Merge branch 'main' into to-aggregate-metric-double-function

Author: limotova

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/toolchain/ArchivedOracleJdkToolchainResolver.java

@@ -29,7 +29,7 @@
  */
 public abstract class ArchivedOracleJdkToolchainResolver extends AbstractCustomJavaToolchainResolver {
 
-    private static final Map<Integer, String> ARCHIVED_BASE_VERSIONS = Maps.of(20, "20.0.2", 19, "19.0.2", 18, "18.0.2.1");
+    private static final Map<Integer, String> ARCHIVED_BASE_VERSIONS = Maps.of(21, "21.0.6", 20, "20.0.2", 19, "19.0.2", 18, "18.0.2.1");
 
     @Override
     public Optional<JavaToolchainDownload> resolve(JavaToolchainRequest request) {

build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java

@@ -42,7 +42,7 @@ public abstract class RunTask extends DefaultTestClustersTask {
 
     private Boolean debug = false;
     private Boolean cliDebug = false;
-    private Boolean entitlementsEnabled = false;
+
     private Boolean apmServerEnabled = false;
 
     private Boolean preserveData = false;
@@ -74,9 +74,7 @@ public void setCliDebug(boolean enabled) {
         option = "entitlements",
         description = "Use the Entitlements agent system in place of SecurityManager to enforce sandbox policies."
     )
-    public void setEntitlementsEnabled(boolean enabled) {
-        this.entitlementsEnabled = enabled;
-    }
+    public void setEntitlementsEnabled(boolean enabled) {}
 
     @Input
     public Boolean getDebug() {
@@ -90,7 +88,7 @@ public Boolean getCliDebug() {
 
     @Input
     public Boolean getEntitlementsEnabled() {
-        return entitlementsEnabled;
+        return true;
     }
 
     @Input
@@ -240,9 +238,7 @@ else if (node.getSettingKeys().contains("telemetry.metrics.enabled") == false) {
         if (cliDebug) {
             enableCliDebug();
         }
-        if (entitlementsEnabled) {
-            enableEntitlements();
-        }
+        enableEntitlements();
     }
 
     @TaskAction

build.gradle

@@ -404,6 +404,34 @@ allprojects {
   apply plugin: 'elasticsearch.formatting'
 }
 
+tasks.named("updateDaemonJvm") {
+  def myPlatforms = [
+    BuildPlatformFactory.of(
+      org.gradle.platform.Architecture.AARCH64,
+      org.gradle.platform.OperatingSystem.MAC_OS
+    ),
+    BuildPlatformFactory.of(
+      org.gradle.platform.Architecture.AARCH64,
+      org.gradle.platform.OperatingSystem.LINUX
+    ),
+    BuildPlatformFactory.of(
+      org.gradle.platform.Architecture.X86_64,
+      org.gradle.platform.OperatingSystem.LINUX
+    ),
+    BuildPlatformFactory.of(
+      org.gradle.platform.Architecture.X86_64,
+      org.gradle.platform.OperatingSystem.WINDOWS
+    ),
+    // anyone still using x86 osx?
+    BuildPlatformFactory.of(
+      org.gradle.platform.Architecture.X86_64,
+      org.gradle.platform.OperatingSystem.MAC_OS
+    )
+  ]
+  toolchainPlatforms.set(myPlatforms)
+  languageVersion = JavaLanguageVersion.of(21)
+  vendor = JvmVendorSpec.ADOPTIUM
+}
 
 tasks.register("verifyBwcTestsEnabled") {
   doLast {

distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java

@@ -11,7 +11,6 @@
 
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
-import org.elasticsearch.core.Booleans;
 import org.elasticsearch.jdk.RuntimeVersionFeature;
 
 import java.io.IOException;
@@ -28,9 +27,8 @@ static List<String> systemJvmOptions(Settings nodeSettings, final Map<String, St
         String distroType = sysprops.get("es.distribution.type");
         String javaType = sysprops.get("es.java.type");
         boolean isHotspot = sysprops.getOrDefault("sun.management.compiler", "").contains("HotSpot");
-        boolean entitlementsExplicitlyEnabled = Booleans.parseBoolean(sysprops.getOrDefault("es.entitlements.enabled", "true"));
-        // java 24+ only supports entitlements, but it may be enabled on earlier versions explicitly
-        boolean useEntitlements = RuntimeVersionFeature.isSecurityManagerAvailable() == false || entitlementsExplicitlyEnabled;
+
+        boolean useEntitlements = true;
         return Stream.of(
             Stream.of(
                 /*

distribution/tools/server-cli/src/test/java/org/elasticsearch/server/cli/ServerCliTests.java

