Fix security manager bug writing large blobs to GCS by jasontedor · Pull Request #55421 · elastic/elasticsearch

jasontedor · 2020-04-17T21:18:54Z

This commit addresses a security manager permissions issue writing large blobs (on the resumable upload path) to GCS. The underlying issue here is that we need to wrap the close and write calls on the channel. It is not enough to do this:

SocketAccess.doPrivilegedVoidIOException(
  () -> Streams.copy(
    inputStream,
    Channels.newOutputStream(client().writer(blobInfo, writeOptions))));

This reason that this is not enough is because Streams#copy will be in the stacktrace and it is not granted the security manager permissions needed to close or write this channel. We only grant those permissions to classes loaded in the plugin classloader, and Streams#copy is from the parent classloader. This is why we must wrap the close and write calls as privileged, to truncate the Streams#copy call out of the stacktrace.

The reason that this issue is not caught in testing is because the size of data that we use in testing is too small to trigger the large blob resumable upload path. Therefore, we address this by adding a system property to control the threshold, which we can then set in tests to exercise this code path. Prior to rewriting the writeBlobResumable method to wrap the close and write calls as privileged, with this additional test, we are able to reproduce the security manager permissions issue. After adding the wrapping, this test now passes.

Relates #51596

This commit addresses a security manager permissions issue writing large blobs (on the resumable upload path) to GCS. The underlying issue here is that we need to wrap the close and write calls on the channel. It is not enough to do this: SocketAccess.doPrivilegedVoidIOException( () -> Streams.copy( inputStream, Channels.newOutputStream(client().writer(blobInfo, writeOptions)))); This reason that this is not enough is because Streams#copy will be in the stacktrace and it is not granted the security manager permissions needed to close or write this channel. We only grant those permissions to classes loaded in the plugin classloader, and Streams#copy is from the parent classloader. This is why we must wrap the close and write calls as privileged, to truncate the Streams#copy call out of the stacktrace. The reason that this issue is not caught in testing is because the size of data that we use in testing is too small to trigger the large blob resumable upload path. Therefore, we address this by adding a system property to control the threshold, which we can then set in tests to exercise this code path. Prior to rewriting the writeBlobResumable method to wrap the close and write calls as privileged, with this additional test, we are able to reproduce the security manager permissions issue. After adding the wrapping, this test now passes.

elasticmachine · 2020-04-17T21:18:56Z

Pinging @elastic/es-distributed (:Distributed/Snapshot/Restore)

jasontedor · 2020-04-17T21:24:53Z

Here is a stacktrace that shows the issue

INTERNAL_SERVER_ERROR: com.google.cloud.storage.StorageException: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setFactory")
        at com.google.cloud.storage.StorageException.translateAndThrow(StorageException.java:74)
        at com.google.cloud.storage.BlobWriteChannel.flushBuffer(BlobWriteChannel.java:67)
        at com.google.cloud.BaseWriteChannel.flush(BaseWriteChannel.java:112)
        at com.google.cloud.BaseWriteChannel.write(BaseWriteChannel.java:139)
        at java.base/java.nio.channels.Channels.writeFullyImpl(Channels.java:74)
        at java.base/java.nio.channels.Channels.writeFully(Channels.java:97)
        at java.base/java.nio.channels.Channels$1.write(Channels.java:172)
        at java.base/java.io.InputStream.transferTo(InputStream.java:777)
        at org.elasticsearch.core.internal.io.Streams.copy(Streams.java:47) <-- this does not have the necessary permission
        at org.elasticsearch.repositories.gcs.GoogleCloudStorageBlobStore.lambda$writeBlobResumable$5(GoogleCloudStorageBlobStore.java:216)
        at org.elasticsearch.repositories.gcs.SocketAccess.lambda$doPrivilegedVoidIOException$0(SocketAccess.java:54)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
        at org.elasticsearch.repositories.gcs.SocketAccess.doPrivilegedVoidIOException(SocketAccess.java:53)
        at org.elasticsearch.repositories.gcs.GoogleCloudStorageBlobStore.writeBlobResumable(GoogleCloudStorageBlobStore.java:215)
        at org.elasticsearch.repositories.gcs.GoogleCloudStorageBlobStore.writeBlob(GoogleCloudStorageBlobStore.java:186)
        at org.elasticsearch.repositories.gcs.GoogleCloudStorageBlobContainer.writeBlob(GoogleCloudStorageBlobContainer.java:67)
        at org.elasticsearch.repositories.blobstore.BlobStoreRepository.snapshotFile(BlobStoreRepository.java:2075)
        at org.elasticsearch.repositories.blobstore.BlobStoreRepository.lambda$snapshotShard$55(BlobStoreRepository.java:1745)
        at org.elasticsearch.action.ActionRunnable$1.doRun(ActionRunnable.java:45)
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:692)
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
        at java.base/java.lang.Thread.run(Thread.java:832)
        Suppressed: com.google.cloud.storage.StorageException: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setFactory")
                at com.google.cloud.storage.StorageException.translateAndThrow(StorageException.java:74)
                at com.google.cloud.storage.BlobWriteChannel.flushBuffer(BlobWriteChannel.java:67)
                at com.google.cloud.BaseWriteChannel.close(BaseWriteChannel.java:151)
                at java.base/java.nio.channels.Channels$1.close(Channels.java:177)
                at org.elasticsearch.core.internal.io.IOUtils.close(IOUtils.java:104)
                at org.elasticsearch.core.internal.io.IOUtils.close(IOUtils.java:74)
                at org.elasticsearch.core.internal.io.Streams.copy(Streams.java:54)
                ... 15 more
        Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setFactory")
                at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
                at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
                at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
                at java.base/java.lang.SecurityManager.checkSetFactory(SecurityManager.java:1487)
                at java.base/javax.net.ssl.HttpsURLConnection.setSSLSocketFactory(HttpsURLConnection.java:365)
                at com.google.api.client.http.javanet.NetHttpTransport.buildRequest(NetHttpTransport.java:158)
                at com.google.api.client.http.javanet.NetHttpTransport.buildRequest(NetHttpTransport.java:55)
                at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:889)
                at com.google.cloud.storage.spi.v1.HttpStorageRpc.write(HttpStorageRpc.java:753)
                at com.google.cloud.storage.BlobWriteChannel$1.run(BlobWriteChannel.java:60)
                at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
                at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:105)
                at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
                at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
                at com.google.cloud.storage.BlobWriteChannel.flushBuffer(BlobWriteChannel.java:53)
                ... 20 more

