attempt to fix AccessControlException (doesn't work)

jakelandis · Nov 21, 2024 · 1e57ca2 · 1e57ca2
1 parent 46945ee
commit 1e57ca2
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/.../repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobContainer.java b/.../repository-hdfs/src/main/java/org/elasticsearch/repositories/hdfs/HdfsBlobContainer.java
@@ -16,6 +16,7 @@
 import org.apache.hadoop.fs.Options;
 import org.apache.hadoop.fs.Options.CreateOpts;
 import org.apache.hadoop.fs.Path;
+import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.common.blobstore.BlobContainer;
 import org.elasticsearch.common.blobstore.BlobPath;
@@ -38,6 +39,9 @@
 import java.io.OutputStream;
 import java.nio.file.FileAlreadyExistsException;
 import java.nio.file.NoSuchFileException;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.Iterator;
@@ -262,8 +266,16 @@ public void writeBlobAtomic(OperationPurpose purpose, String blobName, BytesRefe
 
     private void writeToPath(BytesReference bytes, Path blobPath, FileContext fileContext, EnumSet<CreateFlag> createFlags)
         throws IOException {
-        try (FSDataOutputStream stream = fileContext.create(blobPath, createFlags, createOpts)) {
-            bytes.writeTo(stream);
+        SpecialPermission.check();
+        try {
+            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
+                try (FSDataOutputStream stream = fileContext.create(blobPath, createFlags, createOpts)) {
+                    bytes.writeTo(stream);
+                }
+                return null;
+            });
+        } catch (PrivilegedActionException e) {
+            throw (IOException) e.getCause();
         }
     }
 

diff --git a/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy b/plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy
@@ -69,4 +69,6 @@ grant {
   // client binds to the address returned from the host name of any principal set up as a service principal
   // org.apache.hadoop.ipc.Client.Connection.setupConnection
   permission java.net.SocketPermission "localhost:0", "listen,resolve";
+
+  permission org.elasticsearch.secure_sm.ThreadPermission, "modifyArbitraryThreadGroup";
 };
diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@@ -129,4 +129,5 @@ grant {
   permission java.nio.file.LinkPermission "symbolic";
   // needed for keystore tests
   permission java.lang.RuntimePermission "accessUserInformation";
+  permission org.elasticsearch.secure_sm.ThreadPermission, "modifyArbitraryThreadGroup";
 };