@@ -185,7 +185,7 @@ public void testElasticsearchSettingCanNotBeEmpty() throws Exception {
     }
 
     public void testElasticsearchSettingCanNotBeDuplicated() throws Exception {
-        assertUsage(containsString("setting [foo] already set, saw [bar] and [baz]"), "-E", "foo=bar", "-E", "foo=baz");
+        assertUsage(containsString("setting [foo] set twice via command line -E"), "-E", "foo=bar", "-E", "foo=baz");
     }
 
     public void testUnknownOption() throws Exception {

docs/changelog/120869.yaml

@@ -0,0 +1,5 @@
+pr: 120869
+summary: Threadpool merge scheduler
+area: Engine
+type: feature
+issues: []

docs/changelog/125054.yaml

@@ -0,0 +1,6 @@
+pr: 125054
+summary: Truncate `step_info` and error reason in ILM execution state and history
+area: ILM+SLM
+type: enhancement
+issues:
+ - 124181

docs/changelog/125117.yaml

@@ -0,0 +1,8 @@
+pr: 125117
+summary: "Permanently switch from Java SecurityManager to Entitlements.
+  The Java SecurityManager has been deprecated since Java 17, and it is now completely disabled in Java 24. In order
+  to retain an similar level of protection, Elasticsearch implemented its own protection mechanism, Entitlements.
+  Starting with this version, Entitlements will permanently replace the Java SecurityManager."
+area: Infra/Core
+type: upgrade
+issues: []

docs/reference/elasticsearch/configuration-reference/auding-settings.md

@@ -2,6 +2,10 @@
 navigation_title: "Auditing settings"
 mapped_pages:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html
+applies_to:
+  deployment:
+    ess:
+    self:
 ---
 
 # Auditing security settings [auditing-settings]
@@ -20,7 +24,7 @@ If configured, auditing settings must be set on every node in the cluster. Stati
 
 $$$xpack-security-audit-enabled$$$
 
-`xpack.security.audit.enabled`
+`xpack.security.audit.enabled` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Static](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#static-cluster-setting)) Set to `true` to enable auditing on the node. The default value is `false`. This puts the auditing events in a dedicated file named `<clustername>_audit.json` on each node.
 
     If enabled, this setting must be configured in `elasticsearch.yml` on all nodes in the cluster.
@@ -33,17 +37,17 @@ The events and some other information about what gets logged can be controlled b
 
 $$$xpack-sa-lf-events-include$$$
 
-`xpack.security.audit.logfile.events.include`
+`xpack.security.audit.logfile.events.include` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Specifies the [kind of events](/reference/elasticsearch/elasticsearch-audit-events.md) to print in the auditing output. In addition, `_all` can be used to exhaustively audit all the events, but this is usually discouraged since it will get very verbose. The default list value contains: `access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted, security_config_change`.
 
 $$$xpack-sa-lf-events-exclude$$$
 
-`xpack.security.audit.logfile.events.exclude`
+`xpack.security.audit.logfile.events.exclude` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Excludes the specified [kind of events](/reference/elasticsearch/elasticsearch-audit-events.md) from the include list. This is useful in the case where the `events.include` setting contains the special value `_all`. The default is the empty list.
 
 $$$xpack-sa-lf-events-emit-request$$$
 
-`xpack.security.audit.logfile.events.emit_request_body`
+`xpack.security.audit.logfile.events.emit_request_body` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Specifies whether to include the full request body from REST requests as an attribute of certain kinds of audit events. This setting can be used to [audit search queries](docs-content://deploy-manage/monitor/logging-configuration/auditing-search-queries.md).
 
     The default value is `false`, so request bodies are not printed.
@@ -58,22 +62,22 @@ $$$xpack-sa-lf-events-emit-request$$$
 
 $$$xpack-sa-lf-emit-node-name$$$
 
-`xpack.security.audit.logfile.emit_node_name`
+`xpack.security.audit.logfile.emit_node_name` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Specifies whether to include the [node name](docs-content://deploy-manage/deploy/self-managed/important-settings-configuration.md#node-name) as a field in each audit event. The default value is `false`.
 
 $$$xpack-sa-lf-emit-node-host-address$$$
 
-`xpack.security.audit.logfile.emit_node_host_address`
+`xpack.security.audit.logfile.emit_node_host_address` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Specifies whether to include the node’s IP address as a field in each audit event. The default value is `false`.
 
