minimal changes to always use entitlements

Author: ldematte

build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java

@@ -42,7 +42,7 @@ public abstract class RunTask extends DefaultTestClustersTask {
 
     private Boolean debug = false;
     private Boolean cliDebug = false;
-    private Boolean entitlementsEnabled = false;
+
     private Boolean apmServerEnabled = false;
 
     private Boolean preserveData = false;
@@ -74,9 +74,7 @@ public void setCliDebug(boolean enabled) {
         option = "entitlements",
         description = "Use the Entitlements agent system in place of SecurityManager to enforce sandbox policies."
     )
-    public void setEntitlementsEnabled(boolean enabled) {
-        this.entitlementsEnabled = enabled;
-    }
+    public void setEntitlementsEnabled(boolean enabled) {}
 
     @Input
     public Boolean getDebug() {
@@ -90,7 +88,7 @@ public Boolean getCliDebug() {
 
     @Input
     public Boolean getEntitlementsEnabled() {
-        return entitlementsEnabled;
+        return true;
     }
 
     @Input
@@ -240,9 +238,7 @@ else if (node.getSettingKeys().contains("telemetry.metrics.enabled") == false) {
         if (cliDebug) {
             enableCliDebug();
         }
-        if (entitlementsEnabled) {
-            enableEntitlements();
-        }
+        enableEntitlements();
     }
 
     @TaskAction

distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java

@@ -11,7 +11,6 @@
 
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
-import org.elasticsearch.core.Booleans;
 import org.elasticsearch.jdk.RuntimeVersionFeature;
 
 import java.io.IOException;
@@ -27,9 +26,8 @@ final class SystemJvmOptions {
     static List<String> systemJvmOptions(Settings nodeSettings, final Map<String, String> sysprops) {
         String distroType = sysprops.get("es.distribution.type");
         boolean isHotspot = sysprops.getOrDefault("sun.management.compiler", "").contains("HotSpot");
-        boolean entitlementsExplicitlyEnabled = Booleans.parseBoolean(sysprops.getOrDefault("es.entitlements.enabled", "true"));
-        // java 24+ only supports entitlements, but it may be enabled on earlier versions explicitly
-        boolean useEntitlements = RuntimeVersionFeature.isSecurityManagerAvailable() == false || entitlementsExplicitlyEnabled;
+
+        boolean useEntitlements = true;
         return Stream.of(
             Stream.of(
                 /*

modules/analysis-common/build.gradle

@@ -38,14 +38,11 @@ tasks.named("yamlRestCompatTestTransform").configure { task ->
 }
 
 tasks.named("yamlRestTest").configure {
-  if (buildParams.getRuntimeJavaVersion().map{ it.majorVersion.toInteger() }.get() >= 24 ||
-    "-Des.entitlements.enabled=true".equals(System.getProperty("tests.jvm.argline"))) {
-    systemProperty 'tests.rest.blacklist',
-      [
-        // AWAITSFIX: this test relies on security manager, which doesn't exist in JDK 24.
-        // and entitlements don't yet replace the functionality.
-        // see https://github.com/elastic/elasticsearch/issues/119130
-        'analysis-common/40_token_filters/stemmer_override file access',
-      ].join(',')
-  }
+  systemProperty 'tests.rest.blacklist',
+    [
+      // AWAITSFIX: this test relies on security manager, which doesn't exist in JDK 24.
+      // and entitlements don't yet replace the functionality.
+      // see https://github.com/elastic/elasticsearch/issues/119130
+      'analysis-common/40_token_filters/stemmer_override file access',
+    ].join(',')
 }

modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java

@@ -18,11 +18,9 @@
 import org.apache.tika.parser.ParserDecorator;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.bootstrap.FilePermissionUtils;
-import org.elasticsearch.core.Booleans;
 import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.jdk.JarHell;
-import org.elasticsearch.jdk.RuntimeVersionFeature;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -129,9 +127,7 @@ static String parse(final byte content[], final Metadata metadata, final int lim
         : null;
 
     private static boolean isUsingSecurityManager() {
-        boolean entitlementsEnabled = Booleans.parseBoolean(System.getProperty("es.entitlements.enabled"), false)
-            || RuntimeVersionFeature.isSecurityManagerAvailable() == false;
-        return entitlementsEnabled == false;
+        return false;
     }
 
     // compute some minimal permissions for parsers. they only get r/w access to the java temp directory,

server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java

@@ -28,7 +28,6 @@
 import org.elasticsearch.common.transport.BoundTransportAddress;
 import org.elasticsearch.common.util.concurrent.RunOnce;
 import org.elasticsearch.core.AbstractRefCounted;
-import org.elasticsearch.core.Booleans;
 import org.elasticsearch.core.CheckedConsumer;
 import org.elasticsearch.core.IOUtils;
 import org.elasticsearch.core.SuppressForbidden;
@@ -123,9 +122,8 @@ private static Bootstrap initPhase1() {
         final PrintStream out = getStdout();
         final PrintStream err = getStderr();
         final ServerArgs args;
-        final boolean entitlementsEnabled = Booleans.parseBoolean(System.getProperty("es.entitlements.enabled", "true"));
-        // java 24+ only supports entitlements, but it may be enabled on earlier versions explicitly
-        final boolean useEntitlements = RuntimeVersionFeature.isSecurityManagerAvailable() == false || entitlementsEnabled;
+
+        final boolean useEntitlements = true;
         try {
             initSecurityProperties();
 

x-pack/qa/security-example-spi-extension/src/main/java/org/elasticsearch/example/ExampleSecurityExtension.java

@@ -36,7 +36,7 @@
 public class ExampleSecurityExtension implements SecurityExtension {
 
     static {
-        final boolean useEntitlements = Boolean.parseBoolean(System.getProperty("es.entitlements.enabled"));
+        final boolean useEntitlements = true;
         if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) {
             // check that the extension's policy works.
             AccessController.doPrivileged((PrivilegedAction<Void>) () -> {