
Commit 6d0bccf

committed
Entitlement reporting mode
1 parent 4688364 commit 6d0bccf


2 files changed

+49
-46
lines changed


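--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
@@ -43,6 +43,7 @@
 import java.util.stream.Stream;
 
 import static java.lang.StackWalker.Option.RETAIN_CLASS_REFERENCE;
+import static java.util.Collections.newSetFromMap;
 import static java.util.Objects.requireNonNull;
 import static java.util.function.Predicate.not;
 import static java.util.stream.Collectors.groupingBy;
@@ -192,15 +193,13 @@ private void neverEntitled(Class<?> callerClass, Supplier<String> operationDescr
 return;
 }
 
-throw new NotEntitledException(
-Strings.format(
-"Not entitled: component [%s], module [%s], class [%s], operation [%s]",
-getEntitlements(requestingClass).componentName(),
-requestingClass.getModule().getName(),
-requestingClass,
-operationDescription.get()
-)
-);
+notEntitled(Strings.format(
+"Not entitled: component [%s], module [%s], class [%s], operation [%s]",
+getEntitlements(requestingClass).componentName(),
+requestingClass.getModule().getName(),
+requestingClass,
+operationDescription.get()
+));
 }
 
 public void checkExitVM(Class<?> callerClass) {
@@ -251,15 +250,13 @@ public void checkFileRead(Class<?> callerClass, Path path) {
 
 ModuleEntitlements entitlements = getEntitlements(requestingClass);
 if (entitlements.fileAccess().canRead(path) == false) {
-throw new NotEntitledException(
-Strings.format(
-"Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
-entitlements.componentName(),
-requestingClass.getModule(),
-requestingClass,
-path
-)
-);
+notEntitled(Strings.format(
+"Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
+entitlements.componentName(),
+requestingClass.getModule(),
+requestingClass,
+path
+));
 }
 }
 
@@ -276,15 +273,13 @@ public void checkFileWrite(Class<?> callerClass, Path path) {
 
 ModuleEntitlements entitlements = getEntitlements(requestingClass);
 if (entitlements.fileAccess().canWrite(path) == false) {
-throw new NotEntitledException(
-Strings.format(
-"Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]",
-entitlements.componentName(),
-requestingClass.getModule(),
-requestingClass,
-path
-)
-);
+notEntitled(Strings.format(
+"Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]",
+entitlements.componentName(),
+requestingClass.getModule(),
+requestingClass,
+path
+));
 }
 }
 
@@ -325,15 +320,13 @@ private static void checkFlagEntitlement(
 Class<?> requestingClass
 ) {
 if (classEntitlements.hasEntitlement(entitlementClass) == false) {
-throw new NotEntitledException(
-Strings.format(
-"Not entitled: component [%s], module [%s], class [%s], entitlement [%s]",
-classEntitlements.componentName(),
-requestingClass.getModule().getName(),
-requestingClass,
-PolicyParser.getEntitlementTypeName(entitlementClass)
-)
-);
+notEntitled(Strings.format(
+"Not entitled: component [%s], module [%s], class [%s], entitlement [%s]",
+classEntitlements.componentName(),
+requestingClass.getModule().getName(),
+requestingClass,
+PolicyParser.getEntitlementTypeName(entitlementClass)
+));
 }
 logger.debug(
 () -> Strings.format(
@@ -365,17 +358,27 @@ public void checkWriteProperty(Class<?> callerClass, String property) {
 );
 return;
 }
-throw new NotEntitledException(
-Strings.format(
-"Not entitled: component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]",
-entitlements.componentName(),
-requestingClass.getModule().getName(),
-requestingClass,
-property
-)
-);
+notEntitled(Strings.format(
+"Not entitled: component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]",
+entitlements.componentName(),
+requestingClass.getModule().getName(),
+requestingClass,
+property
+));
+}
+
+private static void notEntitled(String message) {
+if (true) {
+if (ALREADY_REPORTED.add(message)) {
+System.err.println(message);
+}
+} else {
+throw new NotEntitledException(message);
+}
 }
 
+private static final Set<String> ALREADY_REPORTED = newSetFromMap(new ConcurrentHashMap<>());
+
 public void checkManageThreadsEntitlement(Class<?> callerClass) {
 checkEntitlementPresent(callerClass, ManageThreadsEntitlement.class);
 }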
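Review bot: The `if (true)` in the new `notEntitled` helper hard-codes report-only mode, so `throw new NotEntitledException(message)` is unreachable and every check routed through it (neverEntitled, checkFileRead, checkFileWrite, checkFlagEntitlement, checkWriteProperty) now lets the denied operation proceed after a single line on stderr. If reporting mode is meant to be optional, gate it on an explicit switch that defaults to enforcing, e.g. `private static final boolean REPORT_ONLY = Boolean.getBoolean("<report-only-property-placeholder>");` and `if (REPORT_ONLY) {`. Callers also fall through in report mode: in checkFlagEntitlement, execution continues past the failed check into the `logger.debug(...)` call, which looks like the success-path log (its message is outside the hunk) and would then be misleading. `ALREADY_REPORTED` is keyed by the full message, which embeds paths and property names, so it can grow without bound on a long-running node; a size cap or a key without the path would bound it. Writing with `System.err.println` also bypasses the class's existing `logger`, so these denials will not reach the normal log pipeline.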

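--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/ManageThreadsEntitlement.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/ManageThreadsEntitlement.java
@@ -12,6 +12,6 @@
 import org.elasticsearch.entitlement.runtime.policy.ExternalEntitlement;
 
 public record ManageThreadsEntitlement() implements Entitlement {
-@ExternalEntitlement
+@ExternalEntitlement(esModulesOnly = false)
 public ManageThreadsEntitlement {}
 }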
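Review bot: `esModulesOnly = false` on the `ManageThreadsEntitlement` constructor changes who may be granted this entitlement, yet the commit title only mentions reporting mode and the line carries no explanation. Judging by the attribute name, it presumably lets policies outside the Elasticsearch modules (for example plugins) declare thread management; that should be confirmed against `ExternalEntitlement`, which is not shown here. I would add a comment above the annotation stating the reason, along the lines of `// Allowed in external (non-ES-module) policies because <reason placeholder>.`, and consider splitting it into its own commit so the permission widening is reviewed separately.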
