Remove entitlements flag from startup (elastic#127652) (elastic#128869)

* Remove entitlements flag from startup (elastic#127652)

Entitlements are now always enabled, so we no longer need a flag. This
commit also removes the now defunct bootstrap check that ensured
AllPermission was never granted in the SM policy.

* [CI] Auto commit changes from spotless

---------

Co-authored-by: elasticsearchmachine <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>

Author: 3 people

server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java

@@ -33,7 +33,6 @@ class Bootstrap {
 
     // arguments from the CLI process
     private final ServerArgs args;
-    private final boolean useEntitlements;
 
     // controller for spawning component subprocesses
     private final Spawner spawner = new Spawner();
@@ -47,11 +46,10 @@ class Bootstrap {
     // loads information about plugins required for entitlements in phase 2, used by plugins service in phase 3
     private final SetOnce<PluginsLoader> pluginsLoader = new SetOnce<>();
 
-    Bootstrap(PrintStream out, PrintStream err, ServerArgs args, boolean useEntitlements) {
+    Bootstrap(PrintStream out, PrintStream err, ServerArgs args) {
         this.out = out;
         this.err = err;
         this.args = args;
-        this.useEntitlements = useEntitlements;
     }
 
     ServerArgs args() {
@@ -62,10 +60,6 @@ Spawner spawner() {
         return spawner;
     }
 
-    public boolean useEntitlements() {
-        return useEntitlements;
-    }
-
     void setSecureSettings(SecureSettings secureSettings) {
         this.secureSettings.set(secureSettings);
     }

server/src/main/java/org/elasticsearch/bootstrap/BootstrapChecks.java

@@ -22,7 +22,6 @@
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.discovery.DiscoveryModule;
 import org.elasticsearch.index.IndexModule;
-import org.elasticsearch.jdk.RuntimeVersionFeature;
 import org.elasticsearch.monitor.jvm.JvmInfo;
 import org.elasticsearch.monitor.process.ProcessProbe;
 import org.elasticsearch.nativeaccess.NativeAccess;
@@ -34,7 +33,6 @@
 import java.nio.ByteOrder;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.AllPermission;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -723,36 +721,6 @@ public ReferenceDocs referenceDocs() {
 
     }
 
-    static class AllPermissionCheck implements BootstrapCheck {
-
-        @Override
-        public final BootstrapCheckResult check(BootstrapContext context) {
-            if (isAllPermissionGranted()) {
-                return BootstrapCheck.BootstrapCheckResult.failure("granting the all permission effectively disables security");
-            }
-            return BootstrapCheckResult.success();
-        }
-
-        boolean isAllPermissionGranted() {
-            if (RuntimeVersionFeature.isSecurityManagerAvailable() == false) {
-                return false;
-            }
-            final SecurityManager sm = System.getSecurityManager();
-            assert sm != null;
-            try {
-                sm.checkPermission(new AllPermission());
-            } catch (final SecurityException e) {
-                return false;
-            }
-            return true;
-        }
-
-        @Override
-        public ReferenceDocs referenceDocs() {
-            return ReferenceDocs.BOOTSTRAP_CHECK_ALL_PERMISSION;
-        }
-    }
-
     static class DiscoveryConfiguredCheck implements BootstrapCheck {
         @Override
         public BootstrapCheckResult check(BootstrapContext context) {

server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java

@@ -58,7 +58,6 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.Security;
-import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -122,7 +121,6 @@ private static Bootstrap initPhase1() {
         final PrintStream err = getStderr();
         final ServerArgs args;
 
-        final boolean useEntitlements = true;
         try {
             initSecurityProperties();
             LogConfigurator.registerErrorListener();
@@ -150,7 +148,7 @@ private static Bootstrap initPhase1() {
             return null; // unreachable, to satisfy compiler
         }
 
-        return new Bootstrap(out, err, args, useEntitlements);
+        return new Bootstrap(out, err, args);
     }
 
     /**
@@ -358,11 +356,7 @@ protected void validateNodeBeforeAcceptingRequests(
                 final BoundTransportAddress boundTransportAddress,
                 List<BootstrapCheck> checks
             ) throws NodeValidationException {
-                var additionalChecks = new ArrayList<>(checks);
-                if (bootstrap.useEntitlements() == false) {
-                    additionalChecks.add(new BootstrapChecks.AllPermissionCheck());
-                }
-                BootstrapChecks.check(context, boundTransportAddress, additionalChecks);
+                BootstrapChecks.check(context, boundTransportAddress, checks);
             }
         };
         INSTANCE = new Elasticsearch(bootstrap.spawner(), node);

server/src/test/java/org/elasticsearch/bootstrap/BootstrapChecksTests.java

@@ -688,28 +688,6 @@ String javaVersion() {
 
     }
 
-    public void testAllPermissionCheck() throws NodeValidationException {
-        final AtomicBoolean isAllPermissionGranted = new AtomicBoolean(true);
-        final BootstrapChecks.AllPermissionCheck allPermissionCheck = new BootstrapChecks.AllPermissionCheck() {
-            @Override
-            boolean isAllPermissionGranted() {
-                return isAllPermissionGranted.get();
-            }
-        };
-
-        final List<BootstrapCheck> checks = Collections.singletonList(allPermissionCheck);
-        final NodeValidationException e = expectThrows(
-            NodeValidationException.class,
-            () -> BootstrapChecks.check(emptyContext, true, checks)
-        );
-        assertThat(e, hasToString(containsString("granting the all permission effectively disables security")));
-        assertThat(e.getMessage(), containsString("; for more information see [https://www.elastic.co/guide/en/elasticsearch/reference/"));
-
-        // if all permissions are not granted, nothing should happen
-        isAllPermissionGranted.set(false);
-        BootstrapChecks.check(emptyContext, true, checks);
-    }
-
     public void testAlwaysEnforcedChecks() {
         final BootstrapCheck check = new BootstrapCheck() {
             @Override