Remove shutdown hook permission from hdfs plugin (#65016)

gradle/ide.gradle

@@ -41,7 +41,7 @@ if (System.getProperty('idea.active') == 'true') {
   tasks.register('buildDependencyArtifacts') {
     group = 'ide'
     description = 'Builds artifacts needed as dependency for IDE modules'
-    dependsOn ':client:rest-high-level:shadowJar'
+    dependsOn ':client:rest-high-level:shadowJar', ':plugins:repository-hdfs:hadoop-common:shadowJar'
   }
 
   idea {

plugins/repository-hdfs/build.gradle

@@ -48,7 +48,7 @@ configurations {
 
 dependencies {
   api "org.apache.hadoop:hadoop-client:${versions.hadoop2}"
-  api "org.apache.hadoop:hadoop-common:${versions.hadoop2}"
+  api project(path: 'hadoop-common', configuration: 'shadow')
   api "org.apache.hadoop:hadoop-annotations:${versions.hadoop2}"
   api "org.apache.hadoop:hadoop-auth:${versions.hadoop2}"
   api "org.apache.hadoop:hadoop-hdfs:${versions.hadoop2}"
@@ -303,25 +303,10 @@ integTestSecureHa {
 thirdPartyAudit {
   ignoreMissingClasses()
   ignoreViolations(
-    // internal java api: sun.net.dns.ResolverConfiguration
-    // internal java api: sun.net.util.IPAddressUtil
-    'org.apache.hadoop.security.SecurityUtil$QualifiedHostResolver',
-
     // internal java api: sun.misc.Unsafe
     'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator',
     'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator$1',
-    'org.apache.hadoop.io.FastByteComparisons$LexicographicalComparerHolder$UnsafeComparer',
-    'org.apache.hadoop.io.FastByteComparisons$LexicographicalComparerHolder$UnsafeComparer$1',
-    'org.apache.hadoop.io.nativeio.NativeIO',
     'org.apache.hadoop.hdfs.shortcircuit.ShortCircuitShm',
     'org.apache.hadoop.hdfs.shortcircuit.ShortCircuitShm$Slot',
-
-    // internal java api: sun.nio.ch.DirectBuffer
-    // internal java api: sun.misc.Cleaner
-    'org.apache.hadoop.io.nativeio.NativeIO$POSIX',
-    'org.apache.hadoop.crypto.CryptoStreamUtils',
-
-    // internal java api: sun.misc.SignalHandler
-    'org.apache.hadoop.util.SignalLogger$Handler',
   )
 }

plugins/repository-hdfs/hadoop-common/build.gradle

@@ -0,0 +1,10 @@
+apply plugin: 'elasticsearch.java'
+apply plugin: 'com.github.johnrengelman.shadow'
+
+dependencies {
+  implementation "org.apache.hadoop:hadoop-common:${project.parent.versions.hadoop2}"
+}
+
+tasks.named('shadowJar').configure {
+  exclude 'org/apache/hadoop/util/ShutdownHookManager$*.class'
+}

plugins/repository-hdfs/hadoop-common/src/main/java/org/apache/hadoop/util/ShutdownHookManager.java

@@ -0,0 +1,58 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.util;
+
+import java.util.concurrent.TimeUnit;
+
+/**
+ * A replacement for the ShutdownHookManager from hadoop.
+ *
+ * This class does not actually add a shutdown hook. Hadoop's shutdown hook
+ * manager does not fail gracefully when it lacks security manager permissions
+ * to add shutdown hooks. This implements the same api as the hadoop class, but
+ * with no-ops.
+ */
+public class ShutdownHookManager {
+    private static final ShutdownHookManager MGR = new ShutdownHookManager();
+
+    public static ShutdownHookManager get() {
+        return MGR;
+    }
+
+    private ShutdownHookManager() {}
+
+    public void addShutdownHook(Runnable shutdownHook, int priority) {}
+
+    public void addShutdownHook(Runnable shutdownHook, int priority, long timeout, TimeUnit unit) {}
+
+    public boolean removeShutdownHook(Runnable shutdownHook) {
+        return false;
+    }
+
+    public boolean hasShutdownHook(Runnable shutdownHook) {
+        return false;
+    }
+
+    public boolean isShutdownInProgress() {
+        return false;
+    }
+
+    public void clearShutdownHooks() {}
+}

plugins/repository-hdfs/licenses/hadoop-common-2.8.5.jar.sha1

@@ -1 +0,0 @@
-376e807b4f9df627b03aeaf85999cd1ffe496f05

plugins/repository-hdfs/src/main/plugin-metadata/plugin-security.policy

@@ -33,9 +33,6 @@ grant {
   // org.apache.hadoop.util.StringUtils clinit
   permission java.util.PropertyPermission "*", "read,write";
 
-  // org.apache.hadoop.util.ShutdownHookManager clinit
-  permission java.lang.RuntimePermission "shutdownHooks";
-  
   // JAAS is used by Hadoop for authentication purposes
   // The Hadoop Login JAAS module modifies a Subject's private credentials and principals
   // The Hadoop RPC Layer must be able to read these credentials, and initiate Kerberos connections