Merge remote-tracking branch 'es/main' into runtime_fields_synthetic_source

Author: martijnvg

docs/changelog/132967.yaml

@@ -0,0 +1,5 @@
+pr: 132967
+summary: ES-11331 streams params restriction
+area: Data streams
+type: enhancement
+issues: []

docs/changelog/133848.yaml

@@ -0,0 +1,5 @@
+pr: 133848
+summary: Delay S3 repo warning if default region absent
+area: Snapshot/Restore
+type: bug
+issues: []

docs/changelog/133952.yaml

@@ -0,0 +1,6 @@
+pr: 133952
+summary: Fix warning when creating an OTel data stream
+area: TSDB
+type: bug
+issues:
+ - 132918

docs/reference/elasticsearch/elasticsearch-audit-events.md

@@ -31,7 +31,7 @@ Certain audit events require the `security_config_change` event type to log the
 $$$event-access-denied$$$
 
 `access_denied`
-:   Logged when an authenticated user attempts to execute an action they do not have the necessary [privilege](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to perform.
+:   Logged when an authenticated user attempts to execute an action they do not have the necessary [privilege](/reference/elasticsearch/security-privileges.md) to perform.
 
     ::::{dropdown} Example
     ```js
@@ -510,7 +510,7 @@ $$$event-realm-auth-failed$$$
 $$$event-runas-denied$$$
 
 `run_as_denied`
-:   Logged when an authenticated user attempts to [run as](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/submitting-requests-on-behalf-of-other-users.md) another user that they do not have the necessary [privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to do so.
+:   Logged when an authenticated user attempts to [run as](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/submitting-requests-on-behalf-of-other-users.md) another user that they do not have the necessary [privileges](/reference/elasticsearch/security-privileges.md) to do so.
 
     ::::{dropdown} Example
     ```js

docs/reference/elasticsearch/rest-apis/create-index-from-source.md

@@ -26,7 +26,7 @@ For the most up-to-date API details, refer to [Index APIs](https://www.elastic.c
 
 ## {{api-prereq-title}} [indices-create-index-from-source-api-prereqs]
 
-* If the {{es}} {{security-features}} are enabled, you must have the `manage` [index privilege](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#privileges-list-indices) for the index.
+* If the {{es}} {{security-features}} are enabled, you must have the `manage` [index privilege](/reference/elasticsearch/security-privileges.md#privileges-list-indices) for the index.
 
 
 ## {{api-description-title}} [indices-create-index-from-source-api-desc]

docs/reference/elasticsearch/rest-apis/reindex-data-stream.md

@@ -33,7 +33,7 @@ This api runs in the background because reindexing all indices in a large data s
 
 ## {{api-prereq-title}} [data-stream-reindex-api-prereqs]
 
-* If the {{es}} {{security-features}} are enabled, you must have the `manage` [index privilege](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#privileges-list-indices) for the data stream.
+* If the {{es}} {{security-features}} are enabled, you must have the `manage` [index privilege](/reference/elasticsearch/security-privileges.md#privileges-list-indices) for the data stream.
 
 
 ## {{api-request-body-title}} [data-stream-reindex-body]

docs/reference/search-connectors/release-notes.md

@@ -13,6 +13,9 @@ If you are an Enterprise Search user and want to upgrade to Elastic 9.0, refer t
 It includes detailed steps, tooling, and resources to help you transition to supported alternatives in 9.x, such as Elasticsearch, the Open Web Crawler, and self-managed connectors.
 :::
 
+## 9.1.3 [connectors-9.1.3-release-notes]
+There are no new features, enhancements, fixes, known issues, or deprecations associated with this release.
+
 ## 9.1.2 [connectors-9.1.2-release-notes]
 There are no new features, enhancements, fixes, known issues, or deprecations associated with this release.
 
@@ -29,6 +32,9 @@ Permissions granted to the `Everyone Except External Users` group were previousl
 ## 9.1.0 [connectors-9.1.0-release-notes]
 There are no new features, enhancements, fixes, known issues, or deprecations associated with this release.
 
+## 9.0.6 [connectors-9.0.6-release-notes]
+No changes since 9.0.5
+
 ## 9.0.5 [connectors-9.0.5-release-notes]
 
 ### Fixes [connectors-9.0.5-fixes]

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -136,6 +136,10 @@ public interface EntitlementChecker {
 
     void check$java_net_URLClassLoader$(Class<?> callerClass, String name, URL[] urls, ClassLoader parent, URLStreamHandlerFactory factory);
 
+    void check$java_net_URLClassLoader$$newInstance(Class<?> callerClass, URL[] urls, ClassLoader parent);
+
+    void check$java_net_URLClassLoader$$newInstance(Class<?> callerClass, URL[] urls);
+
     void check$java_security_SecureClassLoader$(Class<?> callerClass);
 
     void check$java_security_SecureClassLoader$(Class<?> callerClass, ClassLoader parent);

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/JvmActions.java

@@ -72,6 +72,20 @@ static void createClassLoader() throws IOException {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createClassLoaderNewInstance1() throws IOException {
+        try (var classLoader = URLClassLoader.newInstance(new URL[0])) {
+            // intentionally empty, just let the loader close
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createClassLoaderNewInstance2() throws IOException {
+        try (var classLoader = URLClassLoader.newInstance(new URL[0], RestEntitlementsCheckAction.class.getClassLoader())) {
+            // intentionally empty, just let the loader close
+        }
+    }
+
     @EntitlementTest(expectedAccess = ALWAYS_DENIED)
     static void createLogManager() {
         new java.util.logging.LogManager() {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/ElasticsearchEntitlementChecker.java

@@ -194,6 +194,16 @@ public ElasticsearchEntitlementChecker(PolicyChecker policyChecker) {
         policyChecker.checkCreateClassLoader(callerClass);
     }
 
+    @Override
+    public void check$java_net_URLClassLoader$$newInstance(Class<?> callerClass, URL[] urls) {
+        policyChecker.checkCreateClassLoader(callerClass);
+    }
+
+    @Override
+    public void check$java_net_URLClassLoader$$newInstance(Class<?> callerClass, URL[] urls, ClassLoader parent) {
+        policyChecker.checkCreateClassLoader(callerClass);
+    }
+
     @Override
     public void check$java_security_SecureClassLoader$(Class<?> callerClass) {
         policyChecker.checkCreateClassLoader(callerClass);