Skip to content

Commit 71442d0

Browse files
ldematteldematte
committed
More server entitlements
1 parent 4155d7d commit 71442d0

File tree

1 file changed

+36
-31
lines changed

1 file changed

+36
-31
lines changed

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

Lines changed: 36 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,6 @@
5252
import java.nio.file.attribute.FileAttribute;
5353
import java.nio.file.spi.FileSystemProvider;
5454
import java.util.ArrayList;
55-
import java.util.Arrays;
5655
import java.util.HashMap;
5756
import java.util.List;
5857
import java.util.Map;
@@ -135,7 +134,6 @@ private static PolicyManager createPolicyManager() {
135134
EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs();
136135
Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
137136
var pathLookup = new PathLookup(getUserHome(), bootstrapArgs.configDir(), bootstrapArgs.dataDirs(), bootstrapArgs.tempDir());
138-
Path logsDir = EntitlementBootstrap.bootstrapArgs().logsDir();
139137

140138
// TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
141139
var serverPolicy = new Policy(
@@ -160,31 +158,33 @@ private static PolicyManager createPolicyManager() {
160158
new LoadNativeLibrariesEntitlement(),
161159
new ManageThreadsEntitlement(),
162160
new FilesEntitlement(
163-
Stream.concat(
164-
Stream.of(
165-
FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE),
166-
FileData.ofPath(bootstrapArgs.configDir(), READ),
167-
FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
168-
// OS release on Linux
169-
FileData.ofPath(Path.of("/etc/os-release"), READ),
170-
FileData.ofPath(Path.of("/etc/system-release"), READ),
171-
FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
172-
// read max virtual memory areas
173-
FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
174-
FileData.ofPath(Path.of("/proc/meminfo"), READ),
175-
// load averages on Linux
176-
FileData.ofPath(Path.of("/proc/loadavg"), READ),
177-
// control group stats on Linux. cgroup v2 stats are in an unpredicable
178-
// location under `/sys/fs/cgroup`, so unfortunately we have to allow
179-
// read access to the entire directory hierarchy.
180-
FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
181-
FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
182-
// // io stats on Linux
183-
FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
184-
FileData.ofPath(Path.of("/proc/diskstats"), READ)
185-
),
186-
Arrays.stream(bootstrapArgs.dataDirs()).map(d -> FileData.ofPath(d, READ_WRITE))
187-
).toList()
161+
List.of(
162+
// Base ES directories
163+
FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE),
164+
FileData.ofPath(bootstrapArgs.configDir(), READ),
165+
FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
166+
FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE),
167+
168+
// OS release on Linux
169+
FileData.ofPath(Path.of("/etc/os-release"), READ),
170+
FileData.ofPath(Path.of("/etc/system-release"), READ),
171+
FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
172+
// read max virtual memory areas
173+
FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
174+
FileData.ofPath(Path.of("/proc/meminfo"), READ),
175+
// load averages on Linux
176+
FileData.ofPath(Path.of("/proc/loadavg"), READ),
177+
// control group stats on Linux. cgroup v2 stats are in an unpredicable
178+
// location under `/sys/fs/cgroup`, so unfortunately we have to allow
179+
// read access to the entire directory hierarchy.
180+
FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
181+
FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
182+
// // io stats on Linux
183+
FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
184+
FileData.ofPath(Path.of("/proc/diskstats"), READ)
185+
186+
// TODO: use FileData.ofPathSetting("repositories.fs.location", READ_WRITE)
187+
)
188188
)
189189
)
190190
),
@@ -196,13 +196,18 @@ private static PolicyManager createPolicyManager() {
196196
new LoadNativeLibrariesEntitlement(),
197197
new ManageThreadsEntitlement(),
198198
new FilesEntitlement(
199-
Stream.concat(
200-
Stream.of(FileData.ofPath(bootstrapArgs.configDir(), READ)),
201-
Arrays.stream(bootstrapArgs.dataDirs()).map(d -> FileData.ofPath(d, READ_WRITE))
202-
).toList()
199+
List.of(
200+
FileData.ofPath(bootstrapArgs.configDir(), READ),
201+
FileData.ofPath(bootstrapArgs.tempDir(), READ),
202+
FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
203+
)
203204
)
204205
)
205206
),
207+
new Scope(
208+
"org.apache.lucene.misc",
209+
List.of(new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE))))
210+
),
206211
new Scope("org.apache.logging.log4j.core", List.of(new ManageThreadsEntitlement())),
207212
new Scope(
208213
"org.elasticsearch.nativeaccess",

0 commit comments

Comments
 (0)