diff --git a/core/src/main/java/org/elasticsearch/SpecialPermission.java b/core/src/main/java/org/elasticsearch/SpecialPermission.java index 7d796346c6472..9e5571a5b0af9 100644 --- a/core/src/main/java/org/elasticsearch/SpecialPermission.java +++ b/core/src/main/java/org/elasticsearch/SpecialPermission.java @@ -57,6 +57,9 @@ * */ public final class SpecialPermission extends BasicPermission { + + public static final SpecialPermission INSTANCE = new SpecialPermission(); + /** * Creates a new SpecialPermision object. */ @@ -76,4 +79,14 @@ public SpecialPermission() { public SpecialPermission(String name, String actions) { this(); } + + /** + * Check that the current stack has {@link SpecialPermission} access according to the {@link SecurityManager}. + */ + public static void check() { + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + sm.checkPermission(INSTANCE); + } + } } diff --git a/core/src/test/java/org/elasticsearch/SpecialPermissionTests.java b/core/src/test/java/org/elasticsearch/SpecialPermissionTests.java index a2cfc02c5d583..5834de32b2b55 100644 --- a/core/src/test/java/org/elasticsearch/SpecialPermissionTests.java +++ b/core/src/test/java/org/elasticsearch/SpecialPermissionTests.java @@ -25,14 +25,18 @@ /** Very simple sanity checks for {@link SpecialPermission} */ public class SpecialPermissionTests extends ESTestCase { - + public void testEquals() { assertEquals(new SpecialPermission(), new SpecialPermission()); + assertEquals(SpecialPermission.INSTANCE, new SpecialPermission()); assertFalse(new SpecialPermission().equals(new AllPermission())); + assertFalse(SpecialPermission.INSTANCE.equals(new AllPermission())); } - + public void testImplies() { - assertTrue(new SpecialPermission().implies(new SpecialPermission())); + assertTrue(SpecialPermission.INSTANCE.implies(new SpecialPermission())); + assertTrue(SpecialPermission.INSTANCE.implies(SpecialPermission.INSTANCE)); assertFalse(new SpecialPermission().implies(new AllPermission())); + assertFalse(SpecialPermission.INSTANCE.implies(new AllPermission())); } } diff --git a/modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java b/modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java index 0b95f55dff164..46461ee5acb2c 100644 --- a/modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java +++ b/modules/lang-expression/src/main/java/org/elasticsearch/script/expression/ExpressionScriptEngineService.java @@ -78,9 +78,7 @@ public String getExtension() { public Object compile(String scriptName, String scriptSource, Map params) { // classloader created here final SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); return AccessController.doPrivileged(new PrivilegedAction() { @Override public Expression run() { diff --git a/modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java b/modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java index 08c0e1643bcf8..6686b8a76c4f5 100644 --- a/modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java +++ b/modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngineService.java @@ -127,9 +127,6 @@ public void close() { // Nothing to do here } - // permission checked before doing crazy reflection - static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission(); - /** * Used at query execution time by script service in order to execute a query template. * */ @@ -158,10 +155,7 @@ public Object run() { final BytesStreamOutput result = new BytesStreamOutput(); try (UTF8StreamWriter writer = utf8StreamWriter().setOutput(result)) { // crazy reflection here - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(SPECIAL_PERMISSION); - } + SpecialPermission.check(); AccessController.doPrivileged((PrivilegedAction) () -> { ((Mustache) template.compiled()).execute(writer, vars); return null; diff --git a/modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java b/modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java index 968f5ee296692..4d20a20bd6663 100644 --- a/modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java +++ b/modules/lang-painless/src/main/java/org/elasticsearch/painless/PainlessScriptEngineService.java @@ -149,11 +149,7 @@ public Object compile(String scriptName, final String scriptSource, final Map() { diff --git a/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java b/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java index 075a41f157b09..f49d0fed04c46 100644 --- a/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java +++ b/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioServerSocketChannel.java @@ -37,10 +37,7 @@ public class PrivilegedNioServerSocketChannel extends NioServerSocketChannel { @Override protected int doReadMessages(List buf) throws Exception { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> super.doReadMessages(buf)); } catch (PrivilegedActionException e) { diff --git a/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java b/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java index daa6a2baec54d..1eed118b8afb7 100644 --- a/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java +++ b/modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/channel/PrivilegedNioSocketChannel.java @@ -37,10 +37,7 @@ public class PrivilegedNioSocketChannel extends NioSocketChannel { @Override protected boolean doConnect(SocketAddress remoteAddress, SocketAddress localAddress) throws Exception { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> super.doConnect(remoteAddress, localAddress)); } catch (PrivilegedActionException e) { diff --git a/plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java b/plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java index 4734e2aa3afa5..4a922e36084e1 100644 --- a/plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java +++ b/plugins/discovery-azure-classic/src/main/java/org/elasticsearch/cloud/azure/classic/management/AzureComputeServiceImpl.java @@ -20,9 +20,7 @@ package org.elasticsearch.cloud.azure.classic.management; import java.io.IOException; -import java.net.URISyntaxException; import java.security.AccessController; -import java.security.PrivilegedAction; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.util.ServiceLoader; @@ -31,7 +29,6 @@ import com.microsoft.windowsazure.core.Builder; import com.microsoft.windowsazure.core.DefaultBuilder; import com.microsoft.windowsazure.core.utils.KeyStoreType; -import com.microsoft.windowsazure.exception.ServiceException; import com.microsoft.windowsazure.management.compute.ComputeManagementClient; import com.microsoft.windowsazure.management.compute.ComputeManagementService; import com.microsoft.windowsazure.management.compute.models.HostedServiceGetDetailedResponse; @@ -43,9 +40,6 @@ import org.elasticsearch.common.component.AbstractLifecycleComponent; import org.elasticsearch.common.settings.Setting; import org.elasticsearch.common.settings.Settings; -import org.xml.sax.SAXException; - -import javax.xml.parsers.ParserConfigurationException; public class AzureComputeServiceImpl extends AbstractLifecycleComponent implements AzureComputeService { @@ -99,10 +93,7 @@ private static String getRequiredSetting(Settings settings, Setting sett @Override public HostedServiceGetDetailedResponse getServiceDetails() { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> client.getHostedServicesOperations().getDetailed(serviceName)); diff --git a/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java b/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java index 7266a9daa575c..2c68369bb9902 100644 --- a/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java +++ b/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java @@ -35,17 +35,15 @@ */ public final class SocketAccess { - private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission(); - private SocketAccess() {} public static T doPrivileged(PrivilegedAction operation) { - checkSpecialPermission(); + SpecialPermission.check(); return AccessController.doPrivileged(operation); } public static T doPrivilegedIOException(PrivilegedExceptionAction operation) throws IOException { - checkSpecialPermission(); + SpecialPermission.check(); try { return AccessController.doPrivileged(operation); } catch (PrivilegedActionException e) { @@ -53,10 +51,4 @@ public static T doPrivilegedIOException(PrivilegedExceptionAction operati } } - private static void checkSpecialPermission() { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(SPECIAL_PERMISSION); - } - } } diff --git a/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java b/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java index 55e0c39d2245b..fd30623fb80b6 100644 --- a/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java +++ b/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java @@ -71,10 +71,7 @@ public class Ec2DiscoveryPlugin extends Plugin implements DiscoveryPlugin, Close public static final String EC2 = "ec2"; static { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); // Initializing Jackson requires RuntimePermission accessDeclaredMembers // The ClientConfiguration class requires RuntimePermission getClassLoader AccessController.doPrivileged((PrivilegedAction) () -> { diff --git a/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java b/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java index 1a881dd24d803..044fccb5fa0d9 100644 --- a/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java +++ b/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/util/Access.java @@ -35,17 +35,15 @@ */ public final class Access { - private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission(); - private Access() {} public static T doPrivileged(PrivilegedAction operation) { - checkSpecialPermission(); + SpecialPermission.check(); return AccessController.doPrivileged(operation); } public static void doPrivilegedVoid(DiscoveryRunnable action) { - checkSpecialPermission(); + SpecialPermission.check(); AccessController.doPrivileged((PrivilegedAction) () -> { action.execute(); return null; @@ -53,7 +51,7 @@ public static void doPrivilegedVoid(DiscoveryRunnable action) { } public static T doPrivilegedIOException(PrivilegedExceptionAction operation) throws IOException { - checkSpecialPermission(); + SpecialPermission.check(); try { return AccessController.doPrivileged(operation); } catch (PrivilegedActionException e) { @@ -61,13 +59,6 @@ public static T doPrivilegedIOException(PrivilegedExceptionAction operati } } - private static void checkSpecialPermission() { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(SPECIAL_PERMISSION); - } - } - @FunctionalInterface public interface DiscoveryRunnable { void execute(); diff --git a/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java b/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java index 27a4cfebbcd2f..f99a2a630ab27 100644 --- a/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java +++ b/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java @@ -82,18 +82,11 @@ final class TikaImpl { // only package private for testing! static String parse(final byte content[], final Metadata metadata, final int limit) throws TikaException, IOException { // check that its not unprivileged code like a script - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); try { - return AccessController.doPrivileged(new PrivilegedExceptionAction() { - @Override - public String run() throws TikaException, IOException { - return TIKA_INSTANCE.parseToString(new ByteArrayInputStream(content), metadata, limit); - } - }, RESTRICTED_CONTEXT); + return AccessController.doPrivileged((PrivilegedExceptionAction) + () -> TIKA_INSTANCE.parseToString(new ByteArrayInputStream(content), metadata, limit), RESTRICTED_CONTEXT); } catch (PrivilegedActionException e) { // checked exception from tika: unbox it Throwable cause = e.getCause(); diff --git a/plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java b/plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java index 542aa5e6b3f81..afc4231afffab 100644 --- a/plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java +++ b/plugins/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/GeoIpProcessor.java @@ -139,10 +139,7 @@ Set getProperties() { } private Map retrieveCityGeoData(InetAddress ipAddress) { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); CityResponse response = AccessController.doPrivileged((PrivilegedAction) () -> { try { return dbReader.city(ipAddress); @@ -217,10 +214,7 @@ private Map retrieveCityGeoData(InetAddress ipAddress) { } private Map retrieveCountryGeoData(InetAddress ipAddress) { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); CountryResponse response = AccessController.doPrivileged((PrivilegedAction) () -> { try { return dbReader.country(ipAddress); diff --git a/plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java b/plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java index d2c2e425812e5..6202a0a46f8e6 100644 --- a/plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java +++ b/plugins/repository-azure/src/main/java/org/elasticsearch/cloud/azure/blobstore/util/SocketAccess.java @@ -36,12 +36,10 @@ */ public final class SocketAccess { - private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission(); - private SocketAccess() {} public static T doPrivilegedException(PrivilegedExceptionAction operation) throws StorageException, URISyntaxException { - checkSpecialPermission(); + SpecialPermission.check(); try { return AccessController.doPrivileged(operation); } catch (PrivilegedActionException e) { @@ -50,7 +48,7 @@ public static T doPrivilegedException(PrivilegedExceptionAction operation } public static void doPrivilegedVoidException(StorageRunnable action) throws StorageException, URISyntaxException { - checkSpecialPermission(); + SpecialPermission.check(); try { AccessController.doPrivileged((PrivilegedExceptionAction) () -> { action.executeCouldThrow(); @@ -66,13 +64,6 @@ public static void doPrivilegedVoidException(StorageRunnable action) throws Stor } } - private static void checkSpecialPermission() { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(SPECIAL_PERMISSION); - } - } - @FunctionalInterface public interface StorageRunnable { void executeCouldThrow() throws StorageException, URISyntaxException; diff --git a/plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java b/plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java index e5f494ce9f8d1..3687b54d64c58 100644 --- a/plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java +++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/common/blobstore/gcs/util/SocketAccess.java @@ -35,12 +35,10 @@ */ public final class SocketAccess { - private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission(); - private SocketAccess() {} public static T doPrivilegedIOException(PrivilegedExceptionAction operation) throws IOException { - checkSpecialPermission(); + SpecialPermission.check(); try { return AccessController.doPrivileged(operation); } catch (PrivilegedActionException e) { @@ -49,7 +47,7 @@ public static T doPrivilegedIOException(PrivilegedExceptionAction operati } public static void doPrivilegedVoidIOException(StorageRunnable action) throws IOException { - checkSpecialPermission(); + SpecialPermission.check(); try { AccessController.doPrivileged((PrivilegedExceptionAction) () -> { action.executeCouldThrow(); @@ -60,13 +58,6 @@ public static void doPrivilegedVoidIOException(StorageRunnable action) throws IO } } - private static void checkSpecialPermission() { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(SPECIAL_PERMISSION); - } - } - @FunctionalInterface public interface StorageRunnable { void executeCouldThrow() throws IOException; diff --git a/plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java b/plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java index 3d28922327ec6..b20ed34e532d2 100644 --- a/plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java +++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/plugin/repository/gcs/GoogleCloudStoragePlugin.java @@ -21,7 +21,6 @@ import java.security.AccessController; import java.security.PrivilegedAction; -import java.util.Collection; import java.util.Collections; import java.util.Map; @@ -40,13 +39,10 @@ import com.google.api.services.storage.model.Objects; import com.google.api.services.storage.model.StorageObject; import org.elasticsearch.SpecialPermission; -import org.elasticsearch.common.inject.Module; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.xcontent.NamedXContentRegistry; import org.elasticsearch.env.Environment; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.RepositoryPlugin; -import org.elasticsearch.repositories.RepositoriesModule; import org.elasticsearch.repositories.Repository; import org.elasticsearch.repositories.gcs.GoogleCloudStorageRepository; import org.elasticsearch.repositories.gcs.GoogleCloudStorageService; @@ -64,10 +60,7 @@ public class GoogleCloudStoragePlugin extends Plugin implements RepositoryPlugin * our plugin permissions don't allow core to "reach through" plugins to * change the permission. Because that'd be silly. */ - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); AccessController.doPrivileged((PrivilegedAction) () -> { // ClassInfo put in cache all the fields of a given class // that are annoted with @Key; at the same time it changes diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java index 23404a7c3609b..fdd99a79a3efe 100644 --- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java +++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobStore.java @@ -109,7 +109,7 @@ private Path translateToHdfsPath(BlobPath blobPath) { } return path; } - + interface Operation { V run(FileContext fileContext) throws IOException; } @@ -121,21 +121,13 @@ interface Operation { // 1) hadoop dynamic proxy is messy with access rules // 2) allow hadoop to add credentials to our Subject V execute(Operation operation) throws IOException { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - // unprivileged code such as scripts do not have SpecialPermission - sm.checkPermission(new SpecialPermission()); - } + SpecialPermission.check(); if (closed) { throw new AlreadyClosedException("HdfsBlobStore is closed: " + this); } try { - return AccessController.doPrivileged(new PrivilegedExceptionAction() { - @Override - public V run() throws IOException { - return operation.run(fileContext); - } - }, null, new ReflectPermission("suppressAccessChecks"), + return AccessController.doPrivileged((PrivilegedExceptionAction) + () -> operation.run(fileContext), null, new ReflectPermission("suppressAccessChecks"), new AuthPermission("modifyPrivateCredentials")); } catch (PrivilegedActionException pae) { throw (IOException) pae.getException(); @@ -146,4 +138,4 @@ public V run() throws IOException { public void close() { closed = true; } -} \ No newline at end of file +} diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java index 13da44b45f182..9ea53a5acf22e 100644 --- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java +++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsPlugin.java @@ -32,23 +32,14 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.RepositoryPlugin; -import org.elasticsearch.repositories.RepositoriesModule; import org.elasticsearch.repositories.Repository; public final class HdfsPlugin extends Plugin implements RepositoryPlugin { // initialize some problematic classes with elevated privileges static { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } - AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Void run() { - return evilHadoopInit(); - } - }); + SpecialPermission.check(); + AccessController.doPrivileged((PrivilegedAction) HdfsPlugin::evilHadoopInit); } @SuppressForbidden(reason = "Needs a security hack for hadoop on windows, until HADOOP-XXXX is fixed") diff --git a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java index f1e5f83fe601c..6d74d20fc83dc 100644 --- a/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java +++ b/plugins/repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsRepository.java @@ -95,16 +95,9 @@ protected void doStart() { try { // initialize our filecontext - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } - FileContext fileContext = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public FileContext run() { - return createContext(uri, getMetadata().settings()); - } - }); + SpecialPermission.check(); + FileContext fileContext = AccessController.doPrivileged((PrivilegedAction) + () -> createContext(uri, getMetadata().settings())); blobStore = new HdfsBlobStore(fileContext, pathSetting, bufferSize); logger.debug("Using file-system [{}] for URI [{}], path [{}]", fileContext.getDefaultFileSystem(), fileContext.getDefaultFileSystem().getUri(), pathSetting); } catch (IOException e) { diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java index 5b4d2c3a6c1fc..726d9e141ab8c 100644 --- a/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java +++ b/plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/util/SocketAccess.java @@ -35,8 +35,6 @@ */ public final class SocketAccess { - private static final SpecialPermission SPECIAL_PERMISSION = new SpecialPermission(); - private SocketAccess() {} public static T doPrivileged(PrivilegedAction operation) { @@ -62,10 +60,7 @@ public static void doPrivilegedVoid(StorageRunnable action) { } private static void checkSpecialPermission() { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(SPECIAL_PERMISSION); - } + SpecialPermission.check(); } @FunctionalInterface diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java b/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java index 449c9ce411e73..45aea045a9b2f 100644 --- a/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java +++ b/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java @@ -45,24 +45,18 @@ public class S3RepositoryPlugin extends Plugin implements RepositoryPlugin { static { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } - AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Void run() { - try { - // kick jackson to do some static caching of declared members info - Jackson.jsonNodeOf("{}"); - // ClientConfiguration clinit has some classloader problems - // TODO: fix that - Class.forName("com.amazonaws.ClientConfiguration"); - } catch (ClassNotFoundException e) { - throw new RuntimeException(e); - } - return null; + SpecialPermission.check(); + AccessController.doPrivileged((PrivilegedAction) () -> { + try { + // kick jackson to do some static caching of declared members info + Jackson.jsonNodeOf("{}"); + // ClientConfiguration clinit has some classloader problems + // TODO: fix that + Class.forName("com.amazonaws.ClientConfiguration"); + } catch (ClassNotFoundException e) { + throw new RuntimeException(e); } + return null; }); }