Permanently switch from SecurityManager to Entitlements

build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java

@@ -42,7 +42,6 @@ public abstract class RunTask extends DefaultTestClustersTask {
 
     private Boolean debug = false;
     private Boolean cliDebug = false;
-    private Boolean entitlementsEnabled = false;
     private Boolean apmServerEnabled = false;
 
     private Boolean preserveData = false;
@@ -70,14 +69,6 @@ public void setCliDebug(boolean enabled) {
         this.cliDebug = enabled;
     }
 
-    @Option(
-        option = "entitlements",
-        description = "Use the Entitlements agent system in place of SecurityManager to enforce sandbox policies."
-    )
-    public void setEntitlementsEnabled(boolean enabled) {
-        this.entitlementsEnabled = enabled;
-    }
-
     @Input
     public Boolean getDebug() {
         return debug;
@@ -88,11 +79,6 @@ public Boolean getCliDebug() {
         return cliDebug;
     }
 
-    @Input
-    public Boolean getEntitlementsEnabled() {
-        return entitlementsEnabled;
-    }
-
     @Input
     public Boolean getApmServerEnabled() {
         return apmServerEnabled;
@@ -240,9 +226,6 @@ else if (node.getSettingKeys().contains("telemetry.metrics.enabled") == false) {
         if (cliDebug) {
             enableCliDebug();
         }
-        if (entitlementsEnabled) {
-            enableEntitlements();
-        }
     }
 
     @TaskAction

build-tools/src/main/java/org/elasticsearch/gradle/testclusters/TestClustersAware.java

@@ -88,12 +88,4 @@ default void enableCliDebug() {
             }
         }
     }
-
-    default void enableEntitlements() {
-        for (ElasticsearchCluster cluster : getClusters()) {
-            for (ElasticsearchNode node : cluster.getNodes()) {
-                node.cliJvmArgs("-Des.entitlements.enabled=true");
-            }
-        }
-    }
 }

distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java

@@ -11,8 +11,6 @@
 
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
-import org.elasticsearch.core.Booleans;
-import org.elasticsearch.jdk.RuntimeVersionFeature;
 
 import java.io.IOException;
 import java.nio.file.Files;
@@ -27,9 +25,6 @@ final class SystemJvmOptions {
     static List<String> systemJvmOptions(Settings nodeSettings, final Map<String, String> sysprops) {
         String distroType = sysprops.get("es.distribution.type");
         boolean isHotspot = sysprops.getOrDefault("sun.management.compiler", "").contains("HotSpot");
-        boolean entitlementsExplicitlyEnabled = Booleans.parseBoolean(sysprops.getOrDefault("es.entitlements.enabled", "true"));
-        // java 24+ only supports entitlements, but it may be enabled on earlier versions explicitly
-        boolean useEntitlements = RuntimeVersionFeature.isSecurityManagerAvailable() == false || entitlementsExplicitlyEnabled;
         return Stream.of(
             Stream.of(
                 /*
@@ -71,13 +66,12 @@ static List<String> systemJvmOptions(Settings nodeSettings, final Map<String, St
                 // Pass through distribution type
                 "-Des.distribution.type=" + distroType
             ),
-            maybeEnableNativeAccess(useEntitlements),
+            maybeEnableNativeAccess(),
             maybeOverrideDockerCgroup(distroType),
             maybeSetActiveProcessorCount(nodeSettings),
             maybeSetReplayFile(distroType, isHotspot),
             maybeWorkaroundG1Bug(),
-            maybeAllowSecurityManager(useEntitlements),
-            maybeAttachEntitlementAgent(useEntitlements)
+            attachEntitlementAgent()
         ).flatMap(s -> s).toList();
     }
 
@@ -126,15 +120,13 @@ private static Stream<String> maybeSetActiveProcessorCount(Settings nodeSettings
         return Stream.empty();
     }
 
-    private static Stream<String> maybeEnableNativeAccess(boolean useEntitlements) {
+    private static Stream<String> maybeEnableNativeAccess() {
         var enableNativeAccessOptions = new ArrayList<String>();
         if (Runtime.version().feature() >= 21) {
             enableNativeAccessOptions.add("--enable-native-access=org.elasticsearch.nativeaccess,org.apache.lucene.core");
-            if (useEntitlements) {
-                enableNativeAccessOptions.add("--enable-native-access=ALL-UNNAMED");
-                if (Runtime.version().feature() >= 24) {
-                    enableNativeAccessOptions.add("--illegal-native-access=deny");
-                }
+            enableNativeAccessOptions.add("--enable-native-access=ALL-UNNAMED");
+            if (Runtime.version().feature() >= 24) {
+                enableNativeAccessOptions.add("--illegal-native-access=deny");
             }
         }
         return enableNativeAccessOptions.stream();
@@ -151,19 +143,7 @@ private static Stream<String> maybeWorkaroundG1Bug() {
         return Stream.of();
     }
 
-    private static Stream<String> maybeAllowSecurityManager(boolean useEntitlements) {
-        if (RuntimeVersionFeature.isSecurityManagerAvailable()) {
-            // Will become conditional on useEntitlements once entitlements can run without SM
-            return Stream.of("-Djava.security.manager=allow");
-        }
-        return Stream.of();
-    }
-
-    private static Stream<String> maybeAttachEntitlementAgent(boolean useEntitlements) {
-        if (useEntitlements == false) {
-            return Stream.empty();
-        }
-
+    private static Stream<String> attachEntitlementAgent() {
         Path dir = Path.of("lib", "entitlement-bridge");
         if (Files.exists(dir) == false) {
             throw new IllegalStateException("Directory for entitlement bridge jar does not exist: " + dir);
@@ -182,7 +162,6 @@ private static Stream<String> maybeAttachEntitlementAgent(boolean useEntitlement
         // into java.base, we must export the bridge from java.base to these modules, as a comma-separated list
         String modulesContainingEntitlementInstrumentation = "java.logging,java.net.http,java.naming,jdk.net";
         return Stream.of(
-            "-Des.entitlements.enabled=true",
             "-XX:+EnableDynamicAgentLoading",
             "-Djdk.attach.allowAttachSelf=true",
             "--patch-module=java.base=" + bridgeJar,

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java

@@ -73,7 +73,6 @@ protected void before() throws Throwable {
         cluster = ElasticsearchCluster.local()
             .module("entitled", spec -> buildEntitlements(spec, "org.elasticsearch.entitlement.qa.entitled", ENTITLED_POLICY))
             .module("entitlement-test-plugin", spec -> setupEntitlements(spec, modular, policyBuilder))
-            .systemProperty("es.entitlements.enabled", "true")
             .systemProperty("es.entitlements.testdir", () -> testDir.getRoot().getAbsolutePath())
             .setting("xpack.security.enabled", "false")
             // Logs in libs/entitlement/qa/build/test-results/javaRestTest/TEST-org.elasticsearch.entitlement.qa.EntitlementsXXX.xml

modules/analysis-common/build.gradle

@@ -38,14 +38,11 @@ tasks.named("yamlRestCompatTestTransform").configure { task ->
 }
 
 tasks.named("yamlRestTest").configure {
-  if (buildParams.getRuntimeJavaVersion().map{ it.majorVersion.toInteger() }.get() >= 24 ||
-    "-Des.entitlements.enabled=true".equals(System.getProperty("tests.jvm.argline"))) {
-    systemProperty 'tests.rest.blacklist',
-      [
-        // AWAITSFIX: this test relies on security manager, which doesn't exist in JDK 24.
-        // and entitlements don't yet replace the functionality.
-        // see https://github.com/elastic/elasticsearch/issues/119130
-        'analysis-common/40_token_filters/stemmer_override file access',
-      ].join(',')
-  }
+  systemProperty 'tests.rest.blacklist',
+    [
+      // AWAITSFIX: this test relies on security manager, which doesn't exist in JDK 24.
+      // and entitlements don't yet replace the functionality.
+      // see https://github.com/elastic/elasticsearch/issues/119130
+      'analysis-common/40_token_filters/stemmer_override file access',
+    ].join(',')
 }

modules/apm/src/javaRestTest/java/org/elasticsearch/telemetry/apm/ApmAgentSettingsIT.java

@@ -18,10 +18,7 @@
 public class ApmAgentSettingsIT extends ESRestTestCase {
 
     @ClassRule
-    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
-        .module("apm")
-        .systemProperty("es.entitlements.enabled", "true")
-        .build();
+    public static ElasticsearchCluster cluster = ElasticsearchCluster.local().module("apm").build();
 
     @Override
     protected String getTestRestCluster() {

modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java

@@ -18,11 +18,9 @@
 import org.apache.tika.parser.ParserDecorator;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.bootstrap.FilePermissionUtils;
-import org.elasticsearch.core.Booleans;
 import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.jdk.JarHell;
-import org.elasticsearch.jdk.RuntimeVersionFeature;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -39,7 +37,6 @@
 import java.security.Permissions;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
-import java.security.ProtectionDomain;
 import java.security.SecurityPermission;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -124,15 +121,7 @@ static String parse(final byte content[], final Metadata metadata, final int lim
 
     // apply additional containment for parsers, this is intersected with the current permissions
     // its hairy, but worth it so we don't have some XML flaw reading random crap from the FS
-    private static final AccessControlContext RESTRICTED_CONTEXT = isUsingSecurityManager()
-        ? new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, getRestrictedPermissions()) })
-        : null;
-
-    private static boolean isUsingSecurityManager() {
-        boolean entitlementsEnabled = Booleans.parseBoolean(System.getProperty("es.entitlements.enabled"), false)
-            || RuntimeVersionFeature.isSecurityManagerAvailable() == false;
-        return entitlementsEnabled == false;
-    }
+    private static final AccessControlContext RESTRICTED_CONTEXT = null;
 
     // compute some minimal permissions for parsers. they only get r/w access to the java temp directory,
     // the ability to load some resources from JARs, and read sysprops

server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java

@@ -33,7 +33,6 @@ class Bootstrap {
 
     // arguments from the CLI process
     private final ServerArgs args;
-    private final boolean useEntitlements;
 
     // controller for spawning component subprocesses
     private final Spawner spawner = new Spawner();
@@ -47,11 +46,10 @@ class Bootstrap {
     // loads information about plugins required for entitlements in phase 2, used by plugins service in phase 3
     private final SetOnce<PluginsLoader> pluginsLoader = new SetOnce<>();
 
-    Bootstrap(PrintStream out, PrintStream err, ServerArgs args, boolean useEntitlements) {
+    Bootstrap(PrintStream out, PrintStream err, ServerArgs args) {
         this.out = out;
         this.err = err;
         this.args = args;
-        this.useEntitlements = useEntitlements;
     }
 
     ServerArgs args() {
@@ -62,10 +60,6 @@ Spawner spawner() {
         return spawner;
     }
 
-    public boolean useEntitlements() {
-        return useEntitlements;
-    }
-
     void setSecureSettings(SecureSettings secureSettings) {
         this.secureSettings.set(secureSettings);
     }