rjernst

LGTM

...sitory-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageBlobStore.java

* Fix security manager bug writing large blobs to GCS This commit addresses a security manager permissions issue writing large blobs (on the resumable upload path) to GCS. The underlying issue here is that we need to wrap the close and write calls on the channel. It is not enough to do this: SocketAccess.doPrivilegedVoidIOException( () -> Streams.copy( inputStream, Channels.newOutputStream(client().writer(blobInfo, writeOptions)))); This reason that this is not enough is because Streams#copy will be in the stacktrace and it is not granted the security manager permissions needed to close or write this channel. We only grant those permissions to classes loaded in the plugin classloader, and Streams#copy is from the parent classloader. This is why we must wrap the close and write calls as privileged, to truncate the Streams#copy call out of the stacktrace. The reason that this issue is not caught in testing is because the size of data that we use in testing is too small to trigger the large blob resumable upload path. Therefore, we address this by adding a system property to control the threshold, which we can then set in tests to exercise this code path. Prior to rewriting the writeBlobResumable method to wrap the close and write calls as privileged, with this additional test, we are able to reproduce the security manager permissions issue. After adding the wrapping, this test now passes. * Fix forbidden APIs issue * Remove leftover debugging

jasontedor added >non-issue blocker :Distributed/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs v8.0.0 v7.7.0 v7.8.0 labels Apr 17, 2020

jasontedor requested review from original-brownbear and rjernst April 17, 2020 21:18

rjernst approved these changes Apr 17, 2020

View reviewed changes

...sitory-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageBlobStore.java Outdated Show resolved Hide resolved

jasontedor added 2 commits April 17, 2020 17:26

Fix forbidden APIs issue

8ad5470

Remove leftover debugging

cc3d9a3

jasontedor merged commit a10b25e into elastic:master Apr 17, 2020

jasontedor deleted the repository-gcs-permissions-issue branch April 17, 2020 22:52

jasontedor mentioned this pull request Apr 23, 2020

Enhance Repository Third Party Tests to Cover Large Files #55642

Closed

jakelandis added v8.0.0-alpha1 and removed v8.0.0 labels Jul 26, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix security manager bug writing large blobs to GCS#55421

Fix security manager bug writing large blobs to GCS#55421
jasontedor merged 3 commits intoelastic:masterfrom
jasontedor:repository-gcs-permissions-issue

jasontedor commented Apr 17, 2020

Uh oh!

elasticmachine commented Apr 17, 2020

Uh oh!

jasontedor commented Apr 17, 2020

Uh oh!

rjernst left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

jasontedor commented Apr 17, 2020

Uh oh!

elasticmachine commented Apr 17, 2020

Uh oh!

jasontedor commented Apr 17, 2020

Uh oh!

rjernst left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants