Add jdk.management.agent module to server

Author: mark-vieira

distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java

@@ -109,6 +109,7 @@ private List<String> getJvmArgs() {
             esHome.resolve("lib").toString(),
             // Special circumstances require some modules (not depended on by the main server module) to be explicitly added:
             "--add-modules=jdk.net", // needed to reflectively set extended socket options
+            "--add-modules=jdk.management.agent", // needed by external debug tools to grab thread and heap dumps
             // we control the module path, which may have additional modules not required by server
             "--add-modules=ALL-MODULE-PATH",
             "-m",

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -34,7 +34,6 @@
 import java.lang.StackWalker.StackFrame;
 import java.lang.module.ModuleFinder;
 import java.lang.module.ModuleReference;
-import java.lang.module.ResolvedModule;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -124,10 +123,20 @@ ModuleEntitlements policyEntitlements(String componentName, String moduleName, L
 
     public static final String ALL_UNNAMED = "ALL-UNNAMED";
 
-    private static final Set<ModuleReference> systemModules = findSystemModules();
+    private static final Set<Module> systemModules = findSystemModules();
 
-    private static Set<ModuleReference> findSystemModules() {
-        return ModuleFinder.ofSystem().findAll().stream().collect(Collectors.toUnmodifiableSet());
+    private static Set<Module> findSystemModules() {
+        var systemModulesDescriptors = ModuleFinder.ofSystem()
+            .findAll()
+            .stream()
+            .map(ModuleReference::descriptor)
+            .collect(Collectors.toUnmodifiableSet());
+        return Stream.concat(
+            // entitlements is a "system" module, we can do anything from it
+            Stream.of(PolicyManager.class.getModule()),
+            // anything in the boot layer is also part of the system
+            ModuleLayer.boot().modules().stream().filter(m -> systemModulesDescriptors.contains(m.getDescriptor()))
+        ).collect(Collectors.toUnmodifiableSet());
     }
 
     /**
@@ -606,31 +615,14 @@ private static boolean isTriviallyAllowed(Class<?> requestingClass) {
             logger.debug("Entitlement trivially allowed: no caller frames outside the entitlement library");
             return true;
         }
-        if (isSystemModule(requestingClass.getModule())) {
+        if (systemModules.contains(requestingClass.getModule())) {
             logger.debug("Entitlement trivially allowed from system module [{}]", requestingClass.getModule().getName());
             return true;
         }
         logger.trace("Entitlement not trivially allowed");
         return false;
     }
 
-    /**
-     * Determines if the given {@link Module} is a system module. That is, a module that is included as part of the Java runtime.
-     */
-    private static boolean isSystemModule(Module module) {
-        if (module.getLayer() == null) {
-            // This is an unnamed module, so not a system module
-            return false;
-        }
-
-        ModuleReference moduleReference = module.getLayer()
-            .configuration()
-            .findModule(module.getName())
-            .map(ResolvedModule::reference)
-            .orElse(null);
-        return module == PolicyManager.class.getModule() || (moduleReference != null && systemModules.contains(moduleReference));
-    }
-
     @Override
     public String toString() {
         return "PolicyManager{" + "serverEntitlements=" + serverEntitlements + ", pluginsEntitlements=" + pluginsEntitlements + '}';