Remove old entitlements legacy code (#131224)

2025-07-15 08:03:09 +02:00 · 2025-07-15 08:03:09 +02:00 · 4e81b75e2a
parent 30d3877719
commit 4e81b75e2a
8 changed files with 1 additions and 58 deletions
--- a/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java
+++ b/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java
@ -303,7 +303,6 @@ public abstract class RunTask extends DefaultTestClustersTask {
        if (cliDebug) {
            enableCliDebug();
        }
-        enableEntitlements();
    }

    @TaskAction
--- a/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/TestClustersAware.java
+++ b/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/TestClustersAware.java
@ -88,12 +88,4 @@ public interface TestClustersAware extends Task {
            }
        }
    }
-
-    default void enableEntitlements() {
-        for (ElasticsearchCluster cluster : getClusters()) {
-            for (ElasticsearchNode node : cluster.getNodes()) {
-                node.cliJvmArgs("-Des.entitlements.enabled=true");
-            }
-        }
-    }
 }
--- a/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java
+++ b/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java
@ -11,7 +11,6 @@ package org.elasticsearch.server.cli;

 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
-import org.elasticsearch.jdk.RuntimeVersionFeature;

 import java.io.IOException;
 import java.nio.file.Files;
@ -85,7 +84,6 @@ final class SystemJvmOptions {
            maybeSetActiveProcessorCount(nodeSettings),
            maybeSetReplayFile(distroType, isHotspot),
            maybeWorkaroundG1Bug(),
-            maybeAllowSecurityManager(useEntitlements),
            maybeAttachEntitlementAgent(esHome, useEntitlements)
        ).flatMap(s -> s).toList();
    }
@ -160,14 +158,6 @@ final class SystemJvmOptions {
        return Stream.of();
    }

-    private static Stream<String> maybeAllowSecurityManager(boolean useEntitlements) {
-        if (RuntimeVersionFeature.isSecurityManagerAvailable()) {
-            // Will become conditional on useEntitlements once entitlements can run without SM
-            return Stream.of("-Djava.security.manager=allow");
-        }
-        return Stream.of();
-    }
-
    private static Stream<String> maybeAttachEntitlementAgent(Path esHome, boolean useEntitlements) {
        if (useEntitlements == false) {
            return Stream.empty();
@ -191,7 +181,6 @@ final class SystemJvmOptions {
        // into java.base, we must export the bridge from java.base to these modules, as a comma-separated list
        String modulesContainingEntitlementInstrumentation = "java.logging,java.net.http,java.naming,jdk.net";
        return Stream.of(
-            "-Des.entitlements.enabled=true",
            "-XX:+EnableDynamicAgentLoading",
            "-Djdk.attach.allowAttachSelf=true",
            "--patch-module=java.base=" + bridgeJar,
--- a/libs/core/src/main/java/org/elasticsearch/jdk/RuntimeVersionFeature.java
+++ b/libs/core/src/main/java/org/elasticsearch/jdk/RuntimeVersionFeature.java
@ -1,18 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the "Elastic License
- * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
- * Public License v 1"; you may not use this file except in compliance with, at
- * your election, the "Elastic License 2.0", the "GNU Affero General Public
- * License v3.0 only", or the "Server Side Public License, v 1".
- */
-
-package org.elasticsearch.jdk;
-
-public class RuntimeVersionFeature {
-    private RuntimeVersionFeature() {}
-
-    public static boolean isSecurityManagerAvailable() {
-        return Runtime.version().feature() < 24;
-    }
-}
--- a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java
+++ b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java
@ -83,7 +83,6 @@ class EntitlementsTestRule implements TestRule {
        cluster = ElasticsearchCluster.local()
            .module("entitled", spec -> buildEntitlements(spec, "org.elasticsearch.entitlement.qa.entitled", ENTITLED_POLICY))
            .module(ENTITLEMENT_TEST_PLUGIN_NAME, spec -> setupEntitlements(spec, modular, policyBuilder))
-            .systemProperty("es.entitlements.enabled", "true")
            .systemProperty("es.entitlements.verify_bytecode", "true")
            .systemProperty("es.entitlements.testdir", () -> testDir.getRoot().getAbsolutePath())
            .systemProperties(spec -> tempDirSystemPropertyProvider.get(testDir.getRoot().toPath()))
--- a/modules/apm/src/javaRestTest/java/org/elasticsearch/telemetry/apm/ApmAgentSettingsIT.java
+++ b/modules/apm/src/javaRestTest/java/org/elasticsearch/telemetry/apm/ApmAgentSettingsIT.java
@ -18,10 +18,7 @@ import org.junit.ClassRule;
 public class ApmAgentSettingsIT extends ESRestTestCase {

    @ClassRule
-    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
-        .module("apm")
-        .systemProperty("es.entitlements.enabled", "true")
-        .build();
+    public static ElasticsearchCluster cluster = ElasticsearchCluster.local().module("apm").build();

    @Override
    protected String getTestRestCluster() {
--- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/ssl/SslEntitlementRestIT.java
+++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/ssl/SslEntitlementRestIT.java
@ -32,7 +32,6 @@ public class SslEntitlementRestIT extends ESRestTestCase {
    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
        .apply(SecurityOnTrialLicenseRestTestCase.commonTrialSecurityClusterConfig)
        .settings(settingsProvider)
-        .systemProperty("es.entitlements.enabled", "true")
        .build();

    @Override
--- a/x-pack/qa/security-example-spi-extension/src/main/java/org/elasticsearch/example/ExampleSecurityExtension.java
+++ b/x-pack/qa/security-example-spi-extension/src/main/java/org/elasticsearch/example/ExampleSecurityExtension.java
@ -11,14 +11,11 @@ import org.elasticsearch.example.realm.CustomAuthenticationFailureHandler;
 import org.elasticsearch.example.realm.CustomRealm;
 import org.elasticsearch.example.realm.CustomRoleMappingRealm;
 import org.elasticsearch.example.role.CustomInMemoryRolesProvider;
-import org.elasticsearch.jdk.RuntimeVersionFeature;
 import org.elasticsearch.xpack.core.security.SecurityExtension;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
 import org.elasticsearch.xpack.core.security.authc.Realm;
 import org.elasticsearch.xpack.core.security.authz.store.RoleRetrievalResult;

-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@ -35,17 +32,6 @@ import static org.elasticsearch.example.role.CustomInMemoryRolesProvider.ROLE_B;
 */
 public class ExampleSecurityExtension implements SecurityExtension {

-    static {
-        final boolean useEntitlements = true;
-        if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) {
-            // check that the extension's policy works.
-            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
-                System.getSecurityManager().checkPropertyAccess("myproperty");
-                return null;
-            });
-        }
-    }
-
    @Override
    public String extensionName() {
        return "example";