1111
1212import org .elasticsearch .core .Strings ;
1313import org .elasticsearch .core .SuppressForbidden ;
14+ import org .elasticsearch .entitlement .bootstrap .EntitlementBootstrap ;
1415import org .elasticsearch .entitlement .instrumentation .InstrumentationService ;
1516import org .elasticsearch .entitlement .runtime .api .NotEntitledException ;
1617import org .elasticsearch .entitlement .runtime .policy .entitlements .CreateClassLoaderEntitlement ;
@@ -217,7 +218,8 @@ private void neverEntitled(Class<?> callerClass, Supplier<String> operationDescr
217218 requestingClass .getModule ().getName (),
218219 requestingClass ,
219220 operationDescription .get ()
220- )
221+ ),
222+ callerClass
221223 );
222224 }
223225
@@ -276,7 +278,8 @@ public void checkFileRead(Class<?> callerClass, Path path) {
276278 requestingClass .getModule ().getName (),
277279 requestingClass ,
278280 path
279- )
281+ ),
282+ callerClass
280283 );
281284 }
282285 }
@@ -301,7 +304,8 @@ public void checkFileWrite(Class<?> callerClass, Path path) {
301304 requestingClass .getModule ().getName (),
302305 requestingClass ,
303306 path
304- )
307+ ),
308+ callerClass
305309 );
306310 }
307311 }
@@ -362,14 +366,15 @@ public void checkAllNetworkAccess(Class<?> callerClass) {
362366 }
363367
364368 var classEntitlements = getEntitlements (requestingClass );
365- checkFlagEntitlement (classEntitlements , InboundNetworkEntitlement .class , requestingClass );
366- checkFlagEntitlement (classEntitlements , OutboundNetworkEntitlement .class , requestingClass );
369+ checkFlagEntitlement (classEntitlements , InboundNetworkEntitlement .class , requestingClass , callerClass );
370+ checkFlagEntitlement (classEntitlements , OutboundNetworkEntitlement .class , requestingClass , callerClass );
367371 }
368372
369373 private static void checkFlagEntitlement (
370374 ModuleEntitlements classEntitlements ,
371375 Class <? extends Entitlement > entitlementClass ,
372- Class <?> requestingClass
376+ Class <?> requestingClass ,
377+ Class <?> callerClass
373378 ) {
374379 if (classEntitlements .hasEntitlement (entitlementClass ) == false ) {
375380 notEntitled (
@@ -379,7 +384,8 @@ private static void checkFlagEntitlement(
379384 requestingClass .getModule ().getName (),
380385 requestingClass ,
381386 PolicyParser .getEntitlementTypeName (entitlementClass )
382- )
387+ ),
388+ callerClass
383389 );
384390 }
385391 logger .debug (
@@ -419,12 +425,18 @@ public void checkWriteProperty(Class<?> callerClass, String property) {
419425 requestingClass .getModule ().getName (),
420426 requestingClass ,
421427 property
422- )
428+ ),
429+ callerClass
423430 );
424431 }
425432
426- private static void notEntitled (String message ) {
427- throw new NotEntitledException (message );
433+ private static void notEntitled (String message , Class <?> callerClass ) {
434+ var exception = new NotEntitledException (message );
435+ // don't log self tests in EntitlementBootstrap
436+ if (EntitlementBootstrap .class .equals (callerClass ) == false ) {
437+ logger .warn (message , exception );
438+ }
439+ throw exception ;
428440 }
429441
430442 public void checkManageThreadsEntitlement (Class <?> callerClass ) {
@@ -436,7 +448,7 @@ private void checkEntitlementPresent(Class<?> callerClass, Class<? extends Entit
436448 if (isTriviallyAllowed (requestingClass )) {
437449 return ;
438450 }
439- checkFlagEntitlement (getEntitlements (requestingClass ), entitlementClass , requestingClass );
451+ checkFlagEntitlement (getEntitlements (requestingClass ), entitlementClass , requestingClass , callerClass );
440452 }
441453
442454 ModuleEntitlements getEntitlements (Class <?> requestingClass ) {
0 commit comments