From 2836cee4f98e53b6a90d94236ffeb7368e2bb4a5 Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte <lorenzo.dematte@elastic.co>
Date: Thu, 27 Feb 2025 12:54:22 +0100
Subject: [PATCH 1/2] Fixing reindex policy

---
 .../main/plugin-metadata/entitlement-policy.yaml  | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/modules/reindex/src/main/plugin-metadata/entitlement-policy.yaml b/modules/reindex/src/main/plugin-metadata/entitlement-policy.yaml
index d1e8d1aca74dd..7dd81896f7f16 100644
--- a/modules/reindex/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/reindex/src/main/plugin-metadata/entitlement-policy.yaml
@@ -1,7 +1,20 @@
 ALL-UNNAMED:
   - manage_threads
   - outbound_network
+  - create_class_loader # needed for Painless to generate runtime classes
   - files:
-      - relative_path: ""
+      - relative_path_setting: "reindex.ssl.certificate"
+        relative_to: config
+        mode: read
+      - relative_path_setting: "reindex.ssl.key"
+        relative_to: config
+        mode: read
+      - relative_path_setting: "reindex.ssl.keystore.path"
+        relative_to: config
+        mode: read
+      - relative_path_setting: "reindex.ssl.certificate_authorities"
+        relative_to: config
+        mode: read
+      - relative_path_setting: "reindex.ssl.truststore.path"
         relative_to: config
         mode: read

From d324cddb311504a972f63567febf30ce9dcea7f8 Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte <lorenzo.dematte@elastic.co>
Date: Mon, 3 Mar 2025 15:06:26 +0100
Subject: [PATCH 2/2] update to the new path settings keywords

---
 .../plugin-metadata/entitlement-policy.yaml   | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/modules/reindex/src/main/plugin-metadata/entitlement-policy.yaml b/modules/reindex/src/main/plugin-metadata/entitlement-policy.yaml
index 7dd81896f7f16..64352bc2476fe 100644
--- a/modules/reindex/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/reindex/src/main/plugin-metadata/entitlement-policy.yaml
@@ -3,18 +3,22 @@ ALL-UNNAMED:
   - outbound_network
   - create_class_loader # needed for Painless to generate runtime classes
   - files:
-      - relative_path_setting: "reindex.ssl.certificate"
+      # TODO: review and possibly remove this general permission
+      - relative_path: ""
         relative_to: config
         mode: read
-      - relative_path_setting: "reindex.ssl.key"
-        relative_to: config
+      - path_setting: "reindex.ssl.certificate"
+        basedir_if_relative: config
         mode: read
-      - relative_path_setting: "reindex.ssl.keystore.path"
-        relative_to: config
+      - path_setting: "reindex.ssl.key"
+        basedir_if_relative: config
         mode: read
-      - relative_path_setting: "reindex.ssl.certificate_authorities"
-        relative_to: config
+      - path_setting: "reindex.ssl.keystore.path"
+        basedir_if_relative: config
         mode: read
-      - relative_path_setting: "reindex.ssl.truststore.path"
-        relative_to: config
+      - path_setting: "reindex.ssl.certificate_authorities"
+        basedir_if_relative: config
+        mode: read
+      - path_setting: "reindex.ssl.truststore.path"
+        basedir_if_relative: config
         mode: read