Getting security exception due to access denied 'java.lang.RuntimePer…

…mission' 'accessDeclaredMembers' when trying to get snapshot with S3 IRSA (#4469) (#4521) Signed-off-by: Andriy Redko <andriy.redko@aiven.io> Signed-off-by: Andriy Redko <andriy.redko@aiven.io> Co-authored-by: Suraj Singh <surajrider@gmail.com> (cherry picked from commit 8366ea3) Signed-off-by: Andriy Redko <andriy.redko@aiven.io> Signed-off-by: Andriy Redko <andriy.redko@aiven.io> Co-authored-by: Suraj Singh <surajrider@gmail.com>
opensearch-project · Sep 15, 2022 · 303a90a · 303a90a
1 parent d4a162b
commit 303a90a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,6 +29,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - Bugs for dependabot changelog verifier workflow ([#4364](https://github.com/opensearch-project/OpenSearch/pull/4364))
 - [Bug]: gradle check failing with java heap OutOfMemoryError (([#4328](https://github.com/opensearch-project/OpenSearch/
 - `opensearch.bat` fails to execute when install path includes spaces ([#4362](https://github.com/opensearch-project/OpenSearch/pull/4362))
+- Getting security exception due to access denied 'java.lang.RuntimePermission' 'accessDeclaredMembers' when trying to get snapshot with S3 IRSA ([#4469](https://github.com/opensearch-project/OpenSearch/pull/4469))
 
 ### Security
 - CVE-2022-25857 org.yaml:snakeyaml DOS vulnerability ([#4341](https://github.com/opensearch-project/OpenSearch/pull/4341))

diff --git a/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java b/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java
@@ -305,21 +305,28 @@ static AWSCredentialsProvider buildCredentials(Logger logger, S3ClientSettings c
             }
 
             if (irsaCredentials.getIdentityTokenFile() == null) {
-                return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(
-                    securityTokenService,
+                final STSAssumeRoleSessionCredentialsProvider.Builder stsCredentialsProviderBuilder =
                     new STSAssumeRoleSessionCredentialsProvider.Builder(irsaCredentials.getRoleArn(), irsaCredentials.getRoleSessionName())
-                        .withStsClient(securityTokenService)
-                        .build()
+                        .withStsClient(securityTokenService);
+
+                final STSAssumeRoleSessionCredentialsProvider stsCredentialsProvider = SocketAccess.doPrivileged(
+                    stsCredentialsProviderBuilder::build
                 );
+
+                return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(securityTokenService, stsCredentialsProvider);
             } else {
-                return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(
-                    securityTokenService,
+                final STSAssumeRoleWithWebIdentitySessionCredentialsProvider.Builder stsCredentialsProviderBuilder =
                     new STSAssumeRoleWithWebIdentitySessionCredentialsProvider.Builder(
                         irsaCredentials.getRoleArn(),
                         irsaCredentials.getRoleSessionName(),
                         irsaCredentials.getIdentityTokenFile()
-                    ).withStsClient(securityTokenService).build()
+                    ).withStsClient(securityTokenService);
+
+                final STSAssumeRoleWithWebIdentitySessionCredentialsProvider stsCredentialsProvider = SocketAccess.doPrivileged(
+                    stsCredentialsProviderBuilder::build
                 );
+
+                return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(securityTokenService, stsCredentialsProvider);
             }
         } else if (basicCredentials != null) {
             logger.debug("Using basic key/secret credentials");