From c3ba071948f01612f6e6858617fd040603ed3019 Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Fri, 18 Jul 2025 17:11:38 +0200 Subject: [PATCH 01/12] Fix entitlements in internalClusterTest * Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). * The shared data dir is granted as additional data base directory. * Due to the lack of entitlement delegation and wipePendingDataDirectories using server's FileSystemUtils, node base directories won't be removed until after the test. * Disable entitlement checks for some command tests. * Disable entitlement checks for some tests requiring entitlement delegation. --- .../runtime/policy/PolicyManager.java | 3 - .../action/admin/ReloadSecureSettingsIT.java | 2 + .../cluster/tasks/PendingTasksBlocksIT.java | 2 + .../coordination/RemoveCustomsCommandIT.java | 2 + .../RemoveIndexSettingsCommandIT.java | 2 + .../coordination/RemoveSettingsCommandIT.java | 2 + .../RemoveCorruptedShardDataCommandIT.java | 2 + .../bootstrap/TestEntitlementBootstrap.java | 64 ++++++++++++++----- .../runtime/policy/TestPolicyManager.java | 16 +++-- .../java/org/elasticsearch/node/MockNode.java | 9 +-- .../org/elasticsearch/test/ESTestCase.java | 2 +- .../policy/TestPolicyManagerTests.java | 4 +- 12 files changed, 80 insertions(+), 30 deletions(-) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java index 7f0541911284c..0021a10b84c86 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java 
@@ -367,9 +367,6 @@ private ModuleEntitlements getModuleScopeEntitlements( * @return true if permission is granted regardless of the entitlement */ boolean isTriviallyAllowed(Class requestingClass) { - if (generalLogger.isTraceEnabled()) { - generalLogger.trace("Stack trace for upcoming trivially-allowed check", new Exception()); - } if (requestingClass == null) { generalLogger.debug("Entitlement trivially allowed: no caller frames outside the entitlement library"); return true; diff --git a/server/src/internalClusterTest/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java b/server/src/internalClusterTest/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java index 83e79ff7f45a8..82a6c1f6acf85 100644 --- a/server/src/internalClusterTest/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java +++ b/server/src/internalClusterTest/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java @@ -27,6 +27,7 @@ import org.elasticsearch.plugins.PluginsService; import org.elasticsearch.plugins.ReloadablePlugin; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import org.junit.BeforeClass; import java.io.InputStream; @@ -47,6 +48,7 @@ import static org.hamcrest.Matchers.nullValue; @ESIntegTestCase.ClusterScope(minNumDataNodes = 2) +@ESTestCase.WithoutEntitlements // requires entitlement delegation ES-10920 public class ReloadSecureSettingsIT extends ESIntegTestCase { private static final String VALID_SECURE_SETTING_NAME = "some.setting.that.exists"; diff --git a/server/src/internalClusterTest/java/org/elasticsearch/action/admin/cluster/tasks/PendingTasksBlocksIT.java b/server/src/internalClusterTest/java/org/elasticsearch/action/admin/cluster/tasks/PendingTasksBlocksIT.java index 6475e80901ea7..bb048179a437a 100644 --- a/server/src/internalClusterTest/java/org/elasticsearch/action/admin/cluster/tasks/PendingTasksBlocksIT.java 
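Review bot: The class-level `@ESTestCase.WithoutEntitlements` added to ReloadSecureSettingsIT opts every test in the class out of entitlement enforcement, and the trailing comment names only a ticket, not the operation that needs delegation. The same applies to PendingTasksBlocksIT, and the four Remove*CommandIT classes get the annotation with `commands don't run with entitlements enforced`. Those four are ESIntegTestCase subclasses, so node-side code exercised by them presumably runs unchecked as well. I would make each opt-out auditable with a comment such as `// TODO(ES-10920): remove once entitlement delegation exists; needed for <operation that fails today>`, so the exemptions can be found and removed when the ticket closes.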
+++ b/server/src/internalClusterTest/java/org/elasticsearch/action/admin/cluster/tasks/PendingTasksBlocksIT.java @@ -12,6 +12,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.gateway.GatewayService; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.InternalTestCluster; import java.util.Arrays; @@ -22,6 +23,7 @@ import static org.elasticsearch.cluster.metadata.IndexMetadata.SETTING_READ_ONLY; import static org.elasticsearch.cluster.metadata.IndexMetadata.SETTING_READ_ONLY_ALLOW_DELETE; +@ESTestCase.WithoutEntitlements // requires entitlement delegation ES-10920 public class PendingTasksBlocksIT extends ESIntegTestCase { public void testPendingTasksWithIndexBlocks() { diff --git a/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveCustomsCommandIT.java b/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveCustomsCommandIT.java index 2b2dc114e8ffc..e88a08f983b90 100644 --- a/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveCustomsCommandIT.java +++ b/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveCustomsCommandIT.java @@ -18,12 +18,14 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import java.util.Map; import static org.hamcrest.Matchers.containsString; @ESIntegTestCase.ClusterScope(scope = ESIntegTestCase.Scope.TEST, numDataNodes = 0, autoManageMasterNodes = false) +@ESTestCase.WithoutEntitlements // commands don't run with entitlements enforced public class RemoveCustomsCommandIT extends ESIntegTestCase { public void testRemoveCustomsAbortedByUser() throws Exception { 
diff --git a/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveIndexSettingsCommandIT.java b/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveIndexSettingsCommandIT.java index 65e325a1291d8..62afa9c57cbaa 100644 --- a/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveIndexSettingsCommandIT.java +++ b/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveIndexSettingsCommandIT.java @@ -21,6 +21,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import java.util.Collection; import java.util.List; @@ -31,6 +32,7 @@ import static org.hamcrest.Matchers.not; @ESIntegTestCase.ClusterScope(scope = ESIntegTestCase.Scope.TEST, numDataNodes = 0, autoManageMasterNodes = false) +@ESTestCase.WithoutEntitlements // commands don't run with entitlements enforced public class RemoveIndexSettingsCommandIT extends ESIntegTestCase { static final Setting FOO = Setting.intSetting("index.foo", 1, Setting.Property.IndexScope, Setting.Property.Dynamic); diff --git a/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveSettingsCommandIT.java b/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveSettingsCommandIT.java index d7ed6bb47b98b..1a68211c6ea8e 100644 --- a/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveSettingsCommandIT.java +++ b/server/src/internalClusterTest/java/org/elasticsearch/cluster/coordination/RemoveSettingsCommandIT.java @@ -19,6 +19,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import java.util.Map; 
@@ -27,6 +28,7 @@ import static org.hamcrest.Matchers.not; @ESIntegTestCase.ClusterScope(scope = ESIntegTestCase.Scope.TEST, numDataNodes = 0, autoManageMasterNodes = false) +@ESTestCase.WithoutEntitlements // commands don't run with entitlements enforced public class RemoveSettingsCommandIT extends ESIntegTestCase { public void testRemoveSettingsAbortedByUser() throws Exception { diff --git a/server/src/internalClusterTest/java/org/elasticsearch/index/shard/RemoveCorruptedShardDataCommandIT.java b/server/src/internalClusterTest/java/org/elasticsearch/index/shard/RemoveCorruptedShardDataCommandIT.java index b9513dfb95187..d1cff7b2a30d1 100644 --- a/server/src/internalClusterTest/java/org/elasticsearch/index/shard/RemoveCorruptedShardDataCommandIT.java +++ b/server/src/internalClusterTest/java/org/elasticsearch/index/shard/RemoveCorruptedShardDataCommandIT.java @@ -58,6 +58,7 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.CorruptionUtils; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.InternalSettingsPlugin; import org.elasticsearch.test.InternalTestCluster; import org.elasticsearch.test.engine.MockEngineSupport; @@ -93,6 +94,7 @@ import static org.hamcrest.Matchers.startsWith; @ESIntegTestCase.ClusterScope(scope = ESIntegTestCase.Scope.TEST, numDataNodes = 0) +@ESTestCase.WithoutEntitlements // commands don't run with entitlements enforced public class RemoveCorruptedShardDataCommandIT extends ESIntegTestCase { @Override diff --git a/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java b/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java index 3e6f09915358b..4ce2702dc178c 100644 --- a/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java 
+++ b/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java @@ -9,6 +9,7 @@ package org.elasticsearch.entitlement.bootstrap; +import org.apache.lucene.tests.mockfile.FilterPath; import org.elasticsearch.bootstrap.TestBuildInfo; import org.elasticsearch.bootstrap.TestBuildInfoParser; import org.elasticsearch.bootstrap.TestScopeResolver; @@ -38,6 +39,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -54,6 +56,7 @@ import static org.elasticsearch.env.Environment.PATH_DATA_SETTING; import static org.elasticsearch.env.Environment.PATH_HOME_SETTING; import static org.elasticsearch.env.Environment.PATH_REPO_SETTING; +import static org.elasticsearch.env.Environment.PATH_SHARED_DATA_SETTING; public class TestEntitlementBootstrap { 
@@ -82,30 +85,46 @@ public static void registerNodeBaseDirs(Settings settings, Path configPath) { if (policyManager == null) { return; } - Path homeDir = absolutePath(PATH_HOME_SETTING.get(settings)); - Path configDir = configPath != null ? configPath : homeDir.resolve("config"); - Collection dataDirs = dataDirs(settings, homeDir); - Collection repoDirs = repoDirs(settings); + var homeDir = homeDir(settings); + var configDir = configDir(configPath, homeDir); + var sharedDataDir = sharedDataDir(settings); + var dataDirs = dataDirs(settings, homeDir); + var repoDirs = repoDirs(settings); logger.debug("Registering node dirs: config [{}], dataDirs [{}], repoDirs [{}]", configDir, dataDirs, repoDirs); baseDirPaths.compute(BaseDir.CONFIG, baseDirModifier(paths -> paths.add(configDir))); + if (sharedDataDir != null) { + baseDirPaths.compute(BaseDir.DATA, baseDirModifier(paths -> paths.add(sharedDataDir))); + } baseDirPaths.compute(BaseDir.DATA, baseDirModifier(paths -> paths.addAll(dataDirs))); baseDirPaths.compute(BaseDir.SHARED_REPO, baseDirModifier(paths -> paths.addAll(repoDirs))); - policyManager.reset(); + policyManager.clearModuleEntitlementsCache(); } public static void unregisterNodeBaseDirs(Settings settings, Path configPath) { if (policyManager == null) { return; } - Path homeDir = absolutePath(PATH_HOME_SETTING.get(settings)); - Path configDir = configPath != null ? 
configPath : homeDir.resolve("config"); - Collection dataDirs = dataDirs(settings, homeDir); - Collection repoDirs = repoDirs(settings); + var homeDir = homeDir(settings); + var configDir = configDir(configPath, homeDir); + var sharedDataDir = sharedDataDir(settings); + var dataDirs = dataDirs(settings, homeDir); + var repoDirs = repoDirs(settings); logger.debug("Unregistering node dirs: config [{}], dataDirs [{}], repoDirs [{}]", configDir, dataDirs, repoDirs); baseDirPaths.compute(BaseDir.CONFIG, baseDirModifier(paths -> paths.remove(configDir))); + if (sharedDataDir != null) { + baseDirPaths.compute(BaseDir.DATA, baseDirModifier(paths -> paths.remove(sharedDataDir))); + } baseDirPaths.compute(BaseDir.DATA, baseDirModifier(paths -> paths.removeAll(dataDirs))); baseDirPaths.compute(BaseDir.SHARED_REPO, baseDirModifier(paths -> paths.removeAll(repoDirs))); - policyManager.reset(); + policyManager.clearModuleEntitlementsCache(); + } + + private static Path homeDir(Settings settings) { + return absolutePath(PATH_HOME_SETTING.get(settings)); + } + + private static Path configDir(Path configDir, Path homeDir) { + return configDir != null ? unwrapFilterPath(configDir) : homeDir.resolve("config"); } private static Collection dataDirs(Settings settings, Path homeDir) { 
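Review bot: `unregisterNodeBaseDirs` removes `sharedDataDir` from the `BaseDir.DATA` set with a plain `paths.remove(sharedDataDir)`, so if several nodes are configured with the same shared data path (likely given the setting's purpose, but not visible here), unregistering one node revokes it for nodes still running; the set keeps no per-node count. This is latent in this patch because the only call site visible, in MockNode, is commented out, but it will surface once that call is restored. Registering the shared dir under `DATA` also means anything entitled to the node data dirs can reach it, which may be broader than intended. The unchanged debug lines omit the new directory; consider `logger.debug("Registering node dirs: config [{}], sharedDataDir [{}], dataDirs [{}], repoDirs [{}]", configDir, sharedDataDir, dataDirs, repoDirs);` and the matching change in the unregister message. The signature of `registerNodeBaseDirs` sits at the hunk edge and `dataDirs` continues below the hunk.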
@@ -115,20 +134,31 @@ private static Collection dataDirs(Settings settings, Path homeDir) { : dataDirs.stream().map(TestEntitlementBootstrap::absolutePath).toList(); } + private static Path sharedDataDir(Settings settings) { + String sharedDataDir = PATH_SHARED_DATA_SETTING.get(settings); + return sharedDataDir.isEmpty() ? null : TestEntitlementBootstrap.absolutePath(sharedDataDir); + } + private static Collection repoDirs(Settings settings) { return PATH_REPO_SETTING.get(settings).stream().map(TestEntitlementBootstrap::absolutePath).toList(); } private static BiFunction, Collection> baseDirModifier(Consumer> consumer) { + // always return a new unmodifiable copy return (BaseDir baseDir, Collection paths) -> { - if (paths == null) { - paths = new HashSet<>(); - } + paths = paths == null ? new HashSet<>() : new HashSet<>(paths); consumer.accept(paths); - return paths; + return Collections.unmodifiableCollection(paths); }; } + private static Path unwrapFilterPath(Path path) { + while (path instanceof FilterPath fPath) { + path = fPath.getDelegate(); + } + return path; + } + @SuppressForbidden(reason = "must be resolved using the default file system, rather then the mocked test file system") private static Path absolutePath(String path) { return Paths.get(path).toAbsolutePath().normalize(); @@ -158,9 +188,11 @@ public static void setEntitledTestPackages(String[] entitledTestPackages) { policyManager.setEntitledTestPackages(entitledTestPackages); } - public static void reset() { + public static void resetAfterTest() { + // reset all base dirs except TEMP, which is initialized just once statically + baseDirPaths.keySet().retainAll(List.of(TEMP)); if (policyManager != null) { - policyManager.reset(); + policyManager.resetAfterTest(); } } 
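Review bot: `unwrapFilterPath` and the null return of `sharedDataDir` are undocumented, although both encode a contract the callers depend on. For `unwrapFilterPath` I would add `// strip Lucene mock-filesystem wrappers so the registered path is on the default file system, like absolutePath()`, which matches the reason already given in the `@SuppressForbidden` on `absolutePath`. For `sharedDataDir`, a one-line Javadoc such as `/** @return the absolute shared data dir, or null when PATH_SHARED_DATA_SETTING is empty */` makes the null checks in the register and unregister methods self-explanatory. The new comment on `baseDirModifier` says what is returned; adding why (presumably so that a reader holding the previous collection never sees it mutate) would help the next maintainer.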
diff --git a/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java b/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java index b504e51e119f7..bd1e6a468de31 100644 --- a/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java +++ b/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java @@ -53,7 +53,7 @@ public TestPolicyManager( super(serverPolicy, apmAgentEntitlements, pluginPolicies, scopeResolver, name -> classpath, pathLookup); this.classpath = classpath; this.testOnlyClasspath = testOnlyClasspath; - reset(); + resetAfterTest(); } public void setActive(boolean newValue) { @@ -77,13 +77,21 @@ public void setEntitledTestPackages(String... entitledTestPackages) { /** * Called between tests so each test is not affected by prior tests */ - public final void reset() { - assert moduleEntitlementsMap.isEmpty() : "We're not supposed to be using moduleEntitlementsMap in tests"; - classEntitlementsMap.clear(); + public final void resetAfterTest() { + clearModuleEntitlementsCache(); isActive = false; isTriviallyAllowingTestCode = true; } + /** + * Clear cached module entitlements. + * This is required after updating entries in {@link TestPathLookup}. + */ + public final void clearModuleEntitlementsCache() { + assert moduleEntitlementsMap.isEmpty() : "We're not supposed to be using moduleEntitlementsMap in tests"; + classEntitlementsMap.clear(); + } + @Override protected boolean isTrustedSystemClass(Class requestingClass) { ClassLoader loader = requestingClass.getClassLoader(); diff --git a/test/framework/src/main/java/org/elasticsearch/node/MockNode.java b/test/framework/src/main/java/org/elasticsearch/node/MockNode.java index 3d5229435e729..be21a1c8ab694 100644 --- a/test/framework/src/main/java/org/elasticsearch/node/MockNode.java +++ b/test/framework/src/main/java/org/elasticsearch/node/MockNode.java 
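Review bot: The Javadoc kept on `resetAfterTest()` ("Called between tests so each test is not affected by prior tests") does not say that the method also sets `isActive = false`. Per the commit message, that is what silently disabled entitlement checks when `reset()` ran during node registration. I would state it explicitly, e.g. `Deactivates entitlement checks and clears cached entitlements; call setActive(true) again before relying on enforcement.`, so that nobody reuses it as a cache flush in place of `clearModuleEntitlementsCache()`. Besides the constructor, the only caller visible in this patch is the `@AfterClass` hook in ESTestCase via TestEntitlementBootstrap, so "after each test class" may describe the timing more accurately than "between tests".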
@@ -54,11 +54,11 @@ import org.elasticsearch.transport.TransportService; import org.elasticsearch.transport.TransportSettings; -import java.io.IOException; import java.nio.file.Path; import java.util.Collection; import java.util.Collections; import java.util.Map; +import java.util.concurrent.TimeUnit; import java.util.function.Function; import java.util.function.LongSupplier; @@ -286,11 +286,12 @@ private static Environment prepareEnvironment(final Settings settings, final Pat } @Override - public synchronized void close() throws IOException { + public synchronized boolean awaitClose(long timeout, TimeUnit timeUnit) throws InterruptedException { try { - super.close(); + return super.awaitClose(timeout, timeUnit); } finally { - TestEntitlementBootstrap.unregisterNodeBaseDirs(getEnvironment().settings(), getEnvironment().configDir()); + // wipePendingDataDirectories requires entitlement delegation to work due to this using FileSystemUtils ES-10920 + // TestEntitlementBootstrap.unregisterNodeBaseDirs(settings(), getEnvironment().configDir()); } } diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java index 6ced34ce72759..d3ea21bac9f88 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java @@ -546,7 +546,7 @@ public static void setupEntitlementsForClass() { @AfterClass public static void resetEntitlements() { - TestEntitlementBootstrap.reset(); + TestEntitlementBootstrap.resetAfterTest(); } // setup mock filesystems for this test run. we change PathUtils diff --git a/test/framework/src/test/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManagerTests.java b/test/framework/src/test/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManagerTests.java index 4a62355f398d8..c0f1aaa227cdb 100644 
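Review bot: The `finally` block in `awaitClose` now contains only a commented-out call, so the override does nothing beyond delegating to `super.awaitClose`, and the node's config, data and repo directories stay registered after the node has closed. As far as this patch shows, they are dropped only by `TestEntitlementBootstrap.resetAfterTest()`, which ESTestCase invokes from `@AfterClass`, so file access to a stopped node's directories will presumably not be flagged for the rest of the class. I would remove the empty try/finally (or the override itself) and keep the intent as a tracked marker, e.g. `// TODO(ES-10920): unregister node base dirs after close once wipePendingDataDirectories works without them`. The commented line also switches from `getEnvironment().settings()` to `settings()`, which the compiler will not check until the call is restored.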
--- a/test/framework/src/test/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManagerTests.java +++ b/test/framework/src/test/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManagerTests.java @@ -41,13 +41,13 @@ public void setupPolicyManager() { policyManager.setActive(true); } - public void testReset() { + public void testResetAfterTest() { assertTrue(policyManager.classEntitlementsMap.isEmpty()); assertEquals("example-plugin1", policyManager.getEntitlements(getClass()).componentName()); assertEquals("example-plugin1", policyManager.getEntitlements(getClass()).componentName()); assertFalse(policyManager.classEntitlementsMap.isEmpty()); - policyManager.reset(); + policyManager.resetAfterTest(); assertTrue(policyManager.classEntitlementsMap.isEmpty()); assertEquals("example-plugin2", policyManager.getEntitlements(getClass()).componentName()); From 3bf8256e3169dd5d2b62c29213c2fc4f504f440c Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Mon, 21 Jul 2025 12:36:19 +0200 Subject: [PATCH 02/12] continue logging stacktrace in isTriviallyAllowed --- .../entitlement/runtime/policy/PolicyManager.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java index 0021a10b84c86..4db0c5e7ce126 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java 
@@ -376,10 +376,13 @@ boolean isTriviallyAllowed(Class requestingClass) { return true; } if (isTrustedSystemClass(requestingClass)) { + // note: logging prior to allowing trusted system classes can fail if loading of new classes is necessary generalLogger.debug("Entitlement trivially allowed from system module [{}]", requestingClass.getModule().getName()); return true; } - generalLogger.trace("Entitlement not trivially allowed"); + if (generalLogger.isTraceEnabled()) { + generalLogger.trace("Stack trace if entitlement not trivially allowed", new Exception()); + } return false; } From 707e7927f7187de500daa5d769a6fd4e6aefb6b3 Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Tue, 22 Jul 2025 12:23:35 +0200 Subject: [PATCH 03/12] Run Azure tests without entitlements until ES-12435 --- .../repositories/azure/AzureBlobStoreRepositoryTests.java | 2 ++ .../repositories/azure/AzureRepositoryMissingCredentialsIT.java | 2 ++ 2 files changed, 4 insertions(+) diff --git a/modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java b/modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java index c6c1868d5bbc1..493f4d10eea6d 100644 --- a/modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java +++ b/modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java @@ -41,6 +41,7 @@ import org.elasticsearch.telemetry.Measurement; import org.elasticsearch.telemetry.TestTelemetryPlugin; import org.elasticsearch.test.BackgroundIndexer; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import java.io.ByteArrayInputStream; 
@@ -73,6 +74,7 @@ import static org.hamcrest.Matchers.is; @SuppressForbidden(reason = "this test uses a HttpServer to emulate an Azure endpoint") +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class AzureBlobStoreRepositoryTests extends ESMockAPIBasedRepositoryIntegTestCase { protected static final String DEFAULT_ACCOUNT_NAME = "account"; diff --git a/modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureRepositoryMissingCredentialsIT.java b/modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureRepositoryMissingCredentialsIT.java index 947f73c2ce580..5e3cad4534b7c 100644 --- a/modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureRepositoryMissingCredentialsIT.java +++ b/modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureRepositoryMissingCredentialsIT.java @@ -18,12 +18,14 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.repositories.RepositoryVerificationException; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import java.util.Collection; import static org.hamcrest.Matchers.allOf; import static org.hamcrest.Matchers.containsString; +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class AzureRepositoryMissingCredentialsIT extends ESIntegTestCase { @Override From 491f8b625e7d9fb5e445111a54022d08eaae42d5 Mon Sep 17 00:00:00 2001 
From: Moritz Mack Date: Tue, 22 Jul 2025 12:40:55 +0200 Subject: [PATCH 04/12] Run inference tests without entitlements until ES-12435 --- .../filter/ShardBulkInferenceActionFilterBasicLicenseIT.java | 2 ++ .../action/filter/ShardBulkInferenceActionFilterIT.java | 2 ++ .../integration/InferenceRevokeDefaultEndpointsIT.java | 2 ++ .../xpack/inference/integration/ModelRegistryIT.java | 2 ++ .../xpack/inference/integration/SemanticTextIndexOptionsIT.java | 2 ++ .../xpack/inference/integration/SemanticTextIndexVersionIT.java | 2 ++ .../inference/rest/ServerSentEventsRestActionListenerTests.java | 2 ++ 7 files changed, 14 insertions(+) diff --git a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/action/filter/ShardBulkInferenceActionFilterBasicLicenseIT.java b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/action/filter/ShardBulkInferenceActionFilterBasicLicenseIT.java index e2d00b8c52781..33b9adb431a0a 100644 --- a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/action/filter/ShardBulkInferenceActionFilterBasicLicenseIT.java +++ b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/action/filter/ShardBulkInferenceActionFilterBasicLicenseIT.java @@ -23,6 +23,7 @@ import org.elasticsearch.license.LicenseSettings; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.XPackField; import org.elasticsearch.xpack.inference.LocalStateInferencePlugin; import org.elasticsearch.xpack.inference.Utils; @@ -42,6 +43,7 @@ import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.instanceOf; +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class ShardBulkInferenceActionFilterBasicLicenseIT extends ESIntegTestCase { public static final String INDEX_NAME = "test-index"; 
diff --git a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/action/filter/ShardBulkInferenceActionFilterIT.java b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/action/filter/ShardBulkInferenceActionFilterIT.java index 8405fba22460f..7ddbf4fc55ffd 100644 --- a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/action/filter/ShardBulkInferenceActionFilterIT.java +++ b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/action/filter/ShardBulkInferenceActionFilterIT.java @@ -32,6 +32,7 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.search.builder.SearchSourceBuilder; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.InternalTestCluster; import org.elasticsearch.xpack.inference.InferenceIndex; import org.elasticsearch.xpack.inference.LocalStateInferencePlugin; @@ -56,6 +57,7 @@ import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class ShardBulkInferenceActionFilterIT extends ESIntegTestCase { public static final String INDEX_NAME = "test-index"; diff --git a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/InferenceRevokeDefaultEndpointsIT.java b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/InferenceRevokeDefaultEndpointsIT.java index 1eb530ac1bb9e..a0055332a36c2 100644 --- a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/InferenceRevokeDefaultEndpointsIT.java +++ b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/InferenceRevokeDefaultEndpointsIT.java 
@@ -20,6 +20,7 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.reindex.ReindexPlugin; import org.elasticsearch.test.ESSingleNodeTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.http.MockResponse; import org.elasticsearch.test.http.MockWebServer; import org.elasticsearch.threadpool.ThreadPool; @@ -47,6 +48,7 @@ import static org.hamcrest.Matchers.containsInAnyOrder; import static org.mockito.Mockito.mock; +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class InferenceRevokeDefaultEndpointsIT extends ESSingleNodeTestCase { private static final TimeValue TIMEOUT = new TimeValue(30, TimeUnit.SECONDS); diff --git a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/ModelRegistryIT.java b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/ModelRegistryIT.java index e56782bd00ef5..3c09e73c55411 100644 --- a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/ModelRegistryIT.java +++ b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/ModelRegistryIT.java @@ -34,6 +34,7 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.reindex.ReindexPlugin; import org.elasticsearch.test.ESSingleNodeTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xcontent.ToXContentObject; import org.elasticsearch.xcontent.XContentBuilder; @@ -74,6 +75,7 @@ import static org.mockito.Mockito.doAnswer; import static org.mockito.Mockito.mock; +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class ModelRegistryIT extends ESSingleNodeTestCase { private static final TimeValue TIMEOUT = new TimeValue(30, TimeUnit.SECONDS); 
diff --git a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/SemanticTextIndexOptionsIT.java b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/SemanticTextIndexOptionsIT.java index 035ec4dc9593d..08d3f0a6a9b9f 100644 --- a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/SemanticTextIndexOptionsIT.java +++ b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/SemanticTextIndexOptionsIT.java @@ -30,6 +30,7 @@ import org.elasticsearch.protocol.xpack.license.GetLicenseRequest; import org.elasticsearch.reindex.ReindexPlugin; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.InternalTestCluster; import org.elasticsearch.xcontent.ToXContent; import org.elasticsearch.xcontent.XContentBuilder; @@ -55,6 +56,7 @@ import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; import static org.hamcrest.CoreMatchers.equalTo; +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class SemanticTextIndexOptionsIT extends ESIntegTestCase { private static final String INDEX_NAME = "test-index"; private static final Map BBQ_COMPATIBLE_SERVICE_SETTINGS = Map.of( diff --git a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/SemanticTextIndexVersionIT.java b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/SemanticTextIndexVersionIT.java index 6f8992b5bd200..8986b0a158e9f 100644 --- a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/SemanticTextIndexVersionIT.java +++ b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/integration/SemanticTextIndexVersionIT.java 
@@ -24,6 +24,7 @@ import org.elasticsearch.search.builder.SearchSourceBuilder; import org.elasticsearch.search.fetch.subphase.highlight.HighlightBuilder; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.index.IndexVersionUtils; import org.elasticsearch.xcontent.XContentBuilder; import org.elasticsearch.xcontent.XContentFactory; @@ -50,6 +51,7 @@ import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertResponse; import static org.hamcrest.Matchers.equalTo; +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class SemanticTextIndexVersionIT extends ESIntegTestCase { private static final int MAXIMUM_NUMBER_OF_VERSIONS_TO_TEST = 25; private static final String SPARSE_SEMANTIC_FIELD = "sparse_field"; diff --git a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/rest/ServerSentEventsRestActionListenerTests.java b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/rest/ServerSentEventsRestActionListenerTests.java index 87e14e4e89d88..3287995588d86 100644 --- a/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/rest/ServerSentEventsRestActionListenerTests.java +++ b/x-pack/plugin/inference/src/internalClusterTest/java/org/elasticsearch/xpack/inference/rest/ServerSentEventsRestActionListenerTests.java @@ -45,6 +45,7 @@ import org.elasticsearch.rest.RestRequest; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xcontent.ToXContent; import org.elasticsearch.xpack.core.inference.action.InferenceAction; 
@@ -75,6 +76,7 @@ import static org.hamcrest.Matchers.nullValue; @ESIntegTestCase.ClusterScope(numDataNodes = 1) +@ESTestCase.WithoutEntitlements // due to dependency issue ES-12435 public class ServerSentEventsRestActionListenerTests extends ESIntegTestCase { private static final String INFERENCE_ROUTE = "/_inference"; private static final String REQUEST_COUNT = "request_count"; From 02757bf24bf1237b37e8bf4b8d5dd1a449b6c6c2 Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Tue, 22 Jul 2025 14:55:08 +0200 Subject: [PATCH 05/12] Don't log exception in isTriviallyAllowed --- .../entitlement/runtime/policy/PolicyManager.java | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java index 4db0c5e7ce126..df68da2e251ac 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java @@ -367,6 +367,7 @@ private ModuleEntitlements getModuleScopeEntitlements( * @return true if permission is granted regardless of the entitlement */ boolean isTriviallyAllowed(Class requestingClass) { + // note: do not log exceptions in here, this could interfere with loading of additionally necessary classes such as ThrowableProxy if (requestingClass == null) { generalLogger.debug("Entitlement trivially allowed: no caller frames outside the entitlement library"); return true; 
@@ -376,13 +377,10 @@ boolean isTriviallyAllowed(Class requestingClass) { return true; } if (isTrustedSystemClass(requestingClass)) { - // note: logging prior to allowing trusted system classes can fail if loading of new classes is necessary generalLogger.debug("Entitlement trivially allowed from system module [{}]", requestingClass.getModule().getName()); return true; } - if (generalLogger.isTraceEnabled()) { - generalLogger.trace("Stack trace if entitlement not trivially allowed", new Exception()); - } + generalLogger.trace("Entitlement not trivially allowed"); return false; } From ca4fd4b919d982073bb5642ce6f59fbc3ff356dc Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Wed, 23 Jul 2025 11:59:01 +0200 Subject: [PATCH 06/12] Grant file entitlements for shared data dir to ES base due to lack of entitlement delegation --- .../entitlement/bootstrap/HardcodedEntitlements.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java index 278b9e773ae1f..de5d690796b6d 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java @@ -92,8 +92,9 @@ private static List createServerEntitlements(Path pidFile) { new CreateClassLoaderEntitlement(), new FilesEntitlement( List.of( - // TODO: what in es.base is accessing shared repo? + // necessary due to lack of delegation ES-12382 FilesEntitlement.FileData.ofBaseDirPath(SHARED_REPO, READ_WRITE), + FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ_WRITE), FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE) ) ) From eac1835c23f52773a8c6238de579c0c086ae6d5d Mon Sep 17 00:00:00 2001 
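Review bot: The replacement trace line at the end of `isTriviallyAllowed`, `generalLogger.trace("Entitlement not trivially allowed");`, no longer says which caller fell through to a full entitlement check, so it cannot be correlated with a later denial. The debug line just above it already formats a value derived from `requestingClass` without an exception, so naming the class should be compatible with the new no-exception rule: `generalLogger.trace("Entitlement not trivially allowed for class [{}]", requestingClass.getName());`. The method starts in the previous hunk, where the rule against logging exceptions is recorded.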
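Review bot: The comment `// necessary due to lack of delegation ES-12382` now sits above the `SHARED_REPO` entry and replaces the open question about that grant, while the newly added `SHARED_DATA` read-write grant below it has no rationale of its own. This file lives under `src/main`, so the wider grant presumably applies outside tests as well. The later patches in this series add `SHARED_DATA` read-write to further scopes in `createServerEntitlements` (including `org.apache.lucene.misc` and `org.elasticsearch.nativeaccess`) with no comment at all, and patch 09 widens one grant from `READ` to `READ_WRITE` under the subject "fix". I would mark each grant as temporary so it can be narrowed later, e.g. `// TODO: drop SHARED_DATA once entitlement delegation (ES-12382) is available`, assuming that ticket is the reason for all of them.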
From: Moritz Mack Date: Wed, 23 Jul 2025 13:20:12 +0200 Subject: [PATCH 07/12] grant shared_data dir to lucene --- .../entitlement/bootstrap/HardcodedEntitlements.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java index de5d690796b6d..a1a63020f3231 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java @@ -123,6 +123,7 @@ private static List createServerEntitlements(Path pidFile) { new FilesEntitlement( List.of( FilesEntitlement.FileData.ofBaseDirPath(CONFIG, READ), + FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ), FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE) ) ) @@ -131,6 +132,7 @@ private static List createServerEntitlements(Path pidFile) { new Scope( "org.apache.lucene.misc", List.of( + new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ_WRITE))), new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE))), new ReadStoreAttributesEntitlement() ) @@ -146,6 +148,7 @@ private static List createServerEntitlements(Path pidFile) { "org.elasticsearch.nativeaccess", List.of( new LoadNativeLibrariesEntitlement(), + new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ_WRITE))), new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE))) ) ) From b85aff5140c21854250501235c8428cd62089c58 Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Wed, 23 Jul 2025 13:47:26 +0200 Subject: [PATCH 08/12] fix --- .../bootstrap/HardcodedEntitlements.java | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) 
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java index a1a63020f3231..79571482480fc 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java @@ -132,8 +132,12 @@ private static List createServerEntitlements(Path pidFile) { new Scope( "org.apache.lucene.misc", List.of( - new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ_WRITE))), - new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE))), + new FilesEntitlement( + List.of( + FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ_WRITE), + FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE) + ) + ), new ReadStoreAttributesEntitlement() ) ), @@ -148,8 +152,12 @@ private static List createServerEntitlements(Path pidFile) { "org.elasticsearch.nativeaccess", List.of( new LoadNativeLibrariesEntitlement(), - new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ_WRITE))), - new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE))) + new FilesEntitlement( + List.of( + FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ_WRITE), + FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE) + ) + ) ) ) ); From 7b7a7f3b022bd31c373b30d1a71d2f9b444f1216 Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Wed, 23 Jul 2025 14:22:54 +0200 Subject: [PATCH 09/12] fix --- .../entitlement/bootstrap/HardcodedEntitlements.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java index 79571482480fc..01e1092f53d00 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java @@ -123,7 +123,7 @@ private static List createServerEntitlements(Path pidFile) { new FilesEntitlement( List.of( FilesEntitlement.FileData.ofBaseDirPath(CONFIG, READ), - FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ), + FilesEntitlement.FileData.ofBaseDirPath(SHARED_DATA, READ_WRITE), FilesEntitlement.FileData.ofBaseDirPath(DATA, READ_WRITE) ) ) From 6351ddef892d19d4084bd5adfe5912cec761a3df Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Thu, 24 Jul 2025 09:08:18 +0200 Subject: [PATCH 10/12] logging --- .../bootstrap/TestEntitlementBootstrap.java | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java b/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java index 2343b283eaec1..d9c10d0d251e5 100644 --- a/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java +++ b/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java 
@@ -91,7 +91,13 @@ public static void registerNodeBaseDirs(Settings settings, Path configPath) { Collection dataDirs = dataDirs(settings, homeDir); Collection sharedDataDir = sharedDataDir(settings); Collection repoDirs = repoDirs(settings); - logger.debug("Registering node dirs: config [{}], dataDirs [{}], repoDirs [{}]", configDir, dataDirs, repoDirs); + logger.debug( + "Registering node dirs: config [{}], dataDirs [{}], sharedDataDir [{}], repoDirs [{}]", + configDir, + dataDirs, + sharedDataDir, + repoDirs + ); baseDirPaths.compute(BaseDir.CONFIG, baseDirModifier(paths -> paths.add(configDir))); baseDirPaths.compute(BaseDir.DATA, baseDirModifier(paths -> paths.addAll(dataDirs))); baseDirPaths.compute(BaseDir.SHARED_DATA, baseDirModifier(paths -> paths.addAll(sharedDataDir))); @@ -109,7 +115,13 @@ public static void unregisterNodeBaseDirs(Settings settings, Path configPath) { Collection dataDirs = dataDirs(settings, homeDir); Collection sharedDataDir = sharedDataDir(settings); Collection repoDirs = repoDirs(settings); - logger.debug("Unregistering node dirs: config [{}], dataDirs [{}], repoDirs [{}]", configDir, dataDirs, repoDirs); + logger.debug( + "Unregistering node dirs: config [{}], dataDirs [{}], sharedDataDir [{}], repoDirs [{}]", + configDir, + dataDirs, + sharedDataDir, + repoDirs + ); baseDirPaths.compute(BaseDir.CONFIG, baseDirModifier(paths -> paths.remove(configDir))); baseDirPaths.compute(BaseDir.DATA, baseDirModifier(paths -> paths.removeAll(dataDirs))); baseDirPaths.compute(BaseDir.SHARED_DATA, baseDirModifier(paths -> paths.removeAll(sharedDataDir))); From 43f856e13e449693efa0165c66ac3f8133bcb045 Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Thu, 24 Jul 2025 09:13:15 +0200 Subject: [PATCH 11/12] grant shared_data dir to plugins that have a grant on data dir indices/ --- .../store-smb/src/main/plugin-metadata/entitlement-policy.yaml | 3 +++ .../src/main/plugin-metadata/entitlement-policy.yaml | 3 +++ 2 files changed, 6 insertions(+) 
diff --git a/plugins/store-smb/src/main/plugin-metadata/entitlement-policy.yaml b/plugins/store-smb/src/main/plugin-metadata/entitlement-policy.yaml index 1022253171a11..dbe45c7527967 100644 --- a/plugins/store-smb/src/main/plugin-metadata/entitlement-policy.yaml +++ b/plugins/store-smb/src/main/plugin-metadata/entitlement-policy.yaml @@ -3,3 +3,6 @@ ALL-UNNAMED: - relative_path: "indices/" relative_to: data mode: read_write + - relative_path: "" + relative_to: shared_data + mode: read_write diff --git a/x-pack/plugin/searchable-snapshots/src/main/plugin-metadata/entitlement-policy.yaml b/x-pack/plugin/searchable-snapshots/src/main/plugin-metadata/entitlement-policy.yaml index 69eead6707114..d21ee299b832d 100644 --- a/x-pack/plugin/searchable-snapshots/src/main/plugin-metadata/entitlement-policy.yaml +++ b/x-pack/plugin/searchable-snapshots/src/main/plugin-metadata/entitlement-policy.yaml @@ -6,3 +6,6 @@ org.elasticsearch.searchablesnapshots: - relative_path: indices relative_to: data mode: read_write + - relative_path: "" + relative_to: shared_data + mode: read_write From 35dfa0d33df21822037433c6391235f0f9ec2ee8 Mon Sep 17 00:00:00 2001 From: Moritz Mack Date: Thu, 24 Jul 2025 09:58:27 +0200 Subject: [PATCH 12/12] fix parser --- .../runtime/policy/entitlements/FilesEntitlement.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java index 872a083a76ba6..cc9ef9d263dd1 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java 
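Review bot: The new entry `relative_path: ""` with `relative_to: shared_data` and `mode: read_write` grants the whole shared data directory, whereas the existing `data` grant in the same policy is limited to `indices/`. The second hunk adds the identical entry to the searchable-snapshots policy. If the shared data directory uses the same layout, the grant could be narrowed to match with `relative_path: "indices/"`. If the root is really needed, a YAML comment above the entry should say why, for example `# whole shared_data dir: <reason>`.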
@@ -182,8 +182,9 @@ private static BaseDir parseBaseDir(String baseDir) { case "config" -> BaseDir.CONFIG; case "data" -> BaseDir.DATA; case "home" -> BaseDir.USER_HOME; + case "shared_data" -> BaseDir.SHARED_DATA; // it would be nice to limit this to just ES modules, but we don't have a way to plumb that through to here - // however, we still don't document in the error case below that shared_repo is valid + // however, we still don't document in the error case below that shared_repo and shared_data is valid case "shared_repo" -> BaseDir.SHARED_REPO; default -> throw new PolicyValidationException( "invalid relative directory: " + baseDir + ", valid values: [config, data, home]"
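Review bot: `case "shared_data" -> BaseDir.SHARED_DATA;` makes the value accepted from every policy file that reaches `parseBaseDir`, and the comment below it says there is no way to limit this to ES modules. Together with the error message, which still lists only `[config, data, home]`, this presumably leaves an undocumented but accepted value that widens file access for any plugin policy. The comment should state that consequence rather than only the wish: `// NOTE: any policy file can currently request shared_repo or shared_data; both are intentionally left out of the error message below`. The reworded comment line also needs "are valid" instead of "is valid". The start of the switch and the rest of `parseBaseDir` lie outside the hunk.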