
+ () -> operation.run(fileContext), null, new ReflectPermission("suppressAccessChecks"),
new AuthPermission("modifyPrivateCredentials"));
} catch (PrivilegedActionException pae) {
throw (IOException) pae.getException();
@@ -146,4 +138,4 @@ final class HdfsBlobStore implements BlobStore {
public void close() {
closed = true;
}
-} \ No newline at end of file
+}
diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java
index 13da44b45f..9ea53a5acf 100644
--- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java
+++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java
@@ -32,23 +32,14 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.env.Environment;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.plugins.RepositoryPlugin;
-import org.elasticsearch.repositories.RepositoriesModule;
import org.elasticsearch.repositories.Repository;
public final class HdfsPlugin extends Plugin implements RepositoryPlugin {
// initialize some problematic classes with elevated privileges
static {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
- AccessController.doPrivileged(new PrivilegedAction<Void>() {
- @Override
- public Void run() {
- return evilHadoopInit();
- }
- });
+ SpecialPermission.check();
+ AccessController.doPrivileged((PrivilegedAction<Void>) HdfsPlugin::evilHadoopInit);
}
@SuppressForbidden(reason = "Needs a security hack for hadoop on windows, until HADOOP-XXXX is fixed")
diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java
index f1e5f83fe6..6d74d20fc8 100644
--- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java
+++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java
@@ -95,16 +95,9 @@ public final class HdfsRepository extends BlobStoreRepository {
try {
// initialize our filecontext
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
- FileContext fileContext = AccessController.doPrivileged(new PrivilegedAction<FileContext>() {
- @Override
- public FileContext run() {
- return createContext(uri, getMetadata().settings());
- }
- });
+ SpecialPermission.check();
+ FileContext fileContext = AccessController.doPrivileged((PrivilegedAction<FileContext>)
+ () -> createContext(uri, getMetadata().settings()));
blobStore = new HdfsBlobStore(fileContext, pathSetting, bufferSize);
logger.debug("Using file-system [{}] for URI [{}], path [{}]", fileContext.getDefaultFileSystem(), fileContext.getDefaultFileSystem().getUri(), pathSetting);
} catch (IOException e) {
diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java
index 5b4d2c3a6c..726d9e141a 100644
--- a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java
+++ b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java
@@ -35,8 +35,6 @@ import java.security.PrivilegedExceptionAction;
*/
public final class SocketAccess {
- private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission();
-
private SocketAccess() {}
public static <T> T doPrivileged(PrivilegedAction<T> operation) {
@@ -62,10 +60,7 @@ public final class SocketAccess {
}
private static void checkSpecialPermission() {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(SPECIAL_PERMISSION);
- }
+ SpecialPermission.check();
}
@FunctionalInterface
diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java b/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java
index 449c9ce411..45aea045a9 100644
--- a/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java
+++ b/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java
@@ -45,24 +45,18 @@ import org.elasticsearch.repositories.s3.S3Repository;
public class S3RepositoryPlugin extends Plugin implements RepositoryPlugin {
static {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
- AccessController.doPrivileged(new PrivilegedAction<Void>() {
- @Override
- public Void run() {
- try {
- // kick jackson to do some static caching of declared members info
- Jackson.jsonNodeOf("{}");
- // ClientConfiguration clinit has some classloader problems
- // TODO: fix that
- Class.forName("com.amazonaws.ClientConfiguration");
- } catch (ClassNotFoundException e) {
- throw new RuntimeException(e);
- }
- return null;
+ SpecialPermission.check();
+ AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+ try {
+ // kick jackson to do some static caching of declared members info
+ Jackson.jsonNodeOf("{}");
+ // ClientConfiguration clinit has some classloader problems
+ // TODO: fix that
+ Class.forName("com.amazonaws.ClientConfiguration");
+ } catch (ClassNotFoundException e) {
+ throw new RuntimeException(e);
}
+ return null;
});
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-12 17:54:46 +0000