Fix entitlements in internalClusterTest #131539
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). * The shared data dir is granted as additional data base directory. * Due to the lack of entitlement delegation and wipePendingDataDirectories using server's FileSystemUtils, node base directories won't be removed until after the test. * Disable entitlement checks for some command tests. * Disable entitlement checks for some tests requiring entitlement delegation.
mosche
added
>refactoring
test-windows
elasticsearchmachine
added
v9.2.0
Team:Core/Infra
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
mosche
commented
Jul 18, 2025
libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
Show resolved
Hide resolved
mosche
commented
Jul 18, 2025
| @@ -115,20 +134,31 @@ private static Collection<Path> dataDirs(Settings settings, Path homeDir) { | |||
| : dataDirs.stream().map(TestEntitlementBootstrap::absolutePath).toList(); | |||
| } | |||
|
|
|||
| private static Path sharedDataDir(Settings settings) { | |||
There was a problem hiding this comment.
This is required for some tests, though it looks like we never grant PATH_SHARED_DATA_SETTING in production.
Is this a test-only thing? Or is that a bug?
prdoyle
reviewed
Jul 18, 2025
| @@ -93,6 +94,7 @@ | |||
| import static org.hamcrest.Matchers.startsWith; | |||
|
|
|||
| @ESIntegTestCase.ClusterScope(scope = ESIntegTestCase.Scope.TEST, numDataNodes = 0) | |||
| @ESTestCase.WithoutEntitlements // commands don't run with entitlements enforced | |||
There was a problem hiding this comment.
It's a bit unfortunate how often we need to do this. Makes me wonder if there's a more general rule we could apply so that WithoutEntitlements only needs to be used in exceptional cases. 🤔
prdoyle
approved these changes
Jul 18, 2025
… entitlement delegation
…xInternalClusterTest
…xInternalClusterTest
…xInternalClusterTest
…xInternalClusterTest
…xInternalClusterTest
…xInternalClusterTest
mosche
added
the
auto-backport
mosche
added a commit
to mosche/elasticsearch
that referenced
this pull request
Jul 29, 2025
Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). This change makes sure entitlements are correctly enabled during tests. Due to the lack of entitlement delegation (and usage of server's FileSystemUtils and similar in test code), there's a few remaining issues: - various tests have to run without entitlements - node base dirs cannot be removed immediately when shutting down the node due to pending cleanups (wipePendingDataDirectories) Due to Netty dependency issues (ES-12435), azure and inference tests have to run without entitlements.
💔 Backport failed
You can use sqren/backport to manually backport by running |
mosche
added a commit
to mosche/elasticsearch
that referenced
this pull request
Jul 29, 2025
Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). This change makes sure entitlements are correctly enabled during tests. Due to the lack of entitlement delegation (and usage of server's FileSystemUtils and similar in test code), there's a few remaining issues: - various tests have to run without entitlements - node base dirs cannot be removed immediately when shutting down the node due to pending cleanups (wipePendingDataDirectories) Due to Netty dependency issues (ES-12435), azure and inference tests have to run without entitlements. (cherry picked from commit 5d72a3f) # Conflicts: # modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jul 29, 2025
Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). This change makes sure entitlements are correctly enabled during tests. Due to the lack of entitlement delegation (and usage of server's FileSystemUtils and similar in test code), there's a few remaining issues: - various tests have to run without entitlements - node base dirs cannot be removed immediately when shutting down the node due to pending cleanups (wipePendingDataDirectories) Due to Netty dependency issues (ES-12435), azure and inference tests have to run without entitlements.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I'll follow up with better managing the lifecycle of test entitlement state, as discussed on Slack.