opensearch-project · cwperks · Oct 28, 2025 · Oct 28, 2025 · Oct 29, 2025
@@ -32,7 +32,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Refactor the ThreadPoolStats.Stats class to use the Builder pattern instead of constructors ([#19317](https://github.com/opensearch-project/OpenSearch/pull/19317))
 - Refactor the IndexingStats.Stats class to use the Builder pattern instead of constructors ([#19306](https://github.com/opensearch-project/OpenSearch/pull/19306))
 - Remove FeatureFlag.MERGED_SEGMENT_WARMER_EXPERIMENTAL_FLAG. ([#19715](https://github.com/opensearch-project/OpenSearch/pull/19715))
--
+- Replace java.security.AccessController with org.opensearch.secure_sm.AccessController in sub projects with SocketAccess class ([#19803](https://github.com/opensearch-project/OpenSearch/pull/19803))
+
 ### Fixed
 - Fix Allocation and Rebalance Constraints of WeightFunction are incorrectly reset ([#19012](https://github.com/opensearch-project/OpenSearch/pull/19012))
 - Fix flaky test FieldDataLoadingIT.testIndicesFieldDataCacheSizeSetting ([#19571](https://github.com/opensearch-project/OpenSearch/pull/19571))

@@ -15,6 +15,8 @@
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.core.SdkSystemSetting;
 
+import org.opensearch.secure_sm.AccessController;
+
 import java.util.function.Supplier;
 
 /**
@@ -44,7 +46,7 @@ private AwsCredentialsProvider initializeProvider() {
 
         @Override
         public AwsCredentials resolveCredentials() {
-            return SocketAccess.doPrivileged(credentials::resolveCredentials);
+            return AccessController.doPrivileged(credentials::resolveCredentials);
         }
     }
 

@@ -19,6 +19,7 @@
 import org.apache.logging.log4j.Logger;
 import org.opensearch.common.crypto.DataKeyPair;
 import org.opensearch.common.crypto.MasterKeyProvider;
+import org.opensearch.secure_sm.AccessController;
 
 import java.util.Map;
 import java.util.function.Supplier;
@@ -51,7 +52,7 @@ public DataKeyPair generateDataPair() {
                 .keySpec(DataKeySpec.AES_256)
                 .keyId(keyArn)
                 .build();
-            GenerateDataKeyResponse dataKeyPair = SocketAccess.doPrivileged(() -> clientReference.get().generateDataKey(request));
+            GenerateDataKeyResponse dataKeyPair = AccessController.doPrivileged(() -> clientReference.get().generateDataKey(request));
             return new DataKeyPair(dataKeyPair.plaintext().asByteArray(), dataKeyPair.ciphertextBlob().asByteArray());
         }
     }
@@ -63,7 +64,7 @@ public byte[] decryptKey(byte[] encryptedKey) {
                 .ciphertextBlob(SdkBytes.fromByteArray(encryptedKey))
                 .encryptionContext(encryptionContext)
                 .build();
-            DecryptResponse decryptResponse = SocketAccess.doPrivileged(() -> clientReference.get().decrypt(decryptRequest));
+            DecryptResponse decryptResponse = AccessController.doPrivileged(() -> clientReference.get().decrypt(decryptRequest));
             return decryptResponse.plaintext().asByteArray();
         }
     }

@@ -29,6 +29,7 @@
 import org.opensearch.common.settings.Setting;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.common.Strings;
+import org.opensearch.secure_sm.AccessController;
 
 import java.io.Closeable;
 import java.net.URI;
@@ -70,10 +71,10 @@ public KmsService() {
     }
 
     private KmsClient buildClient(KmsClientSettings clientSettings) {
-        SocketAccess.doPrivilegedVoid(KmsService::setDefaultAwsProfilePath);
+        AccessController.doPrivileged(KmsService::setDefaultAwsProfilePath);
         final AwsCredentialsProvider awsCredentialsProvider = buildCredentials(clientSettings);
         final ClientOverrideConfiguration overrideConfiguration = buildOverrideConfiguration();
-        final ProxyConfiguration proxyConfiguration = SocketAccess.doPrivileged(() -> buildProxyConfiguration(clientSettings));
+        final ProxyConfiguration proxyConfiguration = AccessController.doPrivileged(() -> buildProxyConfiguration(clientSettings));
         return buildClient(
             awsCredentialsProvider,
             proxyConfiguration,
@@ -113,7 +114,7 @@ protected KmsClient buildClient(
             builder.region(Region.of(region));
         }
 
