Remove doPrivileged uses from server (#127781) (#128929)

Now that SecurityManager is no longer used, doPrivileged is no longer
necessary. This commit removes uses of it from core and server

Author: rjernst

libs/core/src/main/java/org/elasticsearch/core/internal/provider/EmbeddedImplClassLoader.java

@@ -23,10 +23,8 @@
 import java.nio.file.FileSystems;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.AccessController;
 import java.security.CodeSigner;
 import java.security.CodeSource;
-import java.security.PrivilegedAction;
 import java.security.SecureClassLoader;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -96,8 +94,7 @@ record JarMeta(String prefix, boolean isMultiRelease, Set<String> packages, Map<
     private final ClassLoader parent;
 
     static EmbeddedImplClassLoader getInstance(ClassLoader parent, String providerName) {
-        PrivilegedAction<EmbeddedImplClassLoader> pa = () -> new EmbeddedImplClassLoader(parent, getProviderPrefixes(parent, providerName));
-        return AccessController.doPrivileged(pa);
+        return new EmbeddedImplClassLoader(parent, getProviderPrefixes(parent, providerName));
     }
 
     private EmbeddedImplClassLoader(ClassLoader parent, Map<JarMeta, CodeSource> prefixToCodeBase) {
@@ -120,14 +117,12 @@ private EmbeddedImplClassLoader(ClassLoader parent, Map<JarMeta, CodeSource> pre
     record Resource(InputStream inputStream, CodeSource codeSource) {}
 
     /** Searches for the named resource. Iterates over all prefixes. */
-    private Resource privilegedGetResourceOrNull(JarMeta jarMeta, String pkg, String filepath) {
-        return AccessController.doPrivileged((PrivilegedAction<Resource>) () -> {
-            InputStream is = findResourceInLoaderPkgOrNull(jarMeta, pkg, filepath, parent::getResourceAsStream);
-            if (is != null) {
-                return new Resource(is, prefixToCodeBase.get(jarMeta.prefix()));
-            }
-            return null;
-        });
+    private Resource getResourceOrNull(JarMeta jarMeta, String pkg, String filepath) {
+        InputStream is = findResourceInLoaderPkgOrNull(jarMeta, pkg, filepath, parent::getResourceAsStream);
+        if (is != null) {
+            return new Resource(is, prefixToCodeBase.get(jarMeta.prefix()));
+        }
+        return null;
     }
 
     @Override
@@ -148,7 +143,7 @@ public Class<?> findClass(String name) throws ClassNotFoundException {
         String pkg = toPackageName(filepath);
         JarMeta jarMeta = packageToJarMeta.get(pkg);
         if (jarMeta != null) {
-            Resource res = privilegedGetResourceOrNull(jarMeta, pkg, filepath);
+            Resource res = getResourceOrNull(jarMeta, pkg, filepath);
             if (res != null) {
                 try (InputStream in = res.inputStream()) {
                     byte[] bytes = in.readAllBytes();

libs/core/src/main/java/org/elasticsearch/core/internal/provider/ProviderLocator.java

@@ -15,9 +15,6 @@
 import java.io.UncheckedIOException;
 import java.lang.module.Configuration;
 import java.lang.module.ModuleFinder;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
 import java.util.Locale;
 import java.util.Objects;
 import java.util.ServiceConfigurationError;
@@ -97,10 +94,9 @@ public ProviderLocator(String providerName, Class<T> providerType, String provid
     @Override
     public T get() {
         try {
-            PrivilegedExceptionAction<T> pa = this::load;
-            return AccessController.doPrivileged(pa);
-        } catch (PrivilegedActionException e) {
-            throw new UncheckedIOException((IOException) e.getCause());
+            return load();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
         }
     }
 

qa/evil-tests/src/test/java/org/elasticsearch/common/logging/EvilLoggerTests.java

@@ -174,7 +174,7 @@ public void testConcurrentDeprecationLogger() throws IOException, BrokenBarrierE
             assertLogLine(
                 deprecationEvents.get(i),
                 DeprecationLogger.CRITICAL,
-                "org.elasticsearch.common.logging.DeprecationLogger.lambda\\$doPrivilegedLog\\$0",
+                "org.elasticsearch.common.logging.DeprecationLogger.logDeprecation",
                 ".*This is a maybe logged deprecation message" + i + ".*"
             );
         }
@@ -207,7 +207,7 @@ public void testDeprecatedSettings() throws IOException {
             assertLogLine(
                 deprecationEvents.get(0),
                 DeprecationLogger.CRITICAL,
-                "org.elasticsearch.common.logging.DeprecationLogger.lambda\\$doPrivilegedLog\\$0",
+                "org.elasticsearch.common.logging.DeprecationLogger.logDeprecation",
                 ".*\\[deprecated.foo\\] setting was deprecated in Elasticsearch and will be removed in a future release..*"
             );
         }

