diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java index d607a5e25b410..ede357f088be7 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java @@ -11,6 +11,7 @@ import org.elasticsearch.core.Strings; import org.elasticsearch.core.SuppressForbidden; +import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap; import org.elasticsearch.entitlement.instrumentation.InstrumentationService; import org.elasticsearch.entitlement.runtime.api.NotEntitledException; import org.elasticsearch.entitlement.runtime.policy.entitlements.CreateClassLoaderEntitlement; @@ -215,7 +216,8 @@ private void neverEntitled(Class callerClass, Supplier operationDescr requestingClass.getModule().getName(), requestingClass, operationDescription.get() - ) + ), + callerClass ); } @@ -274,7 +276,8 @@ public void checkFileRead(Class callerClass, Path path) { requestingClass.getModule().getName(), requestingClass, path - ) + ), + callerClass ); } } @@ -299,7 +302,8 @@ public void checkFileWrite(Class callerClass, Path path) { requestingClass.getModule().getName(), requestingClass, path - ) + ), + callerClass ); } } @@ -348,14 +352,15 @@ public void checkAllNetworkAccess(Class callerClass) { } var classEntitlements = getEntitlements(requestingClass); - checkFlagEntitlement(classEntitlements, InboundNetworkEntitlement.class, requestingClass); - checkFlagEntitlement(classEntitlements, OutboundNetworkEntitlement.class, requestingClass); + checkFlagEntitlement(classEntitlements, InboundNetworkEntitlement.class, requestingClass, callerClass); + checkFlagEntitlement(classEntitlements, OutboundNetworkEntitlement.class, requestingClass, callerClass); } private static void checkFlagEntitlement( ModuleEntitlements classEntitlements, Class entitlementClass, - Class requestingClass + Class requestingClass, + Class callerClass ) { if (classEntitlements.hasEntitlement(entitlementClass) == false) { notEntitled( @@ -365,7 +370,8 @@ private static void checkFlagEntitlement( requestingClass.getModule().getName(), requestingClass, PolicyParser.getEntitlementTypeName(entitlementClass) - ) + ), + callerClass ); } logger.debug( @@ -405,12 +411,18 @@ public void checkWriteProperty(Class callerClass, String property) { requestingClass.getModule().getName(), requestingClass, property - ) + ), + callerClass ); } - private static void notEntitled(String message) { - throw new NotEntitledException(message); + private static void notEntitled(String message, Class callerClass) { + var exception = new NotEntitledException(message); + // don't log self tests in EntitlementBootstrap + if (EntitlementBootstrap.class.equals(callerClass) == false) { + logger.warn(message, exception); + } + throw exception; } public void checkManageThreadsEntitlement(Class callerClass) { @@ -422,7 +434,7 @@ private void checkEntitlementPresent(Class callerClass, Class requestingClass) {