diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtils.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtils.java
index b921ef1428816..7e8232a9a11a3 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtils.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtils.java
@@ -49,29 +49,34 @@ public record PluginData(Path pluginPath, boolean isModular, boolean isExternalP
 private static final String POLICY_FILE_NAME = "entitlement-policy.yaml";
- public static Map createPluginPolicies(Collection pluginData, Map overrides, String version)
- throws IOException {
+ public static Map createPluginPolicies(
+ Collection pluginData,
+ Map pluginPolicyPatches,
+ String version
+ ) throws IOException {
 Map pluginPolicies = new HashMap<>(pluginData.size());
 for (var entry : pluginData) {
 Path pluginRoot = entry.pluginPath();
+ Path policyFile = pluginRoot.resolve(POLICY_FILE_NAME);
 String pluginName = pluginRoot.getFileName().toString();
 final Set moduleNames = getModuleNames(pluginRoot, entry.isModular());
- var overriddenPolicy = parseEncodedPolicyIfExists(
- overrides.get(pluginName),
+ var pluginPolicyPatch = parseEncodedPolicyIfExists(
+ pluginPolicyPatches.get(pluginName),
 version,
 entry.isExternalPlugin(),
 pluginName,
 moduleNames
 );
- if (overriddenPolicy != null) {
- pluginPolicies.put(pluginName, overriddenPolicy);
- } else {
- Path policyFile = pluginRoot.resolve(POLICY_FILE_NAME);
- var policy = parsePolicyIfExists(pluginName, policyFile, entry.isExternalPlugin());
- validatePolicyScopes(pluginName, policy, moduleNames, policyFile.toString());
- pluginPolicies.put(pluginName, policy);
- }
+ var pluginPolicy = parsePolicyIfExists(pluginName, policyFile, entry.isExternalPlugin());
+ validatePolicyScopes(pluginName, pluginPolicy, moduleNames, policyFile.toString());
+
+ pluginPolicies.put(
+ pluginName,
+ pluginPolicyPatch == null
+ ? pluginPolicy
+ : new Policy(pluginPolicy.name(), PolicyUtils.mergeScopes(pluginPolicy.scopes(), pluginPolicyPatch.scopes()))
+ );
 }
 return pluginPolicies;
 }
diff --git a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
index 7c037f03d00b9..d09ea4dadf19d 100644
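Review bot: The merge branch of `pluginPolicies.put(...)` leaves no record that a plugin is running with a policy other than its shipped `entitlement-policy.yaml`; nothing visible in this hunk logs when `pluginPolicyPatch` is non-null, so unless `parseEncodedPolicyIfExists` already does it (its body is not shown), an operator cannot tell from the logs which plugins had entitlements added through a system property. I would log the plugin name once whenever a patch is merged, and document the new contract on the method, e.g. `/** Builds each plugin's policy from its entitlement-policy.yaml; a patch supplied for the plugin name is merged into that policy via mergeScopes rather than replacing it. */`. The on-disk file is now parsed and validated even when a patch is present, which the same Javadoc should mention, since a patch can no longer stand in for a missing or rejected file (how `parsePolicyIfExists` treats a missing file is not visible here).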
--- a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
+++ b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
@@ -86,8 +86,8 @@
 */
 class Elasticsearch {
- private static final String PLUGIN_POLICY_OVERRIDE_PREFIX = "es.entitlements.policy.";
- private static final String SERVER_POLICY_OVERRIDE = "es.entitlements.server_policy";
+ private static final String POLICY_PATCH_PREFIX = "es.entitlements.policy.";
+ private static final String SERVER_POLICY_PATCH_NAME = POLICY_PATCH_PREFIX + "server";
 /**
 * Main entry point for starting elasticsearch.
@@ -253,10 +253,10 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
 .map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true))
 ).toList();
- var pluginPolicyOverrides = collectPluginPolicyOverrides(modulesBundles, pluginsBundles, logger);
- var pluginPolicies = PolicyUtils.createPluginPolicies(pluginData, pluginPolicyOverrides, Build.current().version());
+ var pluginPolicyPatches = collectPluginPolicyPatches(modulesBundles, pluginsBundles, logger);
+ var pluginPolicies = PolicyUtils.createPluginPolicies(pluginData, pluginPolicyPatches, Build.current().version());
 var serverPolicyPatch = PolicyUtils.parseEncodedPolicyIfExists(
- System.getProperty(SERVER_POLICY_OVERRIDE),
+ System.getProperty(SERVER_POLICY_PATCH_NAME),
 Build.current().version(),
 false,
 "server",
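Review bot: The old property `es.entitlements.server_policy` is now ignored silently: `SERVER_POLICY_PATCH_NAME` resolves to `es.entitlements.policy.server`, and nothing in the visible hunks warns when the old name is still set, so a deployment that keeps passing it would start without its server patch and without any log line. A one-time warning when `System.getProperty("es.entitlements.server_policy")` is non-null would make that visible. The new name also reserves `server` inside the plugin namespace, which I would state next to the constant: `// "server" is reserved: a plugin with this name cannot be patched through es.entitlements.policy.<name>`. The class body continues outside the hunk.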
@@ -331,33 +331,36 @@ private static void logSystemInfo() {
 }
 }
- private static Map collectPluginPolicyOverrides(
+ private static Map collectPluginPolicyPatches(
 Set modulesBundles,
 Set pluginsBundles,
 Logger logger
 ) {
- var policyOverrides = new HashMap();
+ var policyPatches = new HashMap();
 var systemProperties = BootstrapInfo.getSystemProperties();
 systemProperties.keys().asIterator().forEachRemaining(key -> {
 var value = systemProperties.get(key);
- if (key instanceof String k && k.startsWith(PLUGIN_POLICY_OVERRIDE_PREFIX) && value instanceof String v) {
- policyOverrides.put(k.substring(PLUGIN_POLICY_OVERRIDE_PREFIX.length()), v);
+ if (key instanceof String k
+ && value instanceof String v
+ && k.startsWith(POLICY_PATCH_PREFIX)
+ && k.equals(SERVER_POLICY_PATCH_NAME) == false) {
+ policyPatches.put(k.substring(POLICY_PATCH_PREFIX.length()), v);
 }
 });
 var pluginNames = Stream.concat(modulesBundles.stream(), pluginsBundles.stream())
 .map(bundle -> bundle.pluginDescriptor().getName())
 .collect(Collectors.toUnmodifiableSet());
- for (var overriddenPluginName : policyOverrides.keySet()) {
- if (pluginNames.contains(overriddenPluginName) == false) {
+ for (var patchedPluginName : policyPatches.keySet()) {
+ if (pluginNames.contains(patchedPluginName) == false) {
 logger.warn(
- "Found command-line override for unknown plugin [{}] (available plugins: [{}])",
- overriddenPluginName,
+ "Found command-line policy patch for unknown plugin [{}] (available plugins: [{}])",
+ patchedPluginName,
 String.join(", ", pluginNames)
 );
 }
 }
- return policyOverrides;
+ return policyPatches;
 }
 private static class EntitlementSelfTester {
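Review bot: The unknown-plugin check in `collectPluginPolicyPatches` compares patch names with `bundle.pluginDescriptor().getName()`, while `createPluginPolicies` looks patches up by `pluginRoot.getFileName().toString()`, i.e. the bundle directory name. If those two can differ for a bundle (not determinable from this diff), a patch could pass this check and never be applied, or trigger the warning and still be merged. Deriving both from the same value would close the gap, for example `.map(bundle -> bundle.getDir().getFileName().toString())` here, or carrying the descriptor name in `PluginData`. Patches for unknown names are also still returned in the map after the warning; that is harmless only as long as lookups stay keyed by known plugin names.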