From f88a004030d57ede9f38acef85229bc59741239c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenzo=20Dematt=C3=A9?= Date: Fri, 8 Nov 2024 16:08:54 +0100 Subject: [PATCH] Remove unused EntitlementInternals (#116473) --- libs/entitlement/README.md | 4 ++++ .../api/ElasticsearchEntitlementChecker.java | 14 ----------- .../internals/EntitlementInternals.java | 24 ------------------- 3 files changed, 4 insertions(+), 38 deletions(-) delete mode 100644 libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/internals/EntitlementInternals.java diff --git a/libs/entitlement/README.md b/libs/entitlement/README.md index 76e4db0505d38..2ab76cf1c2221 100644 --- a/libs/entitlement/README.md +++ b/libs/entitlement/README.md @@ -5,3 +5,7 @@ This module implements mechanisms to grant and check permissions under the _enti The entitlements system provides an alternative to the legacy `SecurityManager` system, which is deprecated for removal. The `entitlement-agent` instruments sensitive class library methods with calls to this module, in order to enforce the controls. +This feature is currently under development, and it is completely disabled by default (the agent is not loaded). To enable it, run Elasticsearch with +```shell +./gradlew run --entitlements +``` diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java index 330205997d21c..6d5dbd4098aa9 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java 
@@ -15,8 +15,6 @@ import java.util.Optional; -import static org.elasticsearch.entitlement.runtime.internals.EntitlementInternals.isActive; - /** * Implementation of the {@link EntitlementChecker} interface, providing additional * API methods for managing the checks. @@ -25,13 +23,6 @@ public class ElasticsearchEntitlementChecker implements EntitlementChecker { private static final Logger logger = LogManager.getLogger(ElasticsearchEntitlementChecker.class); - /** - * Causes entitlements to be enforced. - */ - public void activate() { - isActive = true; - } - @Override public void checkSystemExit(Class callerClass, int status) { var requestingModule = requestingModule(callerClass); @@ -66,10 +57,6 @@ private static Module requestingModule(Class callerClass) { } private static boolean isTriviallyAllowed(Module requestingModule) { - if (isActive == false) { - logger.debug("Trivially allowed: entitlements are inactive"); - return true; - } if (requestingModule == null) { logger.debug("Trivially allowed: Entire call stack is in the boot module layer"); return true; @@ -81,5 +68,4 @@ private static boolean isTriviallyAllowed(Module requestingModule) { logger.trace("Not trivially allowed"); return false; } - } diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/internals/EntitlementInternals.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/internals/EntitlementInternals.java deleted file mode 100644 index ea83caf198b0a..0000000000000 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/internals/EntitlementInternals.java +++ /dev/null 
@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the "Elastic License
- * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
- * Public License v 1"; you may not use this file except in compliance with, at
- * your election, the "Elastic License 2.0", the "GNU Affero General Public
- * License v3.0 only", or the "Server Side Public License, v 1".
- */
-
-package org.elasticsearch.entitlement.runtime.internals;
-
-/**
- * Don't export this from the module. Just don't.
- */
-public class EntitlementInternals {
- /**
- * When false, entitlement rules are not enforced; all operations are allowed.
- */
- public static volatile boolean isActive = false;
-
- public static void reset() {
- isActive = false;
- }
-}