Skip to content

Comments

[Entitlements] Fix "No SecurityManager when entitlements are enabled"#119742

Merged
ldematte merged 2 commits intoelastic:mainfrom
ldematte:entitlements/boostrap-disallow-sm-miss
Jan 8, 2025
Merged

[Entitlements] Fix "No SecurityManager when entitlements are enabled"#119742
ldematte merged 2 commits intoelastic:mainfrom
ldematte:entitlements/boostrap-disallow-sm-miss

Conversation

@ldematte
Copy link
Contributor

@ldematte ldematte commented Jan 8, 2025

Missing test still using SM even when disabled, plus revert change to SystemJvmOptions to keep allowing the SM. It seems that Hadoop needs that, as it does check if the SM is allowed via Subject#getSubject. This is a temp fix, as Subject#getSubject is effectively removed from JDK 24 (throws UnsupportedOperationException), but in the meantime allows our tests to run
(in the long run we should update Hadoop after apache/hadoop#7081 has been merged)

@ldematte ldematte changed the title [Entitlements] More no SecurityManager when entitlements are enabled [Entitlements] Fix "No SecurityManager when entitlements are enabled" Jan 8, 2025
@ldematte ldematte added >test Issues or PRs that are addressing/adding tests :Core/Infra/Core Core issues without another label auto-backport Automatically create backport pull requests when merged v8.18.0 labels Jan 8, 2025
@ldematte ldematte marked this pull request as ready for review January 8, 2025 11:06
@ldematte ldematte requested a review from a team as a code owner January 8, 2025 11:06
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Jan 8, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@ldematte ldematte requested review from prdoyle and rjernst January 8, 2025 11:50
Copy link
Contributor

@prdoyle prdoyle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still won't be setting up the SecurityManager thanks to this else if, but assuming that's not necessary, LGTM.

private static Stream<String> maybeAllowSecurityManager(boolean useEntitlements) {
if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) {
if (RuntimeVersionFeature.isSecurityManagerAvailable()) {
// Will become conditional on useEntitlements once entitlements can run without SM
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Heh, a prescient comment here.

Copy link
Contributor Author

@ldematte ldematte Jan 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ehehe! I can remove/reword the comment :)
EDIT: it actually still make sense!

static {
if (RuntimeVersionFeature.isSecurityManagerAvailable()) {
final boolean useEntitlements = Boolean.parseBoolean(System.getProperty("es.entitlements.enabled"));
if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we check for entitlements here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we don't, and run with test-entitlement/ with entitlement enabled, there will be no Security Manager -- will be null and throw an exception.

@ldematte
Copy link
Contributor Author

ldematte commented Jan 8, 2025

We still won't be setting up the SecurityManager thanks to this else if, but assuming that's not necessary

Exactly, we still have no SM effectively, but we need it to be allowed for Subject#getSubject to work (I know, pretty weird)

@ldematte ldematte merged commit 28ce53f into elastic:main Jan 8, 2025
@ldematte ldematte deleted the entitlements/boostrap-disallow-sm-miss branch January 8, 2025 14:17
@elasticsearchmachine
Copy link
Collaborator

💔 Backport failed

Status Branch Result
8.x Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 119742

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

auto-backport Automatically create backport pull requests when merged :Core/Infra/Core Core issues without another label Team:Core/Infra Meta label for core/infra team >test Issues or PRs that are addressing/adding tests v8.18.0 v9.0.0

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants