Bootstrap entitlements for testing #129268
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
prdoyle
added
>test
prdoyle
force-pushed
the
bootstrap-entitlements-for-testing
branch
4 times, most recently
from
e1166dc to
d331569
Compare
…source. Using getResource makes this sensitive to unrelated classpath entries, such as the entitlement bridge library, that get prepended to the classpath.
Using the root logger makes this sensitive to unrelated logging, such as from the entitlement library.
…titlements. Taking the actual module name from the class doesn't work in tests, where those classes are loaded from the classpath and so their module info is misleading.
prdoyle
force-pushed
the
bootstrap-entitlements-for-testing
branch
2 times, most recently
from
7bcefba to
ba15751
Compare
|
@prdoyle I pushed a fix to rename the entitlementBridge in some missed places |
|
🎉 tests are finally passing! @breskeby any further comments from your side? Is this good to be merged given we'll be following up supporting this for serverless? |
|
@mosche - if we're backporting to 9.0, should we also backport to 8.18? Edit - I'll add 8.18 and see what happens when the backport automation runs. |
breskeby
reviewed
Jul 2, 2025
...t/groovy/org/elasticsearch/gradle/internal/test/rest/LegacyYamlRestTestPluginFuncTest.groovy
Outdated
Show resolved
Hide resolved
|
@breskeby - I've pushed a fix to address your comment. Anything else standing in the way of approving? |
breskeby
approved these changes
Jul 2, 2025
prdoyle
added a commit
to prdoyle/elasticsearch
that referenced
this pull request
Jul 2, 2025
* Fix ExceptionSerializationTests to use getCodeSource instead of getResource.
Using getResource makes this sensitive to unrelated classpath entries,
such as the entitlement bridge library, that get prepended to the classpath.
* FIx logging tests to use org.elasticsearch.index instead of root logger.
Using the root logger makes this sensitive to unrelated
logging, such as from the entitlement library.
* Fix entitlement error message by stashing the module name in ModuleEntitlements.
Taking the actual module name from the class doesn't work in tests,
where those classes are loaded from the classpath and so their module
info is misleading.
* Ignore server locations whose representative class isn't loaded
* Partial initial implementation
* System properties: testOnlyClasspath and enableForTests
* Trivially allow some packages
* DEBUG: use TreeMap in TestScopeResolver for readability
* Special case bouncycastle for security plugin
* Add CONFIG to TestPathLookup
* Add the classpath to the source path list for every plugin
* Add @WithoutEntitlements to tests that run ES nodes
* Set es.entitlement.enableForTests for all libs
* Use @WithoutEntitlements on ingest plugin tests
* Substitute ALL-UNNAMED for module name in non-modular plugins
* Add missing entitlements found by unit tests
* Comment in TestScopeResolver
* Properly compute bridge jar location for patch-module
* Call out nonServerLibs
* Don't build two TestPathLookups
* More comments for meta-tests
* Remove redundant dependencies for bridgeJarConfig.
These are alread set in ElasticsearchJavaBasePlugin.
* Add bridge+agent dependencies only if those exist.
For serverless, those project dependencies don't exist, and we'll need
to add the dependencies differently, using Maven coordinates.
* [CI] Auto commit changes from spotless
* Pass testOnlyPath in environment instead of command line.
It's typically a very very long string, which made Windows angry.
* [CI] Auto commit changes from spotless
* Split testOnlyPathString at File.pathSeparator
* Use doFirst to delay setting testOnlyPath env var
* Trivially allow jimfs (??)
* Don't enforce entitlements on internalClusterTest for now
* Replace forbidden APIs
* Match testOnlyClasspath using URI instead of String.
We already get the "needle" in the form of a URI, so this skips
a step, and has the benefit of also working on Windows.
* [CI] Auto commit changes from spotless
* More forbidden APIs
* Disable configuration cache for LegacyYamlRestTestPluginFuncTest
* Strip carriage-return characters in expected output for ReleaseNotesGeneratorTest.
The template generator also strips these, so we need to do so to make this pass
on Windows.
Note that we use replace("\r", "") where the template generator uses
replace("\\r", ""). The latter didn't work for me when I tried it on Windows,
for reasons I'm not aware of.
* Move configureEntitlements to ElasticsearchTestBasePlugin as-is
* Use matching instead of if
* Remove requireNonNull
* Remove default configuration
* Set inputs instead of dependencies
* Use test.systemProperty
* Respond to PR comments
* Disable entitlement enforcement for ScopedSettingsTests.
This test works by altering the logging on the root logger.
With entitlements enabled, that will cause additional log statements to appear,
which interferes with the test.
* Address PR comments
* Moritz's configureJavaBaseModuleOptions
* Allow for entitlements not yet enforced in serverless
* fix entitlementBridge config after rename
* drop empty file collections
* Remove workaround in LegacyYamlRestTestPluginFuncTest
---------
Co-authored-by: elasticsearchmachine <[email protected]>
Co-authored-by: Lorenzo Dematté <[email protected]>
Co-authored-by: Moritz Mack <[email protected]>
💔 Backport failed
You can use sqren/backport to manually backport by running |
prdoyle
added a commit
to prdoyle/elasticsearch
that referenced
this pull request
Jul 2, 2025
* Fix ExceptionSerializationTests to use getCodeSource instead of getResource.
Using getResource makes this sensitive to unrelated classpath entries,
such as the entitlement bridge library, that get prepended to the classpath.
* FIx logging tests to use org.elasticsearch.index instead of root logger.
Using the root logger makes this sensitive to unrelated
logging, such as from the entitlement library.
* Fix entitlement error message by stashing the module name in ModuleEntitlements.
Taking the actual module name from the class doesn't work in tests,
where those classes are loaded from the classpath and so their module
info is misleading.
* Ignore server locations whose representative class isn't loaded
* Partial initial implementation
* System properties: testOnlyClasspath and enableForTests
* Trivially allow some packages
* DEBUG: use TreeMap in TestScopeResolver for readability
* Special case bouncycastle for security plugin
* Add CONFIG to TestPathLookup
* Add the classpath to the source path list for every plugin
* Add @WithoutEntitlements to tests that run ES nodes
* Set es.entitlement.enableForTests for all libs
* Use @WithoutEntitlements on ingest plugin tests
* Substitute ALL-UNNAMED for module name in non-modular plugins
* Add missing entitlements found by unit tests
* Comment in TestScopeResolver
* Properly compute bridge jar location for patch-module
* Call out nonServerLibs
* Don't build two TestPathLookups
* More comments for meta-tests
* Remove redundant dependencies for bridgeJarConfig.
These are alread set in ElasticsearchJavaBasePlugin.
* Add bridge+agent dependencies only if those exist.
For serverless, those project dependencies don't exist, and we'll need
to add the dependencies differently, using Maven coordinates.
* [CI] Auto commit changes from spotless
* Pass testOnlyPath in environment instead of command line.
It's typically a very very long string, which made Windows angry.
* [CI] Auto commit changes from spotless
* Split testOnlyPathString at File.pathSeparator
* Use doFirst to delay setting testOnlyPath env var
* Trivially allow jimfs (??)
* Don't enforce entitlements on internalClusterTest for now
* Replace forbidden APIs
* Match testOnlyClasspath using URI instead of String.
We already get the "needle" in the form of a URI, so this skips
a step, and has the benefit of also working on Windows.
* [CI] Auto commit changes from spotless
* More forbidden APIs
* Disable configuration cache for LegacyYamlRestTestPluginFuncTest
* Strip carriage-return characters in expected output for ReleaseNotesGeneratorTest.
The template generator also strips these, so we need to do so to make this pass
on Windows.
Note that we use replace("\r", "") where the template generator uses
replace("\\r", ""). The latter didn't work for me when I tried it on Windows,
for reasons I'm not aware of.
* Move configureEntitlements to ElasticsearchTestBasePlugin as-is
* Use matching instead of if
* Remove requireNonNull
* Remove default configuration
* Set inputs instead of dependencies
* Use test.systemProperty
* Respond to PR comments
* Disable entitlement enforcement for ScopedSettingsTests.
This test works by altering the logging on the root logger.
With entitlements enabled, that will cause additional log statements to appear,
which interferes with the test.
* Address PR comments
* Moritz's configureJavaBaseModuleOptions
* Allow for entitlements not yet enforced in serverless
* fix entitlementBridge config after rename
* drop empty file collections
* Remove workaround in LegacyYamlRestTestPluginFuncTest
---------
Co-authored-by: elasticsearchmachine <[email protected]>
Co-authored-by: Lorenzo Dematté <[email protected]>
Co-authored-by: Moritz Mack <[email protected]>
elasticsearchmachine
added a commit
that referenced
this pull request
Jul 2, 2025
* Fix ExceptionSerializationTests to use getCodeSource instead of getResource.
Using getResource makes this sensitive to unrelated classpath entries,
such as the entitlement bridge library, that get prepended to the classpath.
* FIx logging tests to use org.elasticsearch.index instead of root logger.
Using the root logger makes this sensitive to unrelated
logging, such as from the entitlement library.
* Fix entitlement error message by stashing the module name in ModuleEntitlements.
Taking the actual module name from the class doesn't work in tests,
where those classes are loaded from the classpath and so their module
info is misleading.
* Ignore server locations whose representative class isn't loaded
* Partial initial implementation
* System properties: testOnlyClasspath and enableForTests
* Trivially allow some packages
* DEBUG: use TreeMap in TestScopeResolver for readability
* Special case bouncycastle for security plugin
* Add CONFIG to TestPathLookup
* Add the classpath to the source path list for every plugin
* Add @WithoutEntitlements to tests that run ES nodes
* Set es.entitlement.enableForTests for all libs
* Use @WithoutEntitlements on ingest plugin tests
* Substitute ALL-UNNAMED for module name in non-modular plugins
* Add missing entitlements found by unit tests
* Comment in TestScopeResolver
* Properly compute bridge jar location for patch-module
* Call out nonServerLibs
* Don't build two TestPathLookups
* More comments for meta-tests
* Remove redundant dependencies for bridgeJarConfig.
These are alread set in ElasticsearchJavaBasePlugin.
* Add bridge+agent dependencies only if those exist.
For serverless, those project dependencies don't exist, and we'll need
to add the dependencies differently, using Maven coordinates.
* [CI] Auto commit changes from spotless
* Pass testOnlyPath in environment instead of command line.
It's typically a very very long string, which made Windows angry.
* [CI] Auto commit changes from spotless
* Split testOnlyPathString at File.pathSeparator
* Use doFirst to delay setting testOnlyPath env var
* Trivially allow jimfs (??)
* Don't enforce entitlements on internalClusterTest for now
* Replace forbidden APIs
* Match testOnlyClasspath using URI instead of String.
We already get the "needle" in the form of a URI, so this skips
a step, and has the benefit of also working on Windows.
* [CI] Auto commit changes from spotless
* More forbidden APIs
* Disable configuration cache for LegacyYamlRestTestPluginFuncTest
* Strip carriage-return characters in expected output for ReleaseNotesGeneratorTest.
The template generator also strips these, so we need to do so to make this pass
on Windows.
Note that we use replace("\r", "") where the template generator uses
replace("\\r", ""). The latter didn't work for me when I tried it on Windows,
for reasons I'm not aware of.
* Move configureEntitlements to ElasticsearchTestBasePlugin as-is
* Use matching instead of if
* Remove requireNonNull
* Remove default configuration
* Set inputs instead of dependencies
* Use test.systemProperty
* Respond to PR comments
* Disable entitlement enforcement for ScopedSettingsTests.
This test works by altering the logging on the root logger.
