Can't use `~/.aws/credentials` file with discovery-ec2 plugin

[dadoonet]

Elasticsearch version: 5.0.0
Plugins installed: discovery-ec2

While I was working on #21039, I observed that loading key/secret from the default location ~/.aws/credentials is not possible.

[2016-10-20T13:42:07,749][DEBUG][c.a.a.AWSCredentialsProviderChain] Unable to load credentials from com.amazonaws.auth.profile.ProfileCredentialsProvider@bcbbaf: access denied ("java.io.FilePermission" "/home/ubuntu/.aws/credentials" "read")

I tried to work around this and added the following lines in plugin-security.policy file but it still does not work:

grant {
  // AWS ProfileCredentialsProvider needs read access to this dir ~/.aws/credentials
  permission java.io.FilePermission "~/.aws/credentials", "read";
};

I also tried with the following (just for testing purpose) and it is also failing:

grant {
  // AWS ProfileCredentialsProvider needs read access to this dir ~/.aws/credentials
  permission java.io.FilePermission "/home/ubuntu/.aws/credentials", "read";
};

I wrap the code with:

            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                // unprivileged code such as scripts do not have SpecialPermission
                sm.checkPermission(new SpecialPermission());
            }
            descInstances = AccessController.doPrivileged(new PrivilegedAction<DescribeInstancesResult>() {
                @Override
                public DescribeInstancesResult run() {
                    return client.describeInstances(buildDescribeInstancesRequest());
                }
            });

I'm unsure if this is supposed to work or if we simply can't support this authentification method anymore.

[rjernst]

@dadoonet Can you again please run with -Djava.security.debug=access,failure so we can see what exact method is trying to read the file (and then we can look at the SDK and see if it will be cached after the first call, which is what I expect).

[dadoonet]

access: access denied ("java.io.FilePermission" "/home/ubuntu/.aws/credentials" "read")
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1329)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at java.io.File.exists(File.java:814)
    at com.amazonaws.auth.profile.ProfilesConfigFile.getCredentialProfilesFile(ProfilesConfigFile.java:200)
    at com.amazonaws.auth.profile.ProfilesConfigFile.<init>(ProfilesConfigFile.java:96)
    at com.amazonaws.auth.profile.ProfileCredentialsProvider.getCredentials(ProfileCredentialsProvider.java:159)
    at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:115)
    at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:11117)
    at com.amazonaws.services.ec2.AmazonEC2Client.describeInstances(AmazonEC2Client.java:5403)
    at org.elasticsearch.discovery.ec2.AwsEc2UnicastHostsProvider.fetchDynamicNodes(AwsEc2UnicastHostsProvider.java:116)
    at org.elasticsearch.discovery.ec2.AwsEc2UnicastHostsProvider$DiscoNodesCache.refresh(AwsEc2UnicastHostsProvider.java:234)
    at org.elasticsearch.discovery.ec2.AwsEc2UnicastHostsProvider$DiscoNodesCache.refresh(AwsEc2UnicastHostsProvider.java:219)
    at org.elasticsearch.common.util.SingleObjectCache.getOrRefresh(SingleObjectCache.java:54)
    at org.elasticsearch.discovery.ec2.AwsEc2UnicastHostsProvider.buildDynamicNodes(AwsEc2UnicastHostsProvider.java:102)
    at org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing.sendPings(UnicastZenPing.java:358)
    at org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing$1$1.doRun(UnicastZenPing.java:276)
    at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:504)
    at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

So yes it is cached but after some time, it's checked again according to their code:

    public AWSCredentials getCredentials() {
        if (profilesConfigFile == null) {
            synchronized (this) {
                if (profilesConfigFile == null) {
                    profilesConfigFile = new ProfilesConfigFile();
                    lastRefreshed = System.nanoTime();
                }
            }
        }

        // Periodically check if the file on disk has been modified
        // since we last read it.
        //
        // For active applications, only have one thread block.
        // For applications that use this method in bursts, ensure the
        // credentials are never too stale.
        long now = System.nanoTime();
        long age = now - lastRefreshed;
        if (age > refreshForceIntervalNanos) {
            refresh();
        } else if (age > refreshIntervalNanos) {
            if (refreshSemaphore.tryAcquire()) {
                try {
                    refresh();
                } finally {
                    refreshSemaphore.release();
                }
            }
        }

        return profilesConfigFile.getCredentials(profileName);
    }

So we can probably make it work when the plugin is loaded but then it will probably fail again later, right?

[dadoonet]

@rjernst Any opinion on this one?

[rjernst]

I don't think we should be using any credentials files. With the new key store tool, all secure settings should be in there.

[dadoonet]

I agree. Thanks for confirming.
I'll remove this from the credential chain so we won't try it.

[dadoonet]

Closing in favor of #22567 which will take care of that.