-        return SocketAccess.doPrivileged(builder::build);
+        return AccessController.doPrivileged(builder::build);
     }
 
     ProxyConfiguration buildProxyConfiguration(KmsClientSettings clientSettings) {
@@ -166,7 +167,7 @@ public AmazonKmsClientReference client(CryptoMetadata cryptoMetadata) {
                 return existing;
             }
             final AmazonKmsClientReference clientReference = new AmazonKmsClientReference(
-                SocketAccess.doPrivileged(() -> buildClient(clientSettings))
+                AccessController.doPrivileged(() -> buildClient(clientSettings))
             );
             clientReference.incRef();
             clientsCache = MapBuilder.newMapBuilder(clientsCache).put(clientSettings, clientReference).immutableMap();

@@ -12,6 +12,7 @@
 
 import org.opensearch.common.SuppressForbidden;
 import org.opensearch.common.io.PathUtils;
+import org.opensearch.secure_sm.AccessController;
 import org.opensearch.test.OpenSearchTestCase;
 
 import java.nio.file.Path;
@@ -42,13 +43,15 @@ private Path configPath() {
 
     @SuppressForbidden(reason = "set predictable aws defaults")
     private void setUpAwsProfile() throws Exception {
-        previousOpenSearchPathConf = SocketAccess.doPrivileged(() -> System.setProperty("opensearch.path.conf", configPath().toString()));
-        awsRegion = SocketAccess.doPrivileged(() -> System.setProperty("aws.region", "us-west-2"));
-        awsAccessKeyId = SocketAccess.doPrivileged(() -> System.setProperty("aws.accessKeyId", "aws-access-key-id"));
-        awsSecretAccessKey = SocketAccess.doPrivileged(() -> System.setProperty("aws.secretAccessKey", "aws-secret-access-key"));
+        previousOpenSearchPathConf = AccessController.doPrivileged(
+            () -> System.setProperty("opensearch.path.conf", configPath().toString())
+        );
+        awsRegion = AccessController.doPrivileged(() -> System.setProperty("aws.region", "us-west-2"));
+        awsAccessKeyId = AccessController.doPrivileged(() -> System.setProperty("aws.accessKeyId", "aws-access-key-id"));
+        awsSecretAccessKey = AccessController.doPrivileged(() -> System.setProperty("aws.secretAccessKey", "aws-secret-access-key"));
         awsSharedCredentialsFile = System.getProperty(ProfileFileSystemSetting.AWS_SHARED_CREDENTIALS_FILE.property());
         awsConfigFile = System.getProperty(ProfileFileSystemSetting.AWS_CONFIG_FILE.property());
-        SocketAccess.doPrivilegedVoid(KmsService::setDefaultAwsProfilePath);
+        AccessController.doPrivileged(KmsService::setDefaultAwsProfilePath);
     }
 
     @SuppressForbidden(reason = "reset aws settings")
@@ -64,9 +67,9 @@ private void resetAwsProfile() throws Exception {
     @SuppressForbidden(reason = "reset aws settings")
     private void resetPropertyValue(String key, String value) {
         if (value != null) {
-            SocketAccess.doPrivileged(() -> System.setProperty(key, value));
+            AccessController.doPrivileged(() -> System.setProperty(key, value));
         } else {
-            SocketAccess.doPrivileged(() -> System.clearProperty(key));
+            AccessController.doPrivileged(() -> System.clearProperty(key));
         }
     }
 }
@@ -20,6 +20,7 @@
 import org.opensearch.cluster.metadata.CryptoMetadata;
 import org.opensearch.common.settings.MockSecureSettings;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.secure_sm.AccessController;
 
 public class KmsServiceTests extends AbstractAwsTestCase {
     private final CryptoMetadata cryptoMetadata = new CryptoMetadata("kp1", "kp2", Settings.EMPTY);
@@ -38,11 +39,11 @@ public void testAWSDefaultConfiguration() {
             assertNull(proxyConfiguration.password());
 
             // retry policy
-            RetryPolicy retryPolicyConfiguration = SocketAccess.doPrivileged(kmsService::buildRetryPolicy);
+            RetryPolicy retryPolicyConfiguration = AccessController.doPrivileged(kmsService::buildRetryPolicy);
 
             assertEquals(retryPolicyConfiguration.numRetries().intValue(), 10);
 
-            ClientOverrideConfiguration clientOverrideConfiguration = SocketAccess.doPrivileged(kmsService::buildOverrideConfiguration);
+            ClientOverrideConfiguration clientOverrideConfiguration = AccessController.doPrivileged(kmsService::buildOverrideConfiguration);
             assertTrue(clientOverrideConfiguration.retryPolicy().isPresent());
             assertEquals(clientOverrideConfiguration.retryPolicy().get().numRetries().intValue(), 10);
         }
@@ -63,7 +64,7 @@ public void testAWSConfigurationWithAwsSettings() {
 
         try (KmsService kmsService = new KmsService()) {
             // proxy configuration
-            final ProxyConfiguration proxyConfiguration = SocketAccess.doPrivileged(
+            final ProxyConfiguration proxyConfiguration = AccessController.doPrivileged(
                 () -> kmsService.buildProxyConfiguration(KmsClientSettings.getClientSettings(settings))
             );
 
@@ -73,10 +74,10 @@ public void testAWSConfigurationWithAwsSettings() {
             assertEquals(proxyConfiguration.password(), "aws_proxy_password");
 
             // retry policy
-            RetryPolicy retryPolicyConfiguration = SocketAccess.doPrivileged(kmsService::buildRetryPolicy);
+            RetryPolicy retryPolicyConfiguration = AccessController.doPrivileged(kmsService::buildRetryPolicy);
             assertEquals(retryPolicyConfiguration.numRetries().intValue(), 10);
 
-            ClientOverrideConfiguration clientOverrideConfiguration = SocketAccess.doPrivileged(kmsService::buildOverrideConfiguration);
+            ClientOverrideConfiguration clientOverrideConfiguration = AccessController.doPrivileged(kmsService::buildOverrideConfiguration);
             assertTrue(clientOverrideConfiguration.retryPolicy().isPresent());
             assertEquals(clientOverrideConfiguration.retryPolicy().get().numRetries().intValue(), 10);
         }

@@ -46,6 +46,7 @@
 import org.opensearch.plugins.Plugin;
 import org.opensearch.repositories.AbstractThirdPartyRepositoryTestCase;
 import org.opensearch.repositories.blobstore.BlobStoreRepository;
+import org.opensearch.secure_sm.AccessController;
 import org.opensearch.test.OpenSearchIntegTestCase;
 import org.junit.AfterClass;
 
@@ -121,7 +122,7 @@ private void ensureSasTokenPermissions() {
             final Tuple<BlobServiceClient, Supplier<Context>> client = blobStore.getService().client(account);
             final BlobContainerClient blobContainer = client.v1().getBlobContainerClient(blobStore.toString());
             try {
-                SocketAccess.doPrivilegedException(() -> blobContainer.existsWithResponse(null, client.v2().get()));
+                AccessController.doPrivilegedChecked(() -> blobContainer.existsWithResponse(null, client.v2().get()));
                 future.onFailure(
                     new RuntimeException(
                         "The SAS token used in this test allowed for checking container existence. This test only supports tokens "

@@ -67,6 +67,7 @@
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.util.concurrent.AbstractRunnable;
 import org.opensearch.repositories.azure.AzureRepository.Repository;
+import org.opensearch.secure_sm.AccessController;
 import org.opensearch.threadpool.ThreadPool;
 