With entitlements enabled, that will cause additional log statements to appear,
which interferes with the test.
* Address PR comments
* Moritz's configureJavaBaseModuleOptions
* Allow for entitlements not yet enforced in serverless
* fix entitlementBridge config after rename
* drop empty file collections
* Remove workaround in LegacyYamlRestTestPluginFuncTest
---------
Co-authored-by: elasticsearchmachine <[email protected]>
Co-authored-by: Lorenzo Dematté <[email protected]>
Co-authored-by: Moritz Mack <[email protected]>
elasticsearchmachine
added a commit
that referenced
this pull request
Jul 2, 2025
* Fix ExceptionSerializationTests to use getCodeSource instead of getResource.
Using getResource makes this sensitive to unrelated classpath entries,
such as the entitlement bridge library, that get prepended to the classpath.
* FIx logging tests to use org.elasticsearch.index instead of root logger.
Using the root logger makes this sensitive to unrelated
logging, such as from the entitlement library.
* Fix entitlement error message by stashing the module name in ModuleEntitlements.
Taking the actual module name from the class doesn't work in tests,
where those classes are loaded from the classpath and so their module
info is misleading.
* Ignore server locations whose representative class isn't loaded
* Partial initial implementation
* System properties: testOnlyClasspath and enableForTests
* Trivially allow some packages
* DEBUG: use TreeMap in TestScopeResolver for readability
* Special case bouncycastle for security plugin
* Add CONFIG to TestPathLookup
* Add the classpath to the source path list for every plugin
* Add @WithoutEntitlements to tests that run ES nodes
* Set es.entitlement.enableForTests for all libs
* Use @WithoutEntitlements on ingest plugin tests
* Substitute ALL-UNNAMED for module name in non-modular plugins
* Add missing entitlements found by unit tests
* Comment in TestScopeResolver
* Properly compute bridge jar location for patch-module
* Call out nonServerLibs
* Don't build two TestPathLookups
* More comments for meta-tests
* Remove redundant dependencies for bridgeJarConfig.
These are alread set in ElasticsearchJavaBasePlugin.
* Add bridge+agent dependencies only if those exist.
For serverless, those project dependencies don't exist, and we'll need
to add the dependencies differently, using Maven coordinates.
* [CI] Auto commit changes from spotless
* Pass testOnlyPath in environment instead of command line.
It's typically a very very long string, which made Windows angry.
* [CI] Auto commit changes from spotless
* Split testOnlyPathString at File.pathSeparator
* Use doFirst to delay setting testOnlyPath env var
* Trivially allow jimfs (??)
* Don't enforce entitlements on internalClusterTest for now
* Replace forbidden APIs
* Match testOnlyClasspath using URI instead of String.
We already get the "needle" in the form of a URI, so this skips
a step, and has the benefit of also working on Windows.
* [CI] Auto commit changes from spotless
* More forbidden APIs
* Disable configuration cache for LegacyYamlRestTestPluginFuncTest
* Strip carriage-return characters in expected output for ReleaseNotesGeneratorTest.
The template generator also strips these, so we need to do so to make this pass
on Windows.
Note that we use replace("\r", "") where the template generator uses
replace("\\r", ""). The latter didn't work for me when I tried it on Windows,
for reasons I'm not aware of.
* Move configureEntitlements to ElasticsearchTestBasePlugin as-is
* Use matching instead of if
* Remove requireNonNull
* Remove default configuration
* Set inputs instead of dependencies
* Use test.systemProperty
* Respond to PR comments
* Disable entitlement enforcement for ScopedSettingsTests.
This test works by altering the logging on the root logger.
With entitlements enabled, that will cause additional log statements to appear,
which interferes with the test.
