From 7173cd72e50ed1476bd8f4c836bd4549aea0b095 Mon Sep 17 00:00:00 2001 From: Lorenzo Dematte Date: Fri, 18 Apr 2025 16:05:38 +0200 Subject: [PATCH 1/4] add entitlements known issues --- docs/release-notes/known-issues.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/release-notes/known-issues.md b/docs/release-notes/known-issues.md index 7279c95eff6eb..71def64533cdd 100644 --- a/docs/release-notes/known-issues.md +++ b/docs/release-notes/known-issues.md 
@@ -7,3 +7,13 @@ mapped_pages: # Elasticsearch known issues [elasticsearch-known-issues] Known issues are significant defects or limitations that may impact your implementation. These issues are actively being worked on and will be addressed in a future release. Review the Elasticsearch known issues to help you make informed decisions, such as upgrading to a new version. +## 9.0.0 [elasticsearch-9.0.0-known-issues] +* Elasticsearch on Windows may fail to start, or it may forbid some file-related operations, when referencing paths with a case different from the one stored by the filesystem. Windows paths are treated in a case-sensitive way, but the filesystem stores them with case. _Entitlements_, the new security system used by Elasticsearch, treat all paths as case-sensitive, and can therefore prevent access to a path that should be accessible. An example: if Elasticsearch is installed in `C:\ELK\elasticsearch`, and you try to launch it as `c:\elk\elasticsearch\bin\elasticsearch.bat`, you will get a `NotEntitledException` while booting. We block access to `c:\elk\elasticsearch` as it does not match with `C:\ELK\elasticsearch`.\ +As a workaround, please ensure that all paths you specify (command line, config files, etc.) have the same casing as stored in the filesystem (i.e. the exact same files and directory names as showed in Windows Explorer on in `cmd`). +* Active Directory Authentication is blocked by default; _Entitlements_, the new security system used by Elasticsearch, has a policy for the `x-pack-core` module that is too restrictive, and does not allow the LDAP library used for AD authentication to perform outbound network connections. 
\ +The workaround is to patch the policy for `x-pack-core` to add a `outbound_network` entitlement to the LDAP library: + + unboundid.ldapsdk: + - set_https_connection_properties + - outbound_network + This can be done by adding `-Des.entitlements.policy.x-pack-core=dmVyc2lvbnM6CiAgLSA4LjE4LjAKICAtIDkuMC4wCnBvbGljeToKICB1bmJvdW5kaWQubGRhcHNkazoKICAgIC0gc2V0X2h0dHBzX2Nvbm5lY3Rpb25fcHJvcGVydGllcwogICAgLSBvdXRib3VuZF9uZXR3b3Jr`to the JVM options for Elasticsearch. See the [JVM settings](https://www.elastic.co/docs/reference/elasticsearch/jvm-settings) docs. From 3c6a37417d031be4da9208b47e18a617786d0a85 Mon Sep 17 00:00:00 2001 From: Lorenzo Dematte Date: Fri, 18 Apr 2025 16:59:26 +0200 Subject: [PATCH 2/4] fixes --- docs/release-notes/known-issues.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/release-notes/known-issues.md b/docs/release-notes/known-issues.md index 71def64533cdd..4324e07a5759f 100644 --- a/docs/release-notes/known-issues.md +++ b/docs/release-notes/known-issues.md 
@@ -8,12 +8,8 @@ mapped_pages: Known issues are significant defects or limitations that may impact your implementation. These issues are actively being worked on and will be addressed in a future release. Review the Elasticsearch known issues to help you make informed decisions, such as upgrading to a new version. ## 9.0.0 [elasticsearch-9.0.0-known-issues] -* Elasticsearch on Windows may fail to start, or it may forbid some file-related operations, when referencing paths with a case different from the one stored by the filesystem. Windows paths are treated in a case-sensitive way, but the filesystem stores them with case. _Entitlements_, the new security system used by Elasticsearch, treat all paths as case-sensitive, and can therefore prevent access to a path that should be accessible. An example: if Elasticsearch is installed in `C:\ELK\elasticsearch`, and you try to launch it as `c:\elk\elasticsearch\bin\elasticsearch.bat`, you will get a `NotEntitledException` while booting. We block access to `c:\elk\elasticsearch` as it does not match with `C:\ELK\elasticsearch`.\ +* Elasticsearch on Windows may fail to start, or it may forbid some file-related operations, when referencing paths with a case different from the one stored by the filesystem. Windows treats paths in a case-insensitive way, but the filesystem stores them with case. _Entitlements_, the new security system used by Elasticsearch, treat all paths as case-sensitive, and can therefore prevent access to a path that should be accessible. An example: if Elasticsearch is installed in `C:\ELK\elasticsearch`, and you try to launch it as `c:\elk\elasticsearch\bin\elasticsearch.bat`, you will get a `NotEntitledException` while booting. We block access to `c:\elk\elasticsearch` as it does not match with `C:\ELK\elasticsearch`.\ As a workaround, please ensure that all paths you specify (command line, config files, etc.) have the same casing as stored in the filesystem (i.e. 
the exact same files and directory names as showed in Windows Explorer on in `cmd`). * Active Directory Authentication is blocked by default; _Entitlements_, the new security system used by Elasticsearch, has a policy for the `x-pack-core` module that is too restrictive, and does not allow the LDAP library used for AD authentication to perform outbound network connections. \ -The workaround is to patch the policy for `x-pack-core` to add a `outbound_network` entitlement to the LDAP library: - - unboundid.ldapsdk: - - set_https_connection_properties - - outbound_network - This can be done by adding `-Des.entitlements.policy.x-pack-core=dmVyc2lvbnM6CiAgLSA4LjE4LjAKICAtIDkuMC4wCnBvbGljeToKICB1bmJvdW5kaWQubGRhcHNkazoKICAgIC0gc2V0X2h0dHBzX2Nvbm5lY3Rpb25fcHJvcGVydGllcwogICAgLSBvdXRib3VuZF9uZXR3b3Jr`to the JVM options for Elasticsearch. See the [JVM settings](https://www.elastic.co/docs/reference/elasticsearch/jvm-settings) docs. +This is fixed by patching the policy for `x-pack-core` to add a `outbound_network` entitlement for the LDAP library to include the correct entitlements (see [PR #126992](https://github.com/elastic/elasticsearch/pull/126992)).\ + As a workaround, the policy can be temporarily patched via a JVM option: create a file called `${ES_CONF_PATH}/jvm_options/workaround-127061.options` and add this line `-Des.entitlements.policy.x-pack-core=dmVyc2lvbnM6CiAgLSA4LjE4LjAKICAtIDkuMC4wCnBvbGljeToKICB1bmJvdW5kaWQubGRhcHNkazoKICAgIC0gc2V0X2h0dHBzX2Nvbm5lY3Rpb25fcHJvcGVydGllcwogICAgLSBvdXRib3VuZF9uZXR3b3Jr` to the file. See the [JVM settings](https://www.elastic.co/docs/reference/elasticsearch/jvm-settings) docs for more details. From 1c935aa24a2817e246337cba5f9b3531cad18b68 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lorenzo=20Dematt=C3=A9?= Date: Tue, 22 Apr 2025 09:14:26 +0200 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- docs/release-notes/known-issues.md | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/docs/release-notes/known-issues.md b/docs/release-notes/known-issues.md index 4324e07a5759f..ad832a1dc2b65 100644 --- a/docs/release-notes/known-issues.md +++ b/docs/release-notes/known-issues.md 
@@ -8,8 +8,20 @@ mapped_pages: Known issues are significant defects or limitations that may impact your implementation. These issues are actively being worked on and will be addressed in a future release. Review the Elasticsearch known issues to help you make informed decisions, such as upgrading to a new version. ## 9.0.0 [elasticsearch-9.0.0-known-issues] -* Elasticsearch on Windows may fail to start, or it may forbid some file-related operations, when referencing paths with a case different from the one stored by the filesystem. Windows treats paths in a case-insensitive way, but the filesystem stores them with case. _Entitlements_, the new security system used by Elasticsearch, treat all paths as case-sensitive, and can therefore prevent access to a path that should be accessible. An example: if Elasticsearch is installed in `C:\ELK\elasticsearch`, and you try to launch it as `c:\elk\elasticsearch\bin\elasticsearch.bat`, you will get a `NotEntitledException` while booting. We block access to `c:\elk\elasticsearch` as it does not match with `C:\ELK\elasticsearch`.\ -As a workaround, please ensure that all paths you specify (command line, config files, etc.) have the same casing as stored in the filesystem (i.e. the exact same files and directory names as showed in Windows Explorer on in `cmd`). -* Active Directory Authentication is blocked by default; _Entitlements_, the new security system used by Elasticsearch, has a policy for the `x-pack-core` module that is too restrictive, and does not allow the LDAP library used for AD authentication to perform outbound network connections. 
\ -This is fixed by patching the policy for `x-pack-core` to add a `outbound_network` entitlement for the LDAP library to include the correct entitlements (see [PR #126992](https://github.com/elastic/elasticsearch/pull/126992)).\ - As a workaround, the policy can be temporarily patched via a JVM option: create a file called `${ES_CONF_PATH}/jvm_options/workaround-127061.options` and add this line `-Des.entitlements.policy.x-pack-core=dmVyc2lvbnM6CiAgLSA4LjE4LjAKICAtIDkuMC4wCnBvbGljeToKICB1bmJvdW5kaWQubGRhcHNkazoKICAgIC0gc2V0X2h0dHBzX2Nvbm5lY3Rpb25fcHJvcGVydGllcwogICAgLSBvdXRib3VuZF9uZXR3b3Jr` to the file. See the [JVM settings](https://www.elastic.co/docs/reference/elasticsearch/jvm-settings) docs for more details. +* Elasticsearch on Windows might fail to start, or might forbid some file-related operations, when referencing paths with a case different from the one stored by the filesystem. Windows treats paths as case-insensitive, but the filesystem stores them with case. Entitlements, the new security system used by Elasticsearch, treat all paths as case-sensitive, and can therefore prevent access to a path that should be accessible. + + For example: If Elasticsearch is installed in `C:\ELK\elasticsearch`, and you try to launch it as `c:\elk\elasticsearch\bin\elasticsearch.bat`, you will get a `NotEntitledException` while booting. This is because Elasticsearch blocks access to `c:\elk\elasticsearch`, because does not match `C:\ELK\elasticsearch`. + + As a workaround, make sure that all paths you specify have the same casing as the paths stored in the filesystem. Files and directory names should be entered as they appear in Windows Explorer or in a command prompt. This applies to paths specified in the command line, config files, and other locations. +* Active Directory authentication is blocked by default. 
Entitlements, the new security system used by Elasticsearch, has a policy for the `x-pack-core` module that is too restrictive, and does not allow the LDAP library used for AD authentication to perform outbound network connections. This issue will be fixed in a future patch release (see [PR #126992](https://github.com/elastic/elasticsearch/pull/126992)). + + As a workaround, you can temporarily patch the policy using a JVM option: + + 1. Create a file called `${ES_CONF_PATH}/jvm_options/workaround-127061.options`. + 2. Add the following line to the new file: + + ``` + -Des.entitlements.policy.x-pack-core=dmVyc2lvbnM6CiAgLSA4LjE4LjAKICAtIDkuMC4wCnBvbGljeToKICB1bmJvdW5kaWQubGRhcHNkazoKICAgIC0gc2V0X2h0dHBzX2Nvbm5lY3Rpb25fcHJvcGVydGllcwogICAgLSBvdXRib3VuZF9uZXR3b3Jr + ``` + + For information about editing your JVM settings, refer to [JVM settings](https://www.elastic.co/docs/reference/elasticsearch/jvm-settings). From b8f02144acd1fd7cc3b991a07ad10add80467917 Mon Sep 17 00:00:00 2001 From: Lorenzo Dematte Date: Tue, 22 Apr 2025 09:22:56 +0200 Subject: [PATCH 4/4] PR comments --- docs/release-notes/known-issues.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/release-notes/known-issues.md b/docs/release-notes/known-issues.md index ad832a1dc2b65..56b135ea9ff69 100644 --- a/docs/release-notes/known-issues.md +++ b/docs/release-notes/known-issues.md 
@@ -8,18 +8,20 @@ mapped_pages: Known issues are significant defects or limitations that may impact your implementation. These issues are actively being worked on and will be addressed in a future release. Review the Elasticsearch known issues to help you make informed decisions, such as upgrading to a new version. ## 9.0.0 [elasticsearch-9.0.0-known-issues] -* Elasticsearch on Windows might fail to start, or might forbid some file-related operations, when referencing paths with a case different from the one stored by the filesystem. Windows treats paths as case-insensitive, but the filesystem stores them with case. Entitlements, the new security system used by Elasticsearch, treat all paths as case-sensitive, and can therefore prevent access to a path that should be accessible. +* Elasticsearch on Windows might fail to start, or might forbid some file-related operations, when referencing paths with a case different from the one stored by the filesystem. Windows treats paths as case-insensitive, but the filesystem stores them with case. Entitlements, the new security system used by Elasticsearch, treat all paths as case-sensitive, and can therefore prevent access to a path that should be accessible. + + For example: If Elasticsearch is installed in `C:\ELK\elasticsearch`, and you try to launch it as `c:\elk\elasticsearch\bin\elasticsearch.bat`, you will get a `NotEntitledException` while booting. This is because Elasticsearch blocks access to `c:\elk\elasticsearch`, because does not match `C:\ELK\elasticsearch`. \ +This issue will be fixed in a future patch release (see [PR #126990](https://github.com/elastic/elasticsearch/pull/126990)). + + As a workaround, make sure that all paths you specify have the same casing as the paths stored in the filesystem. Files and directory names should be entered as they appear in Windows Explorer or in a command prompt. This applies to paths specified in the command line, config files, environment variables and secure settings. 
- For example: If Elasticsearch is installed in `C:\ELK\elasticsearch`, and you try to launch it as `c:\elk\elasticsearch\bin\elasticsearch.bat`, you will get a `NotEntitledException` while booting. This is because Elasticsearch blocks access to `c:\elk\elasticsearch`, because does not match `C:\ELK\elasticsearch`. - - As a workaround, make sure that all paths you specify have the same casing as the paths stored in the filesystem. Files and directory names should be entered as they appear in Windows Explorer or in a command prompt. This applies to paths specified in the command line, config files, and other locations. * Active Directory authentication is blocked by default. Entitlements, the new security system used by Elasticsearch, has a policy for the `x-pack-core` module that is too restrictive, and does not allow the LDAP library used for AD authentication to perform outbound network connections. This issue will be fixed in a future patch release (see [PR #126992](https://github.com/elastic/elasticsearch/pull/126992)). - As a workaround, you can temporarily patch the policy using a JVM option: - + As a workaround, you can temporarily patch the policy using a JVM option: + 1. Create a file called `${ES_CONF_PATH}/jvm_options/workaround-127061.options`. 2. Add the following line to the new file: - + ``` -Des.entitlements.policy.x-pack-core=dmVyc2lvbnM6CiAgLSA4LjE4LjAKICAtIDkuMC4wCnBvbGljeToKICB1bmJvdW5kaWQubGRhcHNkazoKICAgIC0gc2V0X2h0dHBzX2Nvbm5lY3Rpb25fcHJvcGVydGllcwogICAgLSBvdXRib3VuZF9uZXR3b3Jr ```
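Review bot: In PATCH 1/4, the added Windows bullet says "Windows paths are treated in a case-sensitive way, but the filesystem stores them with case", which contradicts the rest of the paragraph. The problem described only arises because Windows resolves paths case-insensitively while Entitlements compares them case-sensitively, so this should read "case-insensitive". In the same hunk, "as showed in Windows Explorer on in `cmd`" should be "as shown in Windows Explorer or in `cmd`", "a `outbound_network`" should be "an", and a space is missing between the closing backtick of the `-Des.entitlements.policy.x-pack-core=...` value and "to the JVM options".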
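Review bot: PATCH 2/4 deletes the readable policy lines (`unboundid.ldapsdk:` with `set_https_connection_properties` and `outbound_network`) and leaves only the encoded `-Des.entitlements.policy.x-pack-core=` value, so an administrator is asked to paste a security-policy override they cannot read. Please keep the plain policy next to the encoded value and state that the option carries that same policy, so the grant can be audited before it is applied. Also check the file location in the new workaround sentence against the JVM settings page it links to: `${ES_CONF_PATH}/jvm_options/` does not look like the `jvm.options.d` directory under `ES_PATH_CONF` that the page documents. The `127061` in the file name is never explained or linked.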
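Review bot: In PATCH 3/4, the rewritten example sentence "This is because Elasticsearch blocks access to `c:\elk\elasticsearch`, because does not match `C:\ELK\elasticsearch`" is missing its subject and repeats "because". Suggest "Elasticsearch blocks access to `c:\elk\elasticsearch` because it does not match `C:\ELK\elasticsearch`". Number agreement for "Entitlements" is also inconsistent between the two bullets ("treat all paths" in the Windows item, "has a policy" in the Active Directory item), so pick one. The numbered workaround says the policy patch is temporary but has no step telling the reader to delete `workaround-127061.options` after upgrading to the release that contains the fix. Without that step the broader `x-pack-core` policy override stays in place indefinitely.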
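Review bot: In PATCH 4/4, the new "This issue will be fixed in a future patch release" sentence is attached to the example paragraph with a trailing `\` and starts at column 0, while every other paragraph in the bullet is indented. Make it its own indented paragraph, or put it right after the bullet's opening paragraph as the Active Directory item does, so the list renders consistently. The re-added example line still carries "because does not match" from PATCH 3/4 and should be fixed here. The remaining changes in the Active Directory block only add or remove trailing whitespace, and they could be dropped to keep the diff focused.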