@ldematte ldematte commented Mar 14, 2025

This PR adds a mechanism to patch the server layer policy by merging entitlements from a policy provided via a system property (merge, not replace).

Since this is in server, it's difficult to test this with IT tests, so I ended up adding unit tests + testing manually, via

./gradlew run --debug-jvm -Dtests.jvm.argline="-Des.entitlements.server_policy=<base64 policy>"

  1. add an entitlement to an existing scope:
versions:
  - 9.1.0
policy:
  java.desktop:
    - manage_threads

with base64

dmVyc2lvbnM6CiAgLSA5LjEuMApwb2xpY3k6CiAgamF2YS5kZXNrdG9wOgogICAgLSBtYW5hZ2VfdGhyZWFkcw==

Policy is parsed and patched

[2025-03-17T08:19:38,577][INFO ][o.e.e.r.p.PolicyUtils    ] [runTask-0] Using policy patch for layer [server]

Verified with the debugger that the entitlement is actually added to the scope.

  2. add an entitlement to a new scope:
versions:
  - 9.1.0
policy:
  org.jruby.jcodings:
    - manage_threads

with base64

dmVyc2lvbnM6CiAgLSA5LjEuMApwb2xpY3k6CiAgb3JnLmpydWJ5Lmpjb2RpbmdzOgogICAgLSBtYW5hZ2VfdGhyZWFkcw==

Policy is parsed and patched

[2025-03-17T08:19:38,577][INFO ][o.e.e.r.p.PolicyUtils    ] [runTask-0] Using policy patch for layer [server]

Verified with the debugger that the scope with the entitlement is actually added to the policy.

  3. try to add an invalid policy:
versions:
  - 9.1.0
policy:
  java.xml:
    - manage_threads

with base64

dmVyc2lvbnM6CiAgLSA5LjEuMApwb2xpY3k6CiAgamF2YS54bWw6CiAgICAtIG1hbmFnZV90aHJlYWRz

Policy is parsed and discarded

[2025-03-17T08:24:20,930][WARN ][o.e.e.r.p.PolicyUtils    ] [runTask-0] Found a policy patch with invalid content. The patch will not be applied. Layer [server]
java.lang.IllegalStateException: Invalid module name in policy: layer [server] does not have module [java.xml]; available modules [org.elasticsearch.plugin.analysis, org.jruby.jcodings, org.apache.lucene.suggest, org.elasticsearch.cli, org.apache.lucene.core, org.elasticsearch.xcontent, org.elasticsearch.lz4, org.elasticsearch.geo, org.elasticsearch.simdvec, ecs.logging.core, org.apache.logging.log4j, org.apache.lucene.sandbox, org.apache.lucene.queryparser, org.lz4.java, org.apache.lucene.memory, org.elasticsearch.tdigest, log4j2.ecs.layout, org.jruby.joni, org.apache.lucene.queries, org.apache.logging.log4j.core, org.elasticsearch.nativeaccess, org.elasticsearch.grok, org.apache.lucene.grouping, jopt.simple, org.apache.lucene.analysis.common, org.apache.lucene.misc, org.apache.lucene.join, org.apache.lucene.backward_codecs, org.elasticsearch.securesm, HdrHistogram, java.desktop, org.apache.lucene.highlighter, org.elasticsearch.logging, org.apache.lucene.facet, org.elasticsearch.base, hppc, org.elasticsearch.server, org.elasticsearch.plugin]; policy path [<patch>]

Relates to ES-11009
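
An added example, not part of the PR or of the Elasticsearch code base: a small Python check that decodes the three base64 values above and applies the merge-or-discard behaviour the description reports. The function names, the base policy and the trimmed module set are assumptions made for the illustration, and the parser handles only the two-level shape shown in this description.

```python
import base64

# Patch values copied from the PR description above.
PATCH_EXISTING = "dmVyc2lvbnM6CiAgLSA5LjEuMApwb2xpY3k6CiAgamF2YS5kZXNrdG9wOgogICAgLSBtYW5hZ2VfdGhyZWFkcw=="
PATCH_NEW = "dmVyc2lvbnM6CiAgLSA5LjEuMApwb2xpY3k6CiAgb3JnLmpydWJ5Lmpjb2RpbmdzOgogICAgLSBtYW5hZ2VfdGhyZWFkcw=="
PATCH_INVALID = "dmVyc2lvbnM6CiAgLSA5LjEuMApwb2xpY3k6CiAgamF2YS54bWw6CiAgICAtIG1hbmFnZV90aHJlYWRz"
# Constructed sample data: a subset of the module list in the log line above
# and a made-up base policy (not the real server policy).
LAYER_MODULES = {"java.desktop", "org.jruby.jcodings", "org.elasticsearch.server"}
BASE = {"java.desktop": ["outbound_network"]}

def parse_policy(text):
    """Parse 'versions' and 'policy: scope: - entitlement'. Not a YAML parser:
    anything else (e.g. entitlements with parameters) raises ValueError."""
    versions, policy, section, scope = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw == line and line.endswith(":"):        # unindented top-level key
            section, scope = line[:-1], None
        elif section == "versions" and line.startswith("- "):
            versions.append(line[2:])
        elif section == "policy" and line.endswith(":"):
            scope = line[:-1]
            policy.setdefault(scope, [])
        elif section == "policy" and scope and line.startswith("- "):
            policy[scope].append(line[2:])
        else:
            raise ValueError(f"unsupported policy line: {raw!r}")
    return versions, policy

def apply_patch(base, patch_b64, layer_modules):
    """Return (policy, applied). A patch only adds scopes and entitlements;
    one that names a module outside the layer is discarded as a whole."""
    text = base64.b64decode(patch_b64, validate=True).decode("utf-8")
    _versions, patch = parse_policy(text)
    if set(patch) - set(layer_modules):
        return base, False
    merged = {scope: list(ents) for scope, ents in base.items()}
    for scope, ents in patch.items():
        target = merged.setdefault(scope, [])
        target.extend(e for e in ents if e not in target)
    return merged, True

if __name__ == "__main__":
    for name in ("PATCH_EXISTING", "PATCH_NEW", "PATCH_INVALID"):
        print(name, apply_patch(BASE, globals()[name], LAYER_MODULES))
```

Running the same decode over a `-Des.entitlements.server_policy` value found in a node's JVM options shows which entitlements it would add before the node is started.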

@ldematte ldematte added the :Core/Infra/Entitlements Entitlements infrastructure label Mar 14, 2025
@ldematte ldematte added >non-issue auto-backport Automatically create backport pull requests when merged v8.18.1 v8.19.0 v9.0.1 labels Mar 14, 2025
@ldematte ldematte marked this pull request as ready for review March 14, 2025 22:25
@ldematte ldematte requested a review from a team as a code owner March 14, 2025 22:25
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Mar 14, 2025
@elasticsearchmachine

Pinging @elastic/es-core-infra (Team:Core/Infra)

@mosche mosche left a comment

LGTM 👍

Might have missed this, but wondering why we're handling server and plugin overrides differently. Plugin overrides always require the full policy; for server we merge a patch with the existing policy. Considering we're supporting merges, should we do the same for plugins, or do we want to be able to remove entitlements this way as well (e.g. to fix a security issue)?

If handling plugins and server consistently, we might as well use es.entitlements.policy.server for the server patch.

@ldematte

> but wondering why we're handling server and plugin overrides differently. Plugin overrides always require the full policy; for server we merge a patch with the existing policy. Considering we're supporting merges, should we do the same for plugins, or do we want to be able to remove entitlements this way as well (e.g. to fix a security issue)?

Yes, I have a follow-up PR for that, should be ready this morning.

@ldematte ldematte merged commit ef3b835 into elastic:main Mar 17, 2025
18 checks passed
@ldematte ldematte deleted the entitlements/policy-override-server branch March 17, 2025 11:00
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Mar 17, 2025
…24904)

This PR adds a mechanism to patch the server layer policy by merging entitlements from a policy provided via a system property (merge, not replace).
@elasticsearchmachine

💚 Backport successful

Status Branch Result
8.18
8.x
9.0

@ldematte

Follow-up here: #125011

elasticsearchmachine pushed a commit that referenced this pull request Mar 17, 2025
…125009)

This PR adds a mechanism to patch the server layer policy by merging entitlements from a policy provided via a system property (merge, not replace).
elasticsearchmachine pushed a commit that referenced this pull request Mar 17, 2025
…4904) (#125008)

* [Entitlements] Server policy patching via system property (#124904)

This PR adds a mechanism to patch the server layer policy by merging entitlements from a policy provided via a system property (merge, not replace).

* change to support 8.x language level
elasticsearchmachine pushed a commit that referenced this pull request Mar 17, 2025
…24904) (#125007)

* [Entitlements] Server policy patching via system property (#124904)

This PR adds a mechanism to patch the server layer policy by merging entitlements from a policy provided via a system property (merge, not replace).

* change to support 8.x language level
ldematte added a commit that referenced this pull request Mar 18, 2025
With #124904 we introduced server policy patching via system properties; now that we have the possibility to merge policies and scopes, it's worth applying the same mechanism to plugin policies too.

This PR changes the behaviour of plugin policy overrides; now they are not replacing the policy entirely, but patch it by adding the entitlements and scopes specified in the "patch policy"
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Mar 18, 2025
…5011)

With elastic#124904 we introduced server policy patching via system properties; now that we have the possibility to merge policies and scopes, it's worth applying the same mechanism to plugin policies too.

This PR changes the behaviour of plugin policy overrides; now they are not replacing the policy entirely, but patch it by adding the entitlements and scopes specified in the "patch policy"
elasticsearchmachine pushed a commit that referenced this pull request Mar 18, 2025
…125086)

With #124904 we introduced server policy patching via system properties; now that we have the possibility to merge policies and scopes, it's worth applying the same mechanism to plugin policies too.

This PR changes the behaviour of plugin policy overrides; now they are not replacing the policy entirely, but patch it by adding the entitlements and scopes specified in the "patch policy"
elasticsearchmachine pushed a commit that referenced this pull request Mar 18, 2025
…125087)

With #124904 we introduced server policy patching via system properties; now that we have the possibility to merge policies and scopes, it's worth applying the same mechanism to plugin policies too.

This PR changes the behaviour of plugin policy overrides; now they are not replacing the policy entirely, but patch it by adding the entitlements and scopes specified in the "patch policy"
ldematte added a commit that referenced this pull request Mar 18, 2025
…125078)

With #124904 we introduced server policy patching via system properties; now that we have the possibility to merge policies and scopes, it's worth applying the same mechanism to plugin policies too.

This PR changes the behaviour of plugin policy overrides; now they are not replacing the policy entirely, but patch it by adding the entitlements and scopes specified in the "patch policy"
omricohenn pushed a commit to omricohenn/elasticsearch that referenced this pull request Mar 28, 2025
…24904)

This PR adds a mechanism to patch the server layer policy by merging entitlements from a policy provided via a system property (merge, not replace).
omricohenn pushed a commit to omricohenn/elasticsearch that referenced this pull request Mar 28, 2025
…5011)

With elastic#124904 we introduced server policy patching via system properties; now that we have the possibility to merge policies and scopes, it's worth applying the same mechanism to plugin policies too.

This PR changes the behaviour of plugin policy overrides; now they are not replacing the policy entirely, but patch it by adding the entitlements and scopes specified in the "patch policy"
Labels

auto-backport Automatically create backport pull requests when merged :Core/Infra/Entitlements Entitlements infrastructure >non-issue Team:Core/Infra Meta label for core/infra team v8.18.1 v8.19.0 v9.0.1 v9.1.0