* Address PR comments
* Moritz's configureJavaBaseModuleOptions
* Allow for entitlements not yet enforced in serverless
* fix entitlementBridge config after rename
* drop empty file collections
* Remove workaround in LegacyYamlRestTestPluginFuncTest
---------
Co-authored-by: elasticsearchmachine <[email protected]>
Co-authored-by: Lorenzo Dematté <[email protected]>
Co-authored-by: Moritz Mack <[email protected]>
mridula-s109
pushed a commit
to mridula-s109/elasticsearch
that referenced
this pull request
Jul 3, 2025
* Fix ExceptionSerializationTests to use getCodeSource instead of getResource.
Using getResource makes this sensitive to unrelated classpath entries,
such as the entitlement bridge library, that get prepended to the classpath.
* FIx logging tests to use org.elasticsearch.index instead of root logger.
Using the root logger makes this sensitive to unrelated
logging, such as from the entitlement library.
* Fix entitlement error message by stashing the module name in ModuleEntitlements.
Taking the actual module name from the class doesn't work in tests,
where those classes are loaded from the classpath and so their module
info is misleading.
* Ignore server locations whose representative class isn't loaded
* Partial initial implementation
* System properties: testOnlyClasspath and enableForTests
* Trivially allow some packages
* DEBUG: use TreeMap in TestScopeResolver for readability
* Special case bouncycastle for security plugin
* Add CONFIG to TestPathLookup
* Add the classpath to the source path list for every plugin
* Add @WithoutEntitlements to tests that run ES nodes
* Set es.entitlement.enableForTests for all libs
* Use @WithoutEntitlements on ingest plugin tests
* Substitute ALL-UNNAMED for module name in non-modular plugins
* Add missing entitlements found by unit tests
* Comment in TestScopeResolver
* Properly compute bridge jar location for patch-module
* Call out nonServerLibs
* Don't build two TestPathLookups
* More comments for meta-tests
* Remove redundant dependencies for bridgeJarConfig.
These are alread set in ElasticsearchJavaBasePlugin.
* Add bridge+agent dependencies only if those exist.
For serverless, those project dependencies don't exist, and we'll need
to add the dependencies differently, using Maven coordinates.
* [CI] Auto commit changes from spotless
* Pass testOnlyPath in environment instead of command line.
It's typically a very very long string, which made Windows angry.
* [CI] Auto commit changes from spotless
* Split testOnlyPathString at File.pathSeparator
* Use doFirst to delay setting testOnlyPath env var
* Trivially allow jimfs (??)
* Don't enforce entitlements on internalClusterTest for now
* Replace forbidden APIs
* Match testOnlyClasspath using URI instead of String.
We already get the "needle" in the form of a URI, so this skips
a step, and has the benefit of also working on Windows.
* [CI] Auto commit changes from spotless
* More forbidden APIs
* Disable configuration cache for LegacyYamlRestTestPluginFuncTest
* Strip carriage-return characters in expected output for ReleaseNotesGeneratorTest.
The template generator also strips these, so we need to do so to make this pass
on Windows.
Note that we use replace("\r", "") where the template generator uses
replace("\\r", ""). The latter didn't work for me when I tried it on Windows,
for reasons I'm not aware of.
* Move configureEntitlements to ElasticsearchTestBasePlugin as-is
* Use matching instead of if
* Remove requireNonNull
* Remove default configuration
* Set inputs instead of dependencies
* Use test.systemProperty
* Respond to PR comments
* Disable entitlement enforcement for ScopedSettingsTests.
This test works by altering the logging on the root logger.
With entitlements enabled, that will cause additional log statements to appear,
which interferes with the test.
* Address PR comments
* Moritz's configureJavaBaseModuleOptions
* Allow for entitlements not yet enforced in serverless
* fix entitlementBridge config after rename
* drop empty file collections
* Remove workaround in LegacyYamlRestTestPluginFuncTest
---------
Co-authored-by: elasticsearchmachine <[email protected]>
Co-authored-by: Lorenzo Dematté <[email protected]>
Co-authored-by: Moritz Mack <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add entitlement enforcement during ordinary unit tests.
This does not yet cover tests that run ES nodes; only ordinary unit tests.
See ES-11597.