server/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java

@@ -14,8 +14,6 @@
 import org.elasticsearch.core.SuppressForbidden;
 
 import java.io.IOError;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 
 class ElasticsearchUncaughtExceptionHandler implements Thread.UncaughtExceptionHandler {
     private static final Logger logger = LogManager.getLogger(ElasticsearchUncaughtExceptionHandler.class);
@@ -53,41 +51,17 @@ static boolean isFatalUncaught(Throwable e) {
 
     void onFatalUncaught(final String threadName, final Throwable t) {
         final String message = "fatal error in thread [" + threadName + "], exiting";
-        logErrorMessage(t, message);
+        logger.error(message, t);
     }
 
     void onNonFatalUncaught(final String threadName, final Throwable t) {
         final String message = "uncaught exception in thread [" + threadName + "]";
-        logErrorMessage(t, message);
-    }
-
-    private static void logErrorMessage(Throwable t, String message) {
-        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
-            logger.error(message, t);
-            return null;
-        });
+        logger.error(message, t);
     }
 
+    @SuppressForbidden(reason = "intentionally halting")
     void halt(int status) {
-        AccessController.doPrivileged(new PrivilegedHaltAction(status));
+        // we halt to prevent shutdown hooks from running
+        Runtime.getRuntime().halt(status);
     }
-
-    static class PrivilegedHaltAction implements PrivilegedAction<Void> {
-
-        private final int status;
-
-        private PrivilegedHaltAction(final int status) {
-            this.status = status;
-        }
-
-        @SuppressForbidden(reason = "halt")
-        @Override
-        public Void run() {
-            // we halt to prevent shutdown hooks from running
-            Runtime.getRuntime().halt(status);
-            return null;
-        }
-
-    }
-
 }

server/src/main/java/org/elasticsearch/common/blobstore/fs/FsBlobStore.java

@@ -18,8 +18,6 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Iterator;
 import java.util.List;
 
@@ -57,14 +55,11 @@ public int bufferSizeInBytes() {
     public BlobContainer blobContainer(BlobPath path) {
         Path f = buildPath(path);
         if (readOnly == false) {
-            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
-                try {
-                    Files.createDirectories(f);
-                } catch (IOException ex) {
-                    throw new ElasticsearchException("failed to create blob container", ex);
-                }
-                return null;
-            });
+            try {
+                Files.createDirectories(f);
+            } catch (IOException ex) {
+                throw new ElasticsearchException("failed to create blob container", ex);
+            }
         }
         return new FsBlobContainer(this, path, f);
     }

server/src/main/java/org/elasticsearch/common/logging/DeprecationLogger.java

@@ -15,8 +15,6 @@
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.Settings;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Collections;
 import java.util.List;
 
@@ -119,18 +117,11 @@ private DeprecationLogger logDeprecation(Level level, DeprecationCategory catego
             String opaqueId = HeaderWarning.getXOpaqueId();
             String productOrigin = HeaderWarning.getProductOrigin();
             ESLogMessage deprecationMessage = DeprecatedMessage.of(category, key, opaqueId, productOrigin, msg, params);
-            doPrivilegedLog(level, deprecationMessage);
+            logger.log(level, deprecationMessage);
         }
         return this;
     }
 
-    private void doPrivilegedLog(Level level, ESLogMessage deprecationMessage) {
-        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
-            logger.log(level, deprecationMessage);
-            return null;
-        });
-    }
-
     /**
      * Used for handling previous version RestApiCompatible logic.
      * Logs a message at the {@link DeprecationLogger#CRITICAL} level

server/src/main/java/org/elasticsearch/common/util/concurrent/EsExecutors.java

@@ -17,8 +17,6 @@
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.node.Node;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.AbstractExecutorService;
@@ -393,11 +391,9 @@ static class EsThreadFactory implements ThreadFactory {
 
         @Override
         public Thread newThread(Runnable r) {
-            return AccessController.doPrivileged((PrivilegedAction<Thread>) () -> {
-                Thread t = new EsThread(group, r, namePrefix + "[T#" + threadNumber.getAndIncrement() + "]", 0, isSystem);
-                t.setDaemon(true);
-                return t;
-            });
+            Thread t = new EsThread(group, r, namePrefix + "[T#" + threadNumber.getAndIncrement() + "]", 0, isSystem);
+            t.setDaemon(true);
+            return t;
         }
     }
 

server/src/main/java/org/elasticsearch/plugins/ExtendedPluginsClassLoader.java

@@ -9,8 +9,6 @@
 
 package org.elasticsearch.plugins;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Collections;
 import java.util.List;
 
@@ -43,8 +41,6 @@ protected Class<?> findClass(String name) throws ClassNotFoundException {
      * Return a new classloader across the parent and extended loaders.
      */
     public static ExtendedPluginsClassLoader create(ClassLoader parent, List<ClassLoader> extendedLoaders) {
-        return AccessController.doPrivileged(
-            (PrivilegedAction<ExtendedPluginsClassLoader>) () -> new ExtendedPluginsClassLoader(parent, extendedLoaders)
-        );
+        return new ExtendedPluginsClassLoader(parent, extendedLoaders);
     }
 }

server/src/main/java/org/elasticsearch/plugins/PluginsLoader.java

@@ -27,8 +27,6 @@
 import java.net.URL;
 import java.net.URLClassLoader;
 import java.nio.file.Path;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -423,7 +421,7 @@ static LayerAndLoader createModuleLayer(
             finder,
             Set.of(moduleName)
         );
-        var controller = privilegedDefineModulesWithOneLoader(configuration, parentLayersOrBoot(parentLayers), parentLoader);
+        var controller = ModuleLayer.defineModulesWithOneLoader(configuration, parentLayersOrBoot(parentLayers), parentLoader);
         var pluginModule = controller.layer().findModule(moduleName).get();
         ensureEntryPointAccessible(controller, pluginModule, className);
         // export/open upstream modules to this plugin module
@@ -432,7 +430,7 @@ static LayerAndLoader createModuleLayer(
         addPluginExportsServices(qualifiedExports, controller);
         enableNativeAccess(moduleName, modulesWithNativeAccess, controller);
         logger.debug(() -> "Loading bundle: created module layer and loader for module " + moduleName);
-        return new LayerAndLoader(controller.layer(), privilegedFindLoader(controller.layer(), moduleName));
+        return new LayerAndLoader(controller.layer(), controller.layer().findLoader(moduleName));
     }
 
     /** Determines the module name of the SPI module, given its URL. */
@@ -490,18 +488,6 @@ private static void ensureEntryPointAccessible(Controller controller, Module plu
         }
     }
 
-    @SuppressWarnings("removal")
-    static Controller privilegedDefineModulesWithOneLoader(Configuration cf, List<ModuleLayer> parentLayers, ClassLoader parentLoader) {
-        return AccessController.doPrivileged(
-            (PrivilegedAction<Controller>) () -> ModuleLayer.defineModulesWithOneLoader(cf, parentLayers, parentLoader)
-        );
-    }
-
-    @SuppressWarnings("removal")
-    static ClassLoader privilegedFindLoader(ModuleLayer layer, String name) {
-        return AccessController.doPrivileged((PrivilegedAction<ClassLoader>) () -> layer.findLoader(name));
-    }
-
     private static List<ModuleLayer> parentLayersOrBoot(List<ModuleLayer> parentLayers) {
         if (parentLayers == null || parentLayers.isEmpty()) {
             return List.of(ModuleLayer.boot());

server/src/main/java/org/elasticsearch/plugins/PluginsService.java

@@ -32,8 +32,6 @@
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.nio.file.Path;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -395,7 +393,7 @@ private void loadBundle(PluginLayer pluginLayer, Map<String, LoadedPlugin> loade
             // Set context class loader to plugin's class loader so that plugins
             // that have dependencies with their own SPI endpoints have a chance to load
             // and initialize them appropriately.
-            privilegedSetContextClassLoader(pluginLayer.pluginClassLoader());
+            Thread.currentThread().setContextClassLoader(pluginLayer.pluginClassLoader());
 
             Plugin plugin;
             if (pluginBundle.pluginDescriptor().isStable()) {
@@ -428,7 +426,7 @@ We need to pass a name though so that we can show that a plugin was loaded (via
             }
             loadedPlugins.put(name, new LoadedPlugin(pluginBundle.plugin, plugin, pluginLayer.pluginClassLoader()));
         } finally {
-            privilegedSetContextClassLoader(cl);
+            Thread.currentThread().setContextClassLoader(cl);
         }
     }
 
@@ -537,12 +535,4 @@ private static String signatureMessage(final Class<? extends Plugin> clazz) {
     public final <T> Stream<T> filterPlugins(Class<T> type) {
         return plugins().stream().filter(x -> type.isAssignableFrom(x.instance().getClass())).map(p -> ((T) p.instance()));
     }
-
-    @SuppressWarnings("removal")
-    private static void privilegedSetContextClassLoader(ClassLoader loader) {
-        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
-            Thread.currentThread().setContextClassLoader(loader);
-            return null;
-        });
-    }
 }