[Entitlements] Uniform server and plugins policy patching (elastic#125011)

ldematte · ldematte · commit c713cdac4874 · 2025-03-18T12:13:44.000+01:00
With elastic#124904 we introduced server policy patching via system properties; now that we have the possibility to merge policies and scopes, it's worth applying the same mechanism to plugin policies too. This PR changes the behaviour of plugin policy overrides; now they are not replacing the policy entirely, but patch it by adding the entitlements and scopes specified in the "patch policy"
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtils.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtils.java
@@ -49,29 +49,34 @@ public record PluginData(Path pluginPath, boolean isModular, boolean isExternalP
 
     private static final String POLICY_FILE_NAME = "entitlement-policy.yaml";
 
-    public static Map<String, Policy> createPluginPolicies(Collection<PluginData> pluginData, Map<String, String> overrides, String version)
-        throws IOException {
+    public static Map<String, Policy> createPluginPolicies(
+        Collection<PluginData> pluginData,
+        Map<String, String> pluginPolicyPatches,
+        String version
+    ) throws IOException {
         Map<String, Policy> pluginPolicies = new HashMap<>(pluginData.size());
         for (var entry : pluginData) {
             Path pluginRoot = entry.pluginPath();
+            Path policyFile = pluginRoot.resolve(POLICY_FILE_NAME);
             String pluginName = pluginRoot.getFileName().toString();
             final Set<String> moduleNames = getModuleNames(pluginRoot, entry.isModular());
 
-            var overriddenPolicy = parseEncodedPolicyIfExists(
-                overrides.get(pluginName),
+            var pluginPolicyPatch = parseEncodedPolicyIfExists(
+                pluginPolicyPatches.get(pluginName),
                 version,
                 entry.isExternalPlugin(),
                 pluginName,
                 moduleNames
             );
-            if (overriddenPolicy != null) {
-                pluginPolicies.put(pluginName, overriddenPolicy);
-            } else {
-                Path policyFile = pluginRoot.resolve(POLICY_FILE_NAME);
-                var policy = parsePolicyIfExists(pluginName, policyFile, entry.isExternalPlugin());
-                validatePolicyScopes(pluginName, policy, moduleNames, policyFile.toString());
-                pluginPolicies.put(pluginName, policy);
-            }
+            var pluginPolicy = parsePolicyIfExists(pluginName, policyFile, entry.isExternalPlugin());
+            validatePolicyScopes(pluginName, pluginPolicy, moduleNames, policyFile.toString());
+
+            pluginPolicies.put(
+                pluginName,
+                pluginPolicyPatch == null
+                    ? pluginPolicy
+                    : new Policy(pluginPolicy.name(), PolicyUtils.mergeScopes(pluginPolicy.scopes(), pluginPolicyPatch.scopes()))
+            );
         }
         return pluginPolicies;
     }
diff --git a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
@@ -81,8 +81,8 @@
  */
 class Elasticsearch {
 
-    private static final String PLUGIN_POLICY_OVERRIDE_PREFIX = "es.entitlements.policy.";
-    private static final String SERVER_POLICY_OVERRIDE = "es.entitlements.server_policy";
+    private static final String POLICY_PATCH_PREFIX = "es.entitlements.policy.";
+    private static final String SERVER_POLICY_PATCH_NAME = POLICY_PATCH_PREFIX + "server";
 
     /**
      * Main entry point for starting elasticsearch.
@@ -241,10 +241,10 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
                     .map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true))
             ).toList();
 
-            var pluginPolicyOverrides = collectPluginPolicyOverrides(modulesBundles, pluginsBundles, logger);
-            var pluginPolicies = PolicyUtils.createPluginPolicies(pluginData, pluginPolicyOverrides, Build.current().version());
+            var pluginPolicyPatches = collectPluginPolicyPatches(modulesBundles, pluginsBundles, logger);
+            var pluginPolicies = PolicyUtils.createPluginPolicies(pluginData, pluginPolicyPatches, Build.current().version());
             var serverPolicyPatch = PolicyUtils.parseEncodedPolicyIfExists(
-                System.getProperty(SERVER_POLICY_OVERRIDE),
+                System.getProperty(SERVER_POLICY_PATCH_NAME),
                 Build.current().version(),
                 false,
                 "server",
@@ -290,33 +290,36 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
         bootstrap.setPluginsLoader(pluginsLoader);
     }
 
-    private static Map<String, String> collectPluginPolicyOverrides(
+    private static Map<String, String> collectPluginPolicyPatches(
         Set<PluginBundle> modulesBundles,
         Set<PluginBundle> pluginsBundles,
         Logger logger
     ) {
-        var policyOverrides = new HashMap<String, String>();
+        var policyPatches = new HashMap<String, String>();
         var systemProperties = BootstrapInfo.getSystemProperties();
         systemProperties.keys().asIterator().forEachRemaining(key -> {
             var value = systemProperties.get(key);
-            if (key instanceof String k && k.startsWith(PLUGIN_POLICY_OVERRIDE_PREFIX) && value instanceof String v) {
-                policyOverrides.put(k.substring(PLUGIN_POLICY_OVERRIDE_PREFIX.length()), v);
+            if (key instanceof String k
+                && value instanceof String v
+                && k.startsWith(POLICY_PATCH_PREFIX)
+                && k.equals(SERVER_POLICY_PATCH_NAME) == false) {
+                policyPatches.put(k.substring(POLICY_PATCH_PREFIX.length()), v);
             }
         });
         var pluginNames = Stream.concat(modulesBundles.stream(), pluginsBundles.stream())
             .map(bundle -> bundle.pluginDescriptor().getName())
             .collect(Collectors.toUnmodifiableSet());
 
-        for (var overriddenPluginName : policyOverrides.keySet()) {
-            if (pluginNames.contains(overriddenPluginName) == false) {
+        for (var patchedPluginName : policyPatches.keySet()) {
+            if (pluginNames.contains(patchedPluginName) == false) {
                 logger.warn(
-                    "Found command-line override for unknown plugin [{}] (available plugins: [{}])",
-                    overriddenPluginName,
+                    "Found command-line policy patch for unknown plugin [{}] (available plugins: [{}])",
+                    patchedPluginName,
                     String.join(", ", pluginNames)
                 );
             }
         }
-        return policyOverrides;
+        return policyPatches;
     }
 
     private static class EntitlementSelfTester {
