Fix entitlements in internalClusterTest#131539
Merged
mosche merged 25 commits intoelastic:mainfrom Jul 29, 2025
Merged
Conversation
* Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). * The shared data dir is granted as additional data base directory. * Due to the lack of entitlement delegation and wipePendingDataDirectories using server's FileSystemUtils, node base directories won't be removed until after the test. * Disable entitlement checks for some command tests. * Disable entitlement checks for some tests requiring entitