Commit 8366ea3

reta and dreamer-89 authored
Getting security exception due to access denied 'java.lang.RuntimePermission' 'accessDeclaredMembers' when trying to get snapshot with S3 IRSA (opensearch-project#4469)
Signed-off-by: Andriy Redko <[email protected]>
Signed-off-by: Andriy Redko <[email protected]>
Co-authored-by: Suraj Singh <[email protected]>
1 parent 763a89f commit 8366ea3

2 files changed

+15
-7
lines changed

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -59,6 +59,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
5959
- [Segment Replication] Fix timeout issue by calculating time needed to process getSegmentFiles ([#4426](https://github.com/opensearch-project/OpenSearch/pull/4426))
6060
- [Bug]: gradle check failing with java heap OutOfMemoryError (([#4328](https://github.com/opensearch-project/OpenSearch/
6161
- `opensearch.bat` fails to execute when install path includes spaces ([#4362](https://github.com/opensearch-project/OpenSearch/pull/4362))
62+
- Getting security exception due to access denied 'java.lang.RuntimePermission' 'accessDeclaredMembers' when trying to get snapshot with S3 IRSA ([#4469](https://github.com/opensearch-project/OpenSearch/pull/4469))
6263
- Fixed flaky test `ResourceAwareTasksTests.testTaskIdPersistsInThreadContext` ([#4484](https://github.com/opensearch-project/OpenSearch/pull/4484))
6364

6465
### Security
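Review bot: the new entry at 62+ sits with the neighbouring bug-fix entries just ahead of `### Security`, uses the same bullet form and links the PR, so nothing blocks it. While this file is being touched, the context line for #4328 directly above (`(([#4328](https://github.com/opensearch-project/OpenSearch/`) has a doubled opening parenthesis and a truncated link; fixing that in the same change would keep the section well-formed.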

plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java

Lines changed: 14 additions & 7 deletions
@@ -305,21 +305,28 @@ static AWSCredentialsProvider buildCredentials(Logger logger, S3ClientSettings c
305305
}
306306

307307
if (irsaCredentials.getIdentityTokenFile() == null) {
308-
return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(
309-
securityTokenService,
308+
final STSAssumeRoleSessionCredentialsProvider.Builder stsCredentialsProviderBuilder =
310309
new STSAssumeRoleSessionCredentialsProvider.Builder(irsaCredentials.getRoleArn(), irsaCredentials.getRoleSessionName())
311-
.withStsClient(securityTokenService)
312-
.build()
310+
.withStsClient(securityTokenService);
311+
312+
final STSAssumeRoleSessionCredentialsProvider stsCredentialsProvider = SocketAccess.doPrivileged(
313+
stsCredentialsProviderBuilder::build
313314
);
315+
316+
return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(securityTokenService, stsCredentialsProvider);
314317
} else {
315-
return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(
316-
securityTokenService,
318+
final STSAssumeRoleWithWebIdentitySessionCredentialsProvider.Builder stsCredentialsProviderBuilder =
317319
new STSAssumeRoleWithWebIdentitySessionCredentialsProvider.Builder(
318320
irsaCredentials.getRoleArn(),
319321
irsaCredentials.getRoleSessionName(),
320322
irsaCredentials.getIdentityTokenFile()
321-
).withStsClient(securityTokenService).build()
323+
).withStsClient(securityTokenService);
324+
325+
final STSAssumeRoleWithWebIdentitySessionCredentialsProvider stsCredentialsProvider = SocketAccess.doPrivileged(
326+
stsCredentialsProviderBuilder::build
322327
);
328+
329+
return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(securityTokenService, stsCredentialsProvider);
323330
}
324331
} else if (basicCredentials != null) {
325332
logger.debug("Using basic key/secret credentials");
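Review bot: wrapping only `stsCredentialsProviderBuilder::build` in `SocketAccess.doPrivileged` narrows the privileged scope to the call where the `accessDeclaredMembers` check fires, which is the right shape, but it only works if the repository-s3 plugin policy actually grants `java.lang.RuntimePermission "accessDeclaredMembers"`; that grant is not part of this diff, so please confirm it exists and add a test that constructs both the role and the web-identity provider with the security manager enabled so the regression is caught. The two branches now repeat the same three steps (create the builder, `doPrivileged(builder::build)`, wrap the result in `PrivilegedSTSAssumeRoleSessionCredentialsProvider<>`); a small helper that takes the builder would keep them from drifting apart. Finally, `PrivilegedSTSAssumeRoleSessionCredentialsProvider` now receives an already-built provider rather than building one, so check that its later `getCredentials()`/`refresh()` calls still run under `doPrivileged`, otherwise the first credential refresh on a request thread will hit the same permission check this change fixes.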
