Skip to content

Remove Security manager bootstrap #127590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
May 1, 2025
Merged

Remove Security manager bootstrap #127590

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5e431e2
Remove Security manager bootstrap
rjernst Apr 30, 2025
81c81f1
[CI] Auto commit changes from spotless
elasticsearchmachine Apr 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Remove Security manager bootstrap 
Furthing cleanup of the now unused security manager, this commit removes
the bootstrap Security class that setup SecurityManager.
  • Loading branch information
@rjernst
rjernst committed Apr 30, 2025
commit 5e431e2160bd40f88bfb9fb206cb685890de1db2
245 changes: 0 additions & 245 deletions qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/EvilSecurityTests.java
View file
Open in desktop

This file was deleted.

109 changes: 41 additions & 68 deletions server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,20 +134,6 @@ private static Bootstrap initPhase1() {
final boolean useEntitlements = true;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell this is initialized to true and then never modified. Can we get rid of this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I plan to do that in a followup, there are some other things using it.

try {
initSecurityProperties();

/*
* We want the JVM to think there is a security manager installed so that if internal policy decisions that would be based on
* the presence of a security manager or lack thereof act as if there is a security manager present (e.g., DNS cache policy).
* This forces such policies to take effect immediately.
*/
if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) {
org.elasticsearch.bootstrap.Security.setSecurityManager(new SecurityManager() {
@Override
public void checkPermission(Permission perm) {
// grant all permissions so that we can later set the security manager to the one that we want
}
});
}
LogConfigurator.registerErrorListener();

BootstrapInfo.init();
Expand Down Expand Up @@ -245,61 +231,48 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {

final PluginsLoader pluginsLoader;

if (bootstrap.useEntitlements()) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also have a useEntitlements() check in initPhase3(), can that be removed as well? In fact, can we remove Bootstrap.useEntitlements() entirely now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I'll remove that in a followup as well.

LogManager.getLogger(Elasticsearch.class).info("Bootstrapping Entitlements");

var pluginData = Stream.concat(
modulesBundles.stream()
.map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), false)),
pluginsBundles.stream()
.map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true))
).toList();

var pluginPolicyPatches = collectPluginPolicyPatches(modulesBundles, pluginsBundles, logger);
var pluginPolicies = PolicyUtils.createPluginPolicies(pluginData, pluginPolicyPatches, Build.current().version());
var serverPolicyPatch = PolicyUtils.parseEncodedPolicyIfExists(
System.getProperty(SERVER_POLICY_PATCH_NAME),
Build.current().version(),
false,
"server",
PolicyManager.SERVER_LAYER_MODULES.stream().map(Module::getName).collect(Collectors.toUnmodifiableSet())
);
LogManager.getLogger(Elasticsearch.class).info("Bootstrapping Entitlements");

var pluginData = Stream.concat(
modulesBundles.stream()
.map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), false)),
pluginsBundles.stream()
.map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true))
).toList();

var pluginPolicyPatches = collectPluginPolicyPatches(modulesBundles, pluginsBundles, logger);
var pluginPolicies = PolicyUtils.createPluginPolicies(pluginData, pluginPolicyPatches, Build.current().version());
var serverPolicyPatch = PolicyUtils.parseEncodedPolicyIfExists(
System.getProperty(SERVER_POLICY_PATCH_NAME),
Build.current().version(),
false,
"server",
PolicyManager.SERVER_LAYER_MODULES.stream().map(Module::getName).collect(Collectors.toUnmodifiableSet())
);

pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, findPluginsWithNativeAccess(pluginPolicies));

var scopeResolver = ScopeResolver.create(pluginsLoader.pluginLayers(), APM_AGENT_PACKAGE_NAME);
Map<String, Path> sourcePaths = Stream.concat(modulesBundles.stream(), pluginsBundles.stream())
.collect(Collectors.toUnmodifiableMap(bundle -> bundle.pluginDescriptor().getName(), PluginBundle::getDir));
EntitlementBootstrap.bootstrap(
serverPolicyPatch,
pluginPolicies,
scopeResolver::resolveClassToScope,
nodeEnv.settings()::getValues,
nodeEnv.dataDirs(),
nodeEnv.repoDirs(),
nodeEnv.configDir(),
nodeEnv.libDir(),
nodeEnv.modulesDir(),
nodeEnv.pluginsDir(),
sourcePaths,
nodeEnv.logsDir(),
nodeEnv.tmpDir(),
args.pidFile(),
Set.of(EntitlementSelfTester.class)
);
EntitlementSelfTester.entitlementSelfTest();
} else {
assert RuntimeVersionFeature.isSecurityManagerAvailable();
// no need to explicitly enable native access for legacy code
pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, Map.of());
// install SM after natives, shutdown hooks, etc.
LogManager.getLogger(Elasticsearch.class).info("Bootstrapping java SecurityManager");
org.elasticsearch.bootstrap.Security.configure(
nodeEnv,
SECURITY_FILTER_BAD_DEFAULTS_SETTING.get(args.nodeSettings()),
args.pidFile()
);
}
pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, findPluginsWithNativeAccess(pluginPolicies));

var scopeResolver = ScopeResolver.create(pluginsLoader.pluginLayers(), APM_AGENT_PACKAGE_NAME);
Map<String, Path> sourcePaths = Stream.concat(modulesBundles.stream(), pluginsBundles.stream())
.collect(Collectors.toUnmodifiableMap(bundle -> bundle.pluginDescriptor().getName(), PluginBundle::getDir));
EntitlementBootstrap.bootstrap(
serverPolicyPatch,
pluginPolicies,
scopeResolver::resolveClassToScope,
nodeEnv.settings()::getValues,
nodeEnv.dataDirs(),
nodeEnv.repoDirs(),
nodeEnv.configDir(),
nodeEnv.libDir(),
nodeEnv.modulesDir(),
nodeEnv.pluginsDir(),
sourcePaths,
nodeEnv.logsDir(),
nodeEnv.tmpDir(),
args.pidFile(),
Set.of(EntitlementSelfTester.class)
);
EntitlementSelfTester.entitlementSelfTest();

bootstrap.setPluginsLoader(pluginsLoader);
}
Expand Down
Loading