 $$$xpack-sa-lf-emit-node-host-name$$$
 
-`xpack.security.audit.logfile.emit_node_host_name`
+`xpack.security.audit.logfile.emit_node_host_name` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Specifies whether to include the node’s host name as a field in each audit event. The default value is `false`.
 
 $$$xpack-sa-lf-emit-node-id$$$
 
-`xpack.security.audit.logfile.emit_node_id`
+`xpack.security.audit.logfile.emit_node_id` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Specifies whether to include the node id as a field in each audit event. Unlike [node name](docs-content://deploy-manage/deploy/self-managed/important-settings-configuration.md#node-name), whose value might change if the administrator changes the setting in the config file, the node id will persist across cluster restarts and the administrator cannot change it. The default value is `true`.
 
 
@@ -83,27 +87,27 @@ The following settings affect the [ignore policies](docs-content://deploy-manage
 
 $$$xpack-sa-lf-events-ignore-users$$$
 
-`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users`
+`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) A list of user names or wildcards. The specified policy will not print audit events for users matching these values.
 
 $$$xpack-sa-lf-events-ignore-realms$$$
 
-`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms`
+`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) A list of authentication realm names or wildcards. The specified policy will not print audit events for users in these realms.
 
 $$$xpack-sa-lf-events-ignore-actions$$$
 
-`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.actions`
+`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.actions` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) A list of action names or wildcards. Action name can be found in the `action` field of the audit event. The specified policy will not print audit events for actions matching these values.
 
 $$$xpack-sa-lf-events-ignore-roles$$$
 
-`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles`
+`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) A list of role names or wildcards. The specified policy will not print audit events for users that have these roles. If the user has several roles, some of which are **not** covered by the policy, the policy will **not** cover this event.
 
 $$$xpack-sa-lf-events-ignore-indices$$$
 
-`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices`
+`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) A list of index names or wildcards. The specified policy will not print audit events when all the indices in the event match these values. If the event concerns several indices, some of which are **not** covered by the policy, the policy will **not** cover this event.
 
 

docs/reference/elasticsearch/configuration-reference/circuit-breaker-settings.md

@@ -1,6 +1,10 @@
 ---
 mapped_pages:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/circuit-breaker.html
+applies_to:
+  deployment:
+    ess:
+    self:
 ---
 
 # Circuit breaker settings [circuit-breaker]
@@ -26,7 +30,7 @@ The parent-level breaker can be configured with the following settings:
 
 $$$indices-breaker-total-limit$$$
 
-`indices.breaker.total.limit` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ess}}")
+`indices.breaker.total.limit` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Starting limit for overall parent breaker. Defaults to 70% of JVM heap if `indices.breaker.total.use_real_memory` is `false`. If `indices.breaker.total.use_real_memory` is `true`, defaults to 95% of the JVM heap.
 
 
@@ -36,12 +40,12 @@ The field data circuit breaker estimates the heap memory required to load a fiel
 
 $$$fielddata-circuit-breaker-limit$$$
 
-`indices.breaker.fielddata.limit` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ess}}")
+`indices.breaker.fielddata.limit` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Limit for fielddata breaker. Defaults to 40% of JVM heap.
 
 $$$fielddata-circuit-breaker-overhead$$$
 
-`indices.breaker.fielddata.overhead` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ess}}")
+`indices.breaker.fielddata.overhead` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) A constant that all field data estimations are multiplied with to determine a final estimation. Defaults to `1.03`.
 
 
@@ -51,12 +55,12 @@ The request circuit breaker allows Elasticsearch to prevent per-request data str
 
 $$$request-breaker-limit$$$
 
-`indices.breaker.request.limit` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ess}}")
+`indices.breaker.request.limit` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) Limit for request breaker, defaults to 60% of JVM heap.
 
 $$$request-breaker-overhead$$$
 
-`indices.breaker.request.overhead` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ess}}")
+`indices.breaker.request.overhead` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Dynamic](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#dynamic-cluster-setting)) A constant that all request estimations are multiplied with to determine a final estimation. Defaults to `1`.
 
 
@@ -89,7 +93,7 @@ Poorly written regular expressions can degrade cluster stability and performance
 
 $$$script-painless-regex-enabled$$$
 
-`script.painless.regex.enabled`
+`script.painless.regex.enabled` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   ([Static](docs-content://deploy-manage/deploy/self-managed/configure-elasticsearch.md#static-cluster-setting)) Enables regex in Painless scripts. Accepts:
 
     `limited` (Default)