 import java.io.IOException;
@@ -183,7 +184,7 @@ public boolean blobExists(String blob) throws URISyntaxException, BlobStorageExc
         // Container name must be lower case.
         final Tuple<BlobServiceClient, Supplier<Context>> client = client();
         final BlobContainerClient blobContainer = client.v1().getBlobContainerClient(container);
-        return SocketAccess.doPrivilegedException(() -> {
+        return AccessController.doPrivileged(() -> {
             final BlobClient azureBlob = blobContainer.getBlobClient(blob);
             final Response<Boolean> response = azureBlob.existsWithResponse(timeout(), client.v2().get());
             return response.getValue();
@@ -195,7 +196,7 @@ public void deleteBlob(String blob) throws URISyntaxException, BlobStorageExcept
         // Container name must be lower case.
         final BlobContainerClient blobContainer = client.v1().getBlobContainerClient(container);
         logger.trace(() -> new ParameterizedMessage("delete blob for container [{}], blob [{}]", container, blob));
-        SocketAccess.doPrivilegedVoidException(() -> {
+        AccessController.doPrivilegedChecked(() -> {
             final BlobClient azureBlob = blobContainer.getBlobClient(blob);
             logger.trace(() -> new ParameterizedMessage("container [{}]: blob [{}] found. removing.", container, blob));
             final Response<Void> response = azureBlob.deleteWithResponse(null, null, timeout(), client.v2().get());
@@ -215,7 +216,7 @@ public DeleteResult deleteBlobDirectory(String path, Executor executor) throws U
         final AtomicLong bytesDeleted = new AtomicLong();
         final ListBlobsOptions listBlobsOptions = new ListBlobsOptions().setPrefix(path);
 
-        SocketAccess.doPrivilegedVoidException(() -> {
+        AccessController.doPrivilegedChecked(() -> {
             for (final BlobItem blobItem : blobContainer.listBlobs(listBlobsOptions, timeout())) {
                 // Skipping prefixes as those are not deletable and should not be there
                 assert (blobItem.isPrefix() == null || !blobItem.isPrefix()) : "Only blobs (not prefixes) are expected";
@@ -278,7 +279,7 @@ public InputStream getInputStream(String blob, long position, @Nullable Long len
         final BlobClient azureBlob = blobContainer.getBlobClient(blob);
         logger.trace(() -> new ParameterizedMessage("reading container [{}], blob [{}]", container, blob));
 
-        return SocketAccess.doPrivilegedException(() -> {
+        return AccessController.doPrivileged(() -> {
             if (length == null) {
                 return azureBlob.openInputStream(new BlobRange(position), null);
             } else {
@@ -299,7 +300,7 @@ public Map<String, BlobMetadata> listBlobsByPrefix(String keyPath, String prefix
         final ListBlobsOptions listBlobsOptions = new ListBlobsOptions().setDetails(new BlobListDetails().setRetrieveMetadata(true))
             .setPrefix(keyPath + (prefix == null ? "" : prefix));
 
-        SocketAccess.doPrivilegedVoidException(() -> {
+        AccessController.doPrivilegedChecked(() -> {
             for (final BlobItem blobItem : blobContainer.listBlobsByHierarchy("/", listBlobsOptions, timeout())) {
                 // Skipping over the prefixes, only look for the blobs
                 if (blobItem.isPrefix() != null && blobItem.isPrefix()) {
@@ -327,7 +328,7 @@ public Map<String, BlobContainer> children(BlobPath path) throws URISyntaxExcept
         final ListBlobsOptions listBlobsOptions = new ListBlobsOptions().setDetails(new BlobListDetails().setRetrieveMetadata(true))
             .setPrefix(keyPath);
 
-        SocketAccess.doPrivilegedVoidException(() -> {
+        AccessController.doPrivilegedChecked(() -> {
             for (final BlobItem blobItem : blobContainer.listBlobsByHierarchy("/", listBlobsOptions, timeout())) {
                 // Skipping over the blobs, only look for prefixes
                 if (blobItem.isPrefix() != null && blobItem.isPrefix()) {
@@ -361,7 +362,7 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
                 blobRequestConditions.setIfNoneMatch(Constants.HeaderConstants.ETAG_WILDCARD);
             }
 
-            SocketAccess.doPrivilegedVoidException(() -> {
+            AccessController.doPrivilegedChecked(() -> {
                 final Response<?> response = blob.uploadWithResponse(
                     new BlobParallelUploadOptions(inputStream, blobSize).setRequestConditions(blobRequestConditions)
                         .setParallelTransferOptions(service.getBlobRequestOptionsForWriteBlob()),