Now that entitlements are always used, there is no need to run tests
with security manager (a future enhancement will run tests with
entitlements). This commit removes setting up security manager from
tests.
The add string keystore command accepts input on stdin. In this case,
the terminal is responsible for separating input by newlines that are
system dependent. The mock terminal normally adds the system dependent
newline. However, we also have tests that ensure both unix and windows
style newlines are tested explicitly. This commit fixes the windows
style carriage returns to explicitly contain a newline.
closes#127089
As a followon to #126729, the add string keystore command doesn't need
to use a reader at all (and it was incorrect for it to close the reader
from the terminal). Instead, the Terminal abstraction already handles
how to get at line by line secrets. This commit removes that usage of
reader and uses readSecret calls instead.
closes#126882
With the change to using the logs dir as the working dir of the
Elasticsearch process we need to ensure the logs dir exists within the
CLI instead of later during startup.
relates #124966
When reading a string value from stdin the keystore add command
currently looks directly at stdin. However, stdin may also be consumed
while reading the keystore password. This commit changes the add command
to use the reader from the termainl instead of looking at stdin
directly.
closes#98115
In the unexpected case that Elasticsearch dies due to a segfault or
other similar native issue, a core dump is useful in diagnosing the
problem. Yet core dumps are written to the working directory, which is
read-only for most installations of Elasticsearch. This commit changes
the working directory to the logs dir which should always be writeable.
This PR replaces the parsing and formatting of SecurityManager policies with the parsing and formatting of Entitlements policy during plugin installation.
Relates to ES-10923
This PR adds a check and a warning message if the user is trying to install a plugin containing the legacy plugin-security.policy used by SecurityManager.
Relates to ES-10846
The JDK team has completely disabled the Java SecurityManager from Java 24. Elasticsearch has always used the Java SecurityManager as an additional protection mechanism; in order to retain this second line of defense, the Elasticsearch Core/Infra team has been working on the Entitlements project.
Similar to SecurityManager, Entitlements only allow calling specific methods in the JDK when the caller has a matching policy attached. In other words, if some code (in the main Elasticsearch codebase, in a plugin/module, or in a script) attempts to perform a "privileged" operation and it is not entitled to do so, a NotEntitledException will be thrown.
This PR includes the minimal set of changes to always use Entitlements, regardless of system properties or Java version.
Relates to ES-10921
Information about the system, and in particular the running JVM, is
logged relatively late in startup. When problems occur in low level
initialization, it is often useful to have this information. This commit
moves logging of system information to right after logging has been
initialized. Note that it no longer utilizes the JvmInfo class as most
was already easily available and the static init of JvmInfo does a lot.
By default Lucene only uses vectorization up to the JDK version
available at the time of its release. When testing against EA versions,
we want to still use vectorization. This commit adds a sysprop to force
lucene to use the current version for vectorization.
* Remove @UpdateForV9 annotation in RuntimeVersionFeature
Re ES-10338 the Core/Infra team agreed that this is not blocked on security manager removal. We should go ahead and remove these 2 instances of the @UpdateForV9 annotation, the code will be cleaned up soon with the removal of Security Manager.
* Remove @UpdateForV9 annotation from SystemJvmOptions
re ES-10338 the Core/Infra team agreed this is not blocked on security manager removal. We should go ahead and remove this instance of the @UpdateForV9 annotation.
The node environment has many paths. The accessors for these currently
use a "file" suffix, but they are always directories. This commit
renames the accessors to make it clear these paths are directories.
Since entitlements are still being developed, we are not yet ready to
enable them for all JDK versions. But we must use them for JDK 24+ since
the security manager is not useable there. This commit tweaks the logic
for determining whether to use entitlements to take into account the
runtime version.
* Refactor: separate check method name vs signature parsing
* Cosmetic: change checker comment format
* Entitlements for JDK-wide global state
* [CI] Auto commit changes from spotless
* Comment explaining entitlement add-exports
* @SuppressForbidden
* Refactor: rename dummy subclases
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
* Refactor: treat "maybe" JVM options uniformly
* WIP
* Get entitlement running with bridge all the way through, with qualified
exports
* Cosmetic changes to SystemJvmOptions
* Disable entitlements by default
* Bridge module comments
* Fixup forbidden APIs
* spotless
* Rename EntitlementChecker
* Fixup InstrumenterTests
* exclude recursive dep
* Fix some compliance stuff
* Rename asm-provider
* Stop using bridge in InstrumenterTests
* Generalize readme for asm-provider
* InstrumenterTests doesn't need EntitlementCheckerHandle
* Better javadoc
* Call parseBoolean
* Add entitlement to internal module list
* Docs as requested by Lorenzo
* Changes from Jack
* Rename ElasticsearchEntitlementChecker
* Remove logging javadoc
* exportInitializationToAgent should reference EntitlementInitialization, not EntitlementBootstrap.
They're currently in the same module, but if that ever changes, this code would have become wrong.
* Some suggestions from Mark
---------
Co-authored-by: Ryan Ernst <ryan@iernst.net>
The distribution tools are meant to be CLIs. This commit moves the
entitlements jar projects to the libs dir, under a single
libs/entitlement root directory to keep the related jars together.
The libs projects are configured to all begin with `elasticsearch-`.
While this is desireable for the artifacts to contain this consistent
prefix, it means the project names don't match up with their
directories. Additionally, it creates complexities for subproject naming
that must be manually adjusted.
This commit adjusts the project names for those under libs to be their
directory names. The resulting artifacts for these libs are kept the
same, all beginning with `elasticsearch-`.
This change adds entitlement policy parsing with the following design:
* YAML file for readability and re-use of our x-content parsers
* hierarchical structure to group entitlements under a single scope
* no general entitlements without a scope or for the entire project
* Entitlements for System.exit
* Respond to Simon's comments
* Rename trampoline -> bridge
* Require exactly one bridge jar
* Use Type helpers to generate descriptor strings
* Various cleanup from PR comments
* Remove null "receiver" for static methods
* Use List<Type> instead of voidDescriptor
* Clarifying comment
* Whoops, getMethod
* SuppressForbidden System.exit
* Spotless
* Use embedded provider plugin to keep ASM off classpath
* Oops... forgot the punchline
* Move ASM license to impl
* Use ProviderLocator and simplify bridgeJar logic
* Avoid eager resolution of configurations during task configuration
* Remove compile-time dependency agent->bridge
---------
Co-authored-by: Mark Vieira <portugee@gmail.com>
Regardless of JDK version, ES should always use CLDR locale database from 9.0.0.
This also removes IsoCalendarDataProvider used to override week-date calculations for the root locale only.
* Initial hello-world entitlements agent
* Respond to Ryan's comments
* License header
* Fix forbidden APIs setup
* Rename EntitlementAgent
* Automated refactor missed one
* Automated rename really let me down here
* Very serious test name
* README files for the new modules
* Use "tasks.named('jar')"
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* Use 'tasks.named('test')'
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* More deferral of gradle tasks
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* Even more deferral
Co-authored-by: Rene Groeschke <rene@breskeby.com>
* FIx gradle syntax for javaagent arg
---------
Co-authored-by: Rene Groeschke <rene@breskeby.com>
The version checker ensures custom JDKs used to run Elasticsearch meet
the minimum Java version. It uses a multi-release jar to pass through
the "ok" versions, falling back to a java 8 version to print an error.
However, a multi-release jar is not necessary, we can instead do simple
string version parsing for the check, special casing Java 1.8.
JDK 23 removes the COMPAT locale provider, leaving CLDR as the only option. This commit configures Elasticsearch
to use the CLDR provider when on JDK 23, but still use the existing COMPAT provider when on JDK 22 and below.
This causes some differences in locale behaviour; this also adapts various tests to still work whether run on COMPAT or CLDR.
When the server CLI is preparing to start Elasticsearch, it may receive
a SIGTERM. That signal causes the close method of the CLI to be invoked,
which checks for a non-null server process, and stops it if it exists.
Since shutdown occurs in a different thread, it is possible close is
invoked, sees the server process is null, so skips calling close, but
then before close finishes the server process is started.
Normally the above case is ok; the close method will cause Java to exit,
and the child process will be sent a SIGTERM. However, in the case of
serverless, close is wrapped so that the CLI can wait on uploading
possible heapdumps. This presents the possibility that close thinks the
child process has been stopped, but it hasn't, so the wrapped close
waits indefinitely on the child process that was started up during the
race.
This commit guards against the startup race by locking the critical
sections that create the child process and stop it. Either the child
process is created first, and will then be stopped immediately, or close
is invoked first, marking that the CLI is shutting down, and creating
the child process will be skipped.
