Skip to content

Add exclusive file entitlement for settings #125272

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Mar 31, 2025
Merged

Add exclusive file entitlement for settings #125272

merged 14 commits into from
Mar 31, 2025

Conversation

@jdconrad
Copy link
Contributor

@jdconrad jdconrad commented Mar 19, 2025

Adds changes to ensure the correct caller's module is checked for exclusive file settings.

ES-11136

@jdconrad jdconrad requested a review from a team as a code owner March 19, 2025 22:58
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Mar 19, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Mar 19, 2025

Pinging @elastic/es-core-infra (Team:Core/Infra)

rjernst
rjernst approved these changes Mar 20, 2025
View reviewed changes
Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

server/src/main/java/org/elasticsearch/reservedstate/service/FileSettingsService.java

@Override
protected Path filesSetLastModifiedTime(Path path, FileTime time) throws IOException {
return Files.setLastModifiedTime(path, time);
Copy link
Member

@rjernst rjernst Mar 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how this one is working right now since we only have read access. IIRC this is an edge case for when we restore from a snapshot. We should (as a followup) re-consider how restoring from snapshots should interact with file settings because this breaks the rule that we want to use, only allowing read access to the config directory.

Copy link
Contributor Author

@jdconrad jdconrad Mar 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed.

...nt/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java Outdated
FileData.ofRelativePath(Path.of(""), SHARED_REPO, READ_WRITE),

// exclusive settings file
FileData.ofRelativePath(Path.of("operator/settings.json"), CONFIG, READ).withExclusive(true),
Copy link
Member

@rjernst rjernst Mar 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately I think this needs to be READ_WRITE, see my other comment.

Copy link
Contributor Author

@jdconrad jdconrad Mar 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed.

@jdconrad
Copy link
Contributor Author

jdconrad commented Mar 20, 2025

@elasticmachine run elasticsearch-ci/part-3

@elasticsearchmachine elasticsearchmachine added the serverless-linked Added by automation, don't add manually label Mar 21, 2025
@jdconrad
Copy link
Contributor Author

jdconrad commented Mar 24, 2025

@elasticmachine run elasticsearch-ci/part-3

@jdconrad jdconrad merged commit 0e5bd3c into elastic:main Mar 31, 2025
22 checks passed
jdconrad added a commit to jdconrad/elasticsearch that referenced this pull request Mar 31, 2025
@jdconrad
Backport: Add exclusive file entitlement for settings (elastic#125272)
f2cdba1
@jdconrad jdconrad mentioned this pull request Mar 31, 2025
Merged
elasticsearchmachine pushed a commit that referenced this pull request Apr 1, 2025
@jdconrad
Backport: Add exclusive file entitlement for settings (#125272) (#126006
3b303f6 
)
afoucret pushed a commit to afoucret/elasticsearch that referenced this pull request Apr 1, 2025
@jdconrad @afoucret
Add exclusive file entitlement for settings (elastic#125272)
913b79f 
Adds changes to ensure the correct caller's module is checked for exclusive file settings.
jdconrad added a commit to jdconrad/elasticsearch that referenced this pull request Apr 1, 2025
@jdconrad
Backport: Add exclusive file entitlement for settings (elastic#125272) (
4d86e3c 
elastic#126006)
@jdconrad jdconrad mentioned this pull request Apr 1, 2025
Merged
elasticsearchmachine pushed a commit that referenced this pull request Apr 1, 2025
@jdconrad
Backport: Add exclusive file entitlement for settings (#125272) (#126006
1c234ff 
) (#126059)
@jdconrad jdconrad mentioned this pull request Apr 1, 2025
Merged
jdconrad added a commit to jdconrad/elasticsearch that referenced this pull request Apr 1, 2025
@jdconrad
Backport: Add exclusive file entitlement for settings (elastic#125272) (
8a5b234 
elastic#126006) (elastic#126059)
elasticsearchmachine pushed a commit that referenced this pull request Apr 1, 2025
@jdconrad
Backport: Add exclusive file entitlement for settings (#125272) (#126006
e82f589 
) (#126059) (#126067)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjernst rjernst rjernst approved these changes

Assignees

No one assigned

Labels

:Core/Infra/Entitlements Entitlements infrastructure >non-issue serverless-linked Added by automation, don't add manually Team:Core/Infra Meta label for core/infra team v8.18.1 v8.19.0 v9.0.1 v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jdconrad @elasticsearchmachine @rjernst