Skip to content

Permanently switch from SecurityManager to Entitlements #124865

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Mar 18, 2025
Merged

Permanently switch from SecurityManager to Entitlements #124865

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
30d8a34
minimal changes to always use entitlements
ldematte Mar 14, 2025
c8f1444
Merge remote-tracking branch 'upstream/9.0' into entitlements/always-…
ldematte Mar 17, 2025
59dc3e8
Changelog
ldematte Mar 17, 2025
8c99cca
Changed wording
ldematte Mar 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 4 additions & 8 deletions build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ public abstract class RunTask extends DefaultTestClustersTask {

private Boolean debug = false;
private Boolean cliDebug = false;
private Boolean entitlementsEnabled = false;

private Boolean apmServerEnabled = false;

private Boolean preserveData = false;
Expand Down Expand Up @@ -74,9 +74,7 @@ public void setCliDebug(boolean enabled) {
option = "entitlements",
description = "Use the Entitlements agent system in place of SecurityManager to enforce sandbox policies."
)
public void setEntitlementsEnabled(boolean enabled) {
this.entitlementsEnabled = enabled;
}
public void setEntitlementsEnabled(boolean enabled) {}

@Input
public Boolean getDebug() {
Expand All @@ -90,7 +88,7 @@ public Boolean getCliDebug() {

@Input
public Boolean getEntitlementsEnabled() {
return entitlementsEnabled;
return true;
}

@Input
Expand Down Expand Up @@ -240,9 +238,7 @@ else if (node.getSettingKeys().contains("telemetry.metrics.enabled") == false) {
if (cliDebug) {
enableCliDebug();
}
if (entitlementsEnabled) {
enableEntitlements();
}
enableEntitlements();
}

@TaskAction
Expand Down
6 changes: 2 additions & 4 deletions ...ibution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@

import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.core.Booleans;
import org.elasticsearch.jdk.RuntimeVersionFeature;

import java.io.IOException;
Expand All @@ -28,9 +27,8 @@ static List<String> systemJvmOptions(Settings nodeSettings, final Map<String, St
String distroType = sysprops.get("es.distribution.type");
String javaType = sysprops.get("es.java.type");
boolean isHotspot = sysprops.getOrDefault("sun.management.compiler", "").contains("HotSpot");
boolean entitlementsExplicitlyEnabled = Booleans.parseBoolean(sysprops.getOrDefault("es.entitlements.enabled", "true"));
// java 24+ only supports entitlements, but it may be enabled on earlier versions explicitly
boolean useEntitlements = RuntimeVersionFeature.isSecurityManagerAvailable() == false || entitlementsExplicitlyEnabled;

boolean useEntitlements = true;
return Stream.of(
Stream.of(
/*
Expand Down
7 changes: 7 additions & 0 deletions docs/changelog/124865.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
pr: 124865
summary: "Permanently switch from Java SecurityManager to Entitlements.
With JDK24, the Java SecurityManager has been completely disabled. In order to retain an additional protection
mechanism, Elasticsearch is replacing SecurityManager with our own protection mechanism, Entitlements."
Copy link
Contributor

@mosche mosche Mar 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

optional nit

Suggested change
With JDK24, the Java SecurityManager has been completely disabled. In order to retain an additional protection
mechanism, Elasticsearch is replacing SecurityManager with our own protection mechanism, Entitlements."
With JDK24, the Java SecurityManager has been completely disabled. In order to retain a similar protection
mechanism, Elasticsearch is replacing SecurityManager with its own protection mechanism, Entitlements."

Copy link
Contributor

@mosche mosche Mar 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering, this makes it sound a bit like entitlements are just a JDK 24 thing. Should we explicitly mention that this is the case for all versions of ES supporting JDK 24 regardless of which JDK version used at runtime?

Copy link
Contributor

@mosche mosche Mar 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe like this?

Suggested change
With JDK24, the Java SecurityManager has been completely disabled. In order to retain an additional protection
mechanism, Elasticsearch is replacing SecurityManager with our own protection mechanism, Entitlements."
With JDK24, the Java SecurityManager has been completely disabled. In order to retain a similar protection
mechanism, Elasticsearch is replacing SecurityManager with its own protection mechanism, Entitlements.
This is the case for all versions of Elasticsearch supporting JDK24 regardless of the JDK version used at runtime."

Copy link
Contributor Author

@ldematte ldematte Mar 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I rephrased it so the focus in not on JDK 24 anymore, and stating we are making the switch permanently. But let me know if you think I should still add "This is the case for all versions of Elasticsearch supporting JDK24 regardless of the JDK version used at runtime."

Copy link
Contributor

@mosche mosche Mar 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's great 👍

area: Infra/Core
type: upgrade
issues: []
6 changes: 1 addition & 5 deletions modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,9 @@
import org.apache.tika.parser.ParserDecorator;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.bootstrap.FilePermissionUtils;
import org.elasticsearch.core.Booleans;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.jdk.JarHell;
import org.elasticsearch.jdk.RuntimeVersionFeature;

import java.io.ByteArrayInputStream;
import java.io.IOException;
Expand Down Expand Up @@ -129,9 +127,7 @@ static String parse(final byte content[], final Metadata metadata, final int lim
: null;

private static boolean isUsingSecurityManager() {
boolean entitlementsEnabled = Booleans.parseBoolean(System.getProperty("es.entitlements.enabled"), false)
|| RuntimeVersionFeature.isSecurityManagerAvailable() == false;
return entitlementsEnabled == false;
return false;
}

// compute some minimal permissions for parsers. they only get r/w access to the java temp directory,
Expand Down
6 changes: 2 additions & 4 deletions server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@
import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.util.concurrent.RunOnce;
import org.elasticsearch.core.AbstractRefCounted;
import org.elasticsearch.core.Booleans;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.IOUtils;
import org.elasticsearch.core.SuppressForbidden;
Expand Down Expand Up @@ -126,9 +125,8 @@ private static Bootstrap initPhase1() {
final PrintStream out = getStdout();
final PrintStream err = getStderr();
final ServerArgs args;
final boolean entitlementsEnabled = Booleans.parseBoolean(System.getProperty("es.entitlements.enabled", "true"));
// java 24+ only supports entitlements, but it may be enabled on earlier versions explicitly
final boolean useEntitlements = RuntimeVersionFeature.isSecurityManagerAvailable() == false || entitlementsEnabled;

final boolean useEntitlements = true;
try {
initSecurityProperties();

Expand Down
2 changes: 1 addition & 1 deletion ...ample-spi-extension/src/main/java/org/elasticsearch/example/ExampleSecurityExtension.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
public class ExampleSecurityExtension implements SecurityExtension {

static {
final boolean useEntitlements = Boolean.parseBoolean(System.getProperty("es.entitlements.enabled"));
final boolean useEntitlements = true;
if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) {
// check that the extension's policy works.
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
Expand Down