Entitlements from CI

Author: prdoyle

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -131,12 +131,13 @@ private static PolicyManager createPolicyManager() {
                 new Scope("org.apache.httpcomponents.httpclient", List.of(new OutboundNetworkEntitlement())),
                 new Scope("io.netty.transport", List.of(new InboundNetworkEntitlement(), new OutboundNetworkEntitlement())),
                 new Scope("org.apache.lucene.core", List.of(new LoadNativeLibrariesEntitlement(), new ManageThreadsEntitlement())),
+                new Scope("org.apache.logging.log4j.core", List.of(new ManageThreadsEntitlement())),
                 new Scope("org.elasticsearch.nativeaccess", List.of(new LoadNativeLibrariesEntitlement()))
             )
         );
         // agents run without a module, so this is a special hack for the apm agent
         // this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
-        List<Entitlement> agentEntitlements = List.of(new CreateClassLoaderEntitlement());
+        List<Entitlement> agentEntitlements = List.of(new CreateClassLoaderEntitlement(), new ManageThreadsEntitlement());
         var resolver = EntitlementBootstrap.bootstrapArgs().pluginResolver();
         return new PolicyManager(serverPolicy, agentEntitlements, pluginPolicies, resolver, AGENTS_PACKAGE_NAME, ENTITLEMENTS_MODULE);
     }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -256,7 +256,7 @@ public void checkFileRead(Class<?> callerClass, Path path) {
                 Strings.format(
                     "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
                     entitlements.componentName(),
-                    requestingClass.getModule(),
+                    requestingClass.getModule().getName(),
                     requestingClass,
                     path
                 )
@@ -281,7 +281,7 @@ public void checkFileWrite(Class<?> callerClass, Path path) {
                 Strings.format(
                     "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]",
                     entitlements.componentName(),
-                    requestingClass.getModule(),
+                    requestingClass.getModule().getName(),
                     requestingClass,
                     path
                 )

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/ManageThreadsEntitlement.java

@@ -12,6 +12,6 @@
 import org.elasticsearch.entitlement.runtime.policy.ExternalEntitlement;
 
 public record ManageThreadsEntitlement() implements Entitlement {
-    @ExternalEntitlement
+    @ExternalEntitlement(esModulesOnly = false)
     public ManageThreadsEntitlement {}
 }

modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml

@@ -1,2 +1,3 @@
 io.netty.common:
   - outbound_network
+  - manage_threads

plugins/discovery-ec2/src/main/plugin-metadata/entitlement-policy.yaml

@@ -1,2 +1,3 @@
 ALL-UNNAMED:
+  - manage_threads
   - outbound_network

plugins/repository-hdfs/src/main/plugin-metadata/entitlement-policy.yaml

@@ -1,6 +1,7 @@
 ALL-UNNAMED:
   - manage_threads
   - outbound_network
+  - load_native_libraries
   - write_system_properties:
       properties:
         - hadoop.home.dir

x-pack/plugin/core/src/main/plugin-metadata/entitlement-policy.yaml

@@ -7,6 +7,7 @@ org.apache.httpcomponents.httpcore.nio:
 org.apache.httpcomponents.httpasyncclient:
   - manage_threads
 unboundid.ldapsdk:
+  - manage_threads
   - write_system_properties:
       properties:
         - java.security.auth.login.config