Support GKE Workload Identity for Searchable Snapshots (#82974) (#83126)

arteam · web-flow · commit 656e8cf495eb · 2022-01-26T15:52:09.000+01:00
Searchable snapshots perform naked calls of `GoogleCloudStorageBlobContainer#readBlob` without the Security Manager. The client fails to get Compute Engine credentials because of that. It works for normal snapshot/restore because they do a privileged call of `GoogleCloudStorageBlobStore.writeBlob` during the verification of the repo. The simplest fix is just to make sure `ServiceOptions.getDefaultProjectId` and `GoogleCredentials::getApplicationDefault` are get called under the SecurityManager (which they should because they perform network calls). Unfortunately, we can't write an integration test for the issue, because the test framework does the repo verification automatically, which works around the bug. Writing a unit test also seems not possible, because `ComputeEngineCredentials#getMetadataServerUrl` relies on the `GCE_METADATA_HOST` environment variable. See elastic/cloud-on-k8s#5230 Resolves #82702
diff --git a/docs/changelog/82974.yaml b/docs/changelog/82974.yaml
@@ -0,0 +1,6 @@
+pr: 82974
+summary: Support GKE Workload Identity for Searchable Snapshots
+area: Snapshot/Restore
+type: bug
+issues:
+ - 82702
diff --git a/modules/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java b/modules/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
@@ -195,7 +195,7 @@ StorageOptions createStorageOptions(
         } else {
             String defaultProjectId = null;
             try {
-                defaultProjectId = ServiceOptions.getDefaultProjectId();
+                defaultProjectId = SocketAccess.doPrivilegedIOException(ServiceOptions::getDefaultProjectId);
                 if (defaultProjectId != null) {
                     storageOptionsBuilder.setProjectId(defaultProjectId);
                 }
@@ -219,7 +219,7 @@ StorageOptions createStorageOptions(
         }
         if (gcsClientSettings.getCredential() == null) {
             try {
-                storageOptionsBuilder.setCredentials(GoogleCredentials.getApplicationDefault());
+                storageOptionsBuilder.setCredentials(SocketAccess.doPrivilegedIOException(GoogleCredentials::getApplicationDefault));
             } catch (Exception e) {
                 logger.warn("failed to load Application Default Credentials", e);
             }

Original file line number	Diff line number	Diff line change
`@@ -195,7 +195,7 @@ StorageOptions createStorageOptions(`
`195`	`195`	`} else {`
`196`	`196`	`String defaultProjectId = null;`
`197`	`197`	`try {`
`198`		`- defaultProjectId = ServiceOptions.getDefaultProjectId();`
	`198`	`+ defaultProjectId = SocketAccess.doPrivilegedIOException(ServiceOptions::getDefaultProjectId);`
`199`	`199`	`if (defaultProjectId != null) {`
`200`	`200`	`storageOptionsBuilder.setProjectId(defaultProjectId);`
`201`	`201`	`}`
`@@ -219,7 +219,7 @@ StorageOptions createStorageOptions(`
`219`	`219`	`}`
`220`	`220`	`if (gcsClientSettings.getCredential() == null) {`
`221`	`221`	`try {`
`222`		`- storageOptionsBuilder.setCredentials(GoogleCredentials.getApplicationDefault());`
	`222`	`+ storageOptionsBuilder.setCredentials(SocketAccess.doPrivilegedIOException(GoogleCredentials::getApplicationDefault));`
`223`	`223`	`} catch (Exception e) {`
`224`	`224`	`logger.warn("failed to load Application Default Credentials", e);`
`225`	`225`	`}`