@@ -134,20 +134,6 @@ private static Bootstrap initPhase1() {
134134 final boolean useEntitlements = true ;
135135 try {
136136 initSecurityProperties ();
137-
138- /*
139- * We want the JVM to think there is a security manager installed so that if internal policy decisions that would be based on
140- * the presence of a security manager or lack thereof act as if there is a security manager present (e.g., DNS cache policy).
141- * This forces such policies to take effect immediately.
142- */
143- if (useEntitlements == false && RuntimeVersionFeature .isSecurityManagerAvailable ()) {
144- org .elasticsearch .bootstrap .Security .setSecurityManager (new SecurityManager () {
145- @ Override
146- public void checkPermission (Permission perm ) {
147- // grant all permissions so that we can later set the security manager to the one that we want
148- }
149- });
150- }
151137 LogConfigurator .registerErrorListener ();
152138
153139 BootstrapInfo .init ();
@@ -245,61 +231,48 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
245231
246232 final PluginsLoader pluginsLoader ;
247233
248- if (bootstrap .useEntitlements ()) {
249- LogManager .getLogger (Elasticsearch .class ).info ("Bootstrapping Entitlements" );
250-
251- var pluginData = Stream .concat (
252- modulesBundles .stream ()
253- .map (bundle -> new PolicyUtils .PluginData (bundle .getDir (), bundle .pluginDescriptor ().isModular (), false )),
254- pluginsBundles .stream ()
255- .map (bundle -> new PolicyUtils .PluginData (bundle .getDir (), bundle .pluginDescriptor ().isModular (), true ))
256- ).toList ();
257-
258- var pluginPolicyPatches = collectPluginPolicyPatches (modulesBundles , pluginsBundles , logger );
259- var pluginPolicies = PolicyUtils .createPluginPolicies (pluginData , pluginPolicyPatches , Build .current ().version ());
260- var serverPolicyPatch = PolicyUtils .parseEncodedPolicyIfExists (
261- System .getProperty (SERVER_POLICY_PATCH_NAME ),
262- Build .current ().version (),
263- false ,
264- "server" ,
265- PolicyManager .SERVER_LAYER_MODULES .stream ().map (Module ::getName ).collect (Collectors .toUnmodifiableSet ())
266- );
234+ LogManager .getLogger (Elasticsearch .class ).info ("Bootstrapping Entitlements" );
235+
236+ var pluginData = Stream .concat (
237+ modulesBundles .stream ()
238+ .map (bundle -> new PolicyUtils .PluginData (bundle .getDir (), bundle .pluginDescriptor ().isModular (), false )),
239+ pluginsBundles .stream ()
240+ .map (bundle -> new PolicyUtils .PluginData (bundle .getDir (), bundle .pluginDescriptor ().isModular (), true ))
241+ ).toList ();
242+
243+ var pluginPolicyPatches = collectPluginPolicyPatches (modulesBundles , pluginsBundles , logger );
244+ var pluginPolicies = PolicyUtils .createPluginPolicies (pluginData , pluginPolicyPatches , Build .current ().version ());
245+ var serverPolicyPatch = PolicyUtils .parseEncodedPolicyIfExists (
246+ System .getProperty (SERVER_POLICY_PATCH_NAME ),
247+ Build .current ().version (),
248+ false ,
249+ "server" ,
250+ PolicyManager .SERVER_LAYER_MODULES .stream ().map (Module ::getName ).collect (Collectors .toUnmodifiableSet ())
251+ );
267252
268- pluginsLoader = PluginsLoader .createPluginsLoader (modulesBundles , pluginsBundles , findPluginsWithNativeAccess (pluginPolicies ));
269-
270- var scopeResolver = ScopeResolver .create (pluginsLoader .pluginLayers (), APM_AGENT_PACKAGE_NAME );
271- Map <String , Path > sourcePaths = Stream .concat (modulesBundles .stream (), pluginsBundles .stream ())
272- .collect (Collectors .toUnmodifiableMap (bundle -> bundle .pluginDescriptor ().getName (), PluginBundle ::getDir ));
273- EntitlementBootstrap .bootstrap (
274- serverPolicyPatch ,
275- pluginPolicies ,
276- scopeResolver ::resolveClassToScope ,
277- nodeEnv .settings ()::getValues ,
278- nodeEnv .dataDirs (),
279- nodeEnv .repoDirs (),
280- nodeEnv .configDir (),
281- nodeEnv .libDir (),
282- nodeEnv .modulesDir (),
283- nodeEnv .pluginsDir (),
284- sourcePaths ,
285- nodeEnv .logsDir (),
286- nodeEnv .tmpDir (),
287- args .pidFile (),
288- Set .of (EntitlementSelfTester .class )
289- );
290- EntitlementSelfTester .entitlementSelfTest ();
291- } else {
292- assert RuntimeVersionFeature .isSecurityManagerAvailable ();
293- // no need to explicitly enable native access for legacy code
294- pluginsLoader = PluginsLoader .createPluginsLoader (modulesBundles , pluginsBundles , Map .of ());
295- // install SM after natives, shutdown hooks, etc.
296- LogManager .getLogger (Elasticsearch .class ).info ("Bootstrapping java SecurityManager" );
297- org .elasticsearch .bootstrap .Security .configure (
298- nodeEnv ,
299- SECURITY_FILTER_BAD_DEFAULTS_SETTING .get (args .nodeSettings ()),
300- args .pidFile ()
301- );
302- }
253+ pluginsLoader = PluginsLoader .createPluginsLoader (modulesBundles , pluginsBundles , findPluginsWithNativeAccess (pluginPolicies ));
254+
255+ var scopeResolver = ScopeResolver .create (pluginsLoader .pluginLayers (), APM_AGENT_PACKAGE_NAME );
256+ Map <String , Path > sourcePaths = Stream .concat (modulesBundles .stream (), pluginsBundles .stream ())
257+ .collect (Collectors .toUnmodifiableMap (bundle -> bundle .pluginDescriptor ().getName (), PluginBundle ::getDir ));
258+ EntitlementBootstrap .bootstrap (
259+ serverPolicyPatch ,
260+ pluginPolicies ,
261+ scopeResolver ::resolveClassToScope ,
262+ nodeEnv .settings ()::getValues ,
263+ nodeEnv .dataDirs (),
264+ nodeEnv .repoDirs (),
265+ nodeEnv .configDir (),
266+ nodeEnv .libDir (),
267+ nodeEnv .modulesDir (),
268+ nodeEnv .pluginsDir (),
269+ sourcePaths ,
270+ nodeEnv .logsDir (),
271+ nodeEnv .tmpDir (),
272+ args .pidFile (),
273+ Set .of (EntitlementSelfTester .class )
274+ );
275+ EntitlementSelfTester .entitlementSelfTest ();
303276
304277 bootstrap .setPluginsLoader (pluginsLoader );
305278 }
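Review bot: With the SecurityManager fallback removed, `EntitlementSelfTester.entitlementSelfTest()` at new line 275 is the only visible check that a sandbox is actually enforcing, and nothing in the block says so. I would add a comment above that call, such as `// entitlements are the only runtime sandbox now; this must run right after bootstrap and must abort startup on failure`, after confirming that the self-test throws rather than logs. The removed branch was also the only reader of `SECURITY_FILTER_BAD_DEFAULTS_SETTING` in this hunk, so if that setting is still registered elsewhere, operators who set it now get a silent no-op; it should be deprecated or rejected explicitly. Similarly, `final boolean useEntitlements = true;` survives as context in `initPhase1`, while `bootstrap.useEntitlements()` is no longer consulted here, so the flag and its accessor look like dead state to remove in the same change. `initPhase2` begins outside this hunk, so any earlier use of these names is not visible from here.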