
GCS Repository: Remove specifying credential file on disk (#24727)

This commit removes the ability to specify the google credential json
file on disk, which is deprecated in 5.5.0.
Ryan Ernst пре 8 година
родитељ
комит
b214b80e6c

+ 5 - 0
docs/reference/migration/migrate_6_0/plugins.asciidoc

@@ -55,6 +55,11 @@ You must set those settings per repository instead. Respectively `account`, `con
 `location_mode`, `chunk_size` and `compress`.
 See {plugins}/repository-azure-usage.html#repository-azure-repository-settings[Azure Repository settings].
 
+==== GCS Repository plugin
+
+* The `service_account` setting has been removed. A service account json credential file must now be
+specified in the <<secure-settings, elasticsearch keystore>>.
+
 ==== EC2 Discovery plugin
 
 * Specifying ec2 signer type has been removed, including `cloud.aws.signer` and `cloud.aws.ec2.signer`.

+ 1 - 4
plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageRepository.java

@@ -62,8 +62,6 @@ class GoogleCloudStorageRepository extends BlobStoreRepository {
             byteSizeSetting("chunk_size", MAX_CHUNK_SIZE, MIN_CHUNK_SIZE, MAX_CHUNK_SIZE, Property.NodeScope, Property.Dynamic);
     static final Setting<String> APPLICATION_NAME =
             new Setting<>("application_name", GoogleCloudStoragePlugin.NAME, Function.identity(), Property.NodeScope, Property.Dynamic);
-    static final Setting<String> SERVICE_ACCOUNT =
-            new Setting<>("service_account", "_default_", Function.identity(), Property.NodeScope, Property.Dynamic, Property.Deprecated);
     static final Setting<String> CLIENT_NAME = new Setting<>("client", "default", Function.identity());
     static final Setting<TimeValue> HTTP_READ_TIMEOUT =
             timeSetting("http.read_timeout", NO_TIMEOUT, Property.NodeScope, Property.Dynamic);
@@ -82,7 +80,6 @@ class GoogleCloudStorageRepository extends BlobStoreRepository {
 
         String bucket = getSetting(BUCKET, metadata);
         String application = getSetting(APPLICATION_NAME, metadata);
-        String serviceAccount = SERVICE_ACCOUNT.get(metadata.settings());
         String clientName = CLIENT_NAME.get(metadata.settings());
 
         String basePath = BASE_PATH.get(metadata.settings());
@@ -115,7 +112,7 @@ class GoogleCloudStorageRepository extends BlobStoreRepository {
         logger.debug("using bucket [{}], base_path [{}], chunk_size [{}], compress [{}], application [{}]",
                 bucket, basePath, chunkSize, compress, application);
 
-        Storage client = storageService.createClient(serviceAccount, clientName, application, connectTimeout, readTimeout);
+        Storage client = storageService.createClient(clientName, application, connectTimeout, readTimeout);
         this.blobStore = new GoogleCloudStorageBlobStore(settings, bucket, client);
     }
 

+ 7 - 23
plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java

@@ -63,14 +63,13 @@ interface GoogleCloudStorageService {
     /**
      * Creates a client that can be used to manage Google Cloud Storage objects.
      *
-     * @param serviceAccount path to service account file
      * @param clientName     name of client settings to use from secure settings
      * @param application    name of the application
      * @param connectTimeout connection timeout for HTTP requests
      * @param readTimeout    read timeout for HTTP requests
      * @return a Client instance that can be used to manage objects
      */
-    Storage createClient(String serviceAccount, String clientName, String application,
+    Storage createClient(String clientName, String application,
                          TimeValue connectTimeout, TimeValue readTimeout) throws Exception;
 
     /**
@@ -92,10 +91,10 @@ interface GoogleCloudStorageService {
         }
 
         @Override
-        public Storage createClient(String serviceAccountFile, String clientName, String application,
+        public Storage createClient(String clientName, String application,
                                     TimeValue connectTimeout, TimeValue readTimeout) throws Exception {
             try {
-                GoogleCredential credential = getCredential(serviceAccountFile, clientName);
+                GoogleCredential credential = getCredential(clientName);
                 NetHttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
 
                 Storage.Builder storage = new Storage.Builder(httpTransport, JacksonFactory.getDefaultInstance(),
@@ -111,25 +110,10 @@ interface GoogleCloudStorageService {
         }
 
         // pkg private for tests
-        GoogleCredential getCredential(String serviceAccountFile, String clientName) throws IOException {
-            if (DEFAULT.equalsIgnoreCase(serviceAccountFile) == false) {
-                deprecationLogger.deprecated("Using GCS service account file from disk is deprecated. " +
-                    "Move the file into the elasticsearch keystore.");
-                Path account = environment.configFile().resolve(serviceAccountFile);
-                if (Files.exists(account) == false) {
-                    throw new IllegalArgumentException("Unable to find service account file [" + serviceAccountFile
-                        + "] defined for repository");
-                }
-
-                try (InputStream is = Files.newInputStream(account)) {
-                    GoogleCredential credential = GoogleCredential.fromStream(is);
-                    if (credential.createScopedRequired()) {
-                        credential = credential.createScoped(Collections.singleton(StorageScopes.DEVSTORAGE_FULL_CONTROL));
-                    }
-                    return credential;
-                }
-            } else if (credentials.containsKey(clientName)) {
-                return credentials.get(clientName);
+        GoogleCredential getCredential(String clientName) throws IOException {
+            GoogleCredential cred = credentials.get(clientName);
+            if (cred != null) {
+                return cred;
             }
             return getDefaultCredential();
         }
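Review bot: `getCredential` resolves any client name without a keystore entry to `getDefaultCredential()` silently. A mistyped `client` value, or a repository that still carries the removed `service_account` setting, would then run under whatever identity that default yields (its body is outside this diff) rather than the intended service account. Whether a leftover `service_account` is rejected elsewhere is not visible here. If it is not, log the fallback before the final return, for example `logger.debug("no keystore credential for client [{}], using default credential", clientName);`, assuming a `logger` is in scope in this class as `deprecationLogger` was. The `// pkg private for tests` comment could become a short Javadoc stating the lookup order (keystore entry for `clientName`, then the default credential), and the `@param clientName` line on the interface's `createClient` could mention the same fallback.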

+ 2 - 3
plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageBlobStoreRepositoryTests.java

@@ -78,9 +78,8 @@ public class GoogleCloudStorageBlobStoreRepositoryTests extends ESBlobStoreRepos
 
     public static class MockGoogleCloudStorageService implements GoogleCloudStorageService {
         @Override
-        public Storage createClient(String serviceAccount, String accountName, String application,
-                                    TimeValue connectTimeout, TimeValue readTimeout) throws
-                Exception {
+        public Storage createClient(String accountName, String application,
+                                    TimeValue connectTimeout, TimeValue readTimeout) throws Exception {
             return storage.get();
         }
     }

+ 2 - 25
plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageServiceTests.java

@@ -49,30 +49,7 @@ public class GoogleCloudStorageServiceTests extends ESTestCase {
                 return cred;
             }
         };
-        assertSame(cred, service.getCredential("_default_", "default"));
-    }
-
-    public void testFileCredentialBackcompat() throws Exception {
-        Path home = createTempDir();
-        Path config = home.resolve("config");
-        Files.createDirectories(config);
-        Settings settings = Settings.builder()
-            .put("path.home", home).build();
-        Environment env = new Environment(settings);
-        Files.copy(getDummyCredentialStream(), config.resolve("test-cred.json"));
-        InternalGoogleCloudStorageService service = new InternalGoogleCloudStorageService(env, Collections.emptyMap());
-        GoogleCredential cred = service.getCredential("test-cred.json", "default");
-        assertEquals("some-project-name@appspot.gserviceaccount.com", cred.getServiceAccountId());
-        assertWarnings("Using GCS service account file from disk is deprecated. Move the file into the elasticsearch keystore.");
-    }
-
-    public void testFileCredentialMissing() throws Exception {
-        Environment env = new Environment(Settings.builder().put("path.home", createTempDir()).build());
-        InternalGoogleCloudStorageService service = new InternalGoogleCloudStorageService(env, Collections.emptyMap());
-        IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () ->
-            service.getCredential("test-cred.json", "default"));
-        assertThat(e.getMessage(), containsString("Unable to find service account file"));
-        assertWarnings("Using GCS service account file from disk is deprecated. Move the file into the elasticsearch keystore.");
+        assertSame(cred, service.getCredential("default"));
     }
 
     public void testClientCredential() throws Exception {
@@ -80,6 +57,6 @@ public class GoogleCloudStorageServiceTests extends ESTestCase {
         Map<String, GoogleCredential> credentials = Collections.singletonMap("clientname", cred);
         Environment env = new Environment(Settings.builder().put("path.home", createTempDir()).build());
         InternalGoogleCloudStorageService service = new InternalGoogleCloudStorageService(env, credentials);
-        assertSame(cred, service.getCredential("_default_", "clientname"));
+        assertSame(cred, service.getCredential("clientname"));
     }
 }