This PR adjusts the list of supported ciphers to reflect ciphers
available in JDK 24.
JDK 24 [drops](https://bugs.openjdk.org/browse/JDK-8245545) support for
`TLS_RSA` suites. These ciphers will no longer be supported in
Elasticsearch with a bundled JDK with version >= 24. JDK's of lower
versions will continue to support to dropped ciphers.
I will follow up this PR with a separate docs PR.
All CLIs in elasticsearch support command line flags for controlling the
output level. When --silent is used, the expectation is that normal
logging is omitted. Yet the log4j logger is still configured to output
error level logs. This commit sets the appropriate log level for log4j
depending on the Terminal log level.
This commit reworks the settings globs to be more useable. Primarily it
expands the values so that the settings may be lists, iterating over
each value. Additionally it simplifies the function to also allow
non-glob settings so that this single method may be used to lookup all
values for a given setting pattern, whether it contains a glob or not.
The setting based paths could be either absolute or relative, and they
are always relative to the config dir. This commit renames the
path_setting to make it clear it is related to config, and removes the
relative variant.
SSL file utils currently only handle security manager access control
exceptions around file read checks. This PR extends these to support
entitlement checks as well.
There is no easy way to unit test this since we can't run unit tests
with entitlements enabled (for now). The PR includes a REST test
instead.
Relates: https://github.com/elastic/elasticsearch/issues/121960
This adds an exclusive parameter for FilesEntitlement where a path can be made exclusive for a certain
module. Should two modules attempt to both specify the same path as exclusive an exception is
thrown.
File entitlements which read a setting may actually contain urls. This
commit adds an optional `ignore_url` property for the entitlement to
skip any values which are urls.
* Enable entitlements by default (#122907)
Entitlements are almost complete. This commit enables them by default,
in preparation for 8.18/9.0.
* mute test
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
The NamedComponentReader reads a file created upon plugin installation
for stable plugins from the plugin installation dir. This commit passes
the plugins directory through to entitlements and grants server access.
* Consider entitlement lib as system module
Entitlements sometimes needs to perform sensitive operations,
particularly within the FileAccessTree. This commit expands the
trivially allowed check to include entitlements as one of the system
modules alongside the jdk. One consequence is that the self test must be
moved outside entitlements.
* [CI] Auto commit changes from spotless
* remove old method call
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Some file paths are OS specific. This commit adds a `platform` property
to each file in a files entitlement that can be used to limit that file
to a specific platform.
Co-authored-by: Moritz Mack <mmack@apache.org>
Co-authored-by: Lorenzo Dematte <lorenzo.dematte@elastic.co>
* java.base entitlements
* SuppressForbidden, and add a missing test
* Revert logging back to commented-out printlns
* Merge FileCheckActions and rename for overloads
* Remove stray logger
* Remove more traces of logging change
* Remove more traces of logging
With Security Manager we have SecuredConfigFileSettingAccessPermission.
This commit adds an entitlement equivalent. With each entry in files
entitlement, a `path_setting` can now be used. The value may be an
explicit setting, or a setting glob with a single `*`.
relates ES-10844
This commit adds instrumentation for File methods that require read permissions.
see #122109 for the write side
(cherry picked from commit bf1cbb0e47)
# Conflicts:
# x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
Co-authored-by: Ryan Ernst <ryan@iernst.net>
Add missing entitlements for trust store if running in fips mode.
Fixes#122546, fixes#122569, fixes#122568, fixes#122680, fixes
#122566
(cherry picked from commit 87c58ff93f)
# Conflicts:
# muted-tests.yml
# x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
This commit switches to using records in place of classes for FileData
impls. It moves them outside the interface so that they can be private.
This does not change the fact the interface is sealed, nor the factory
methods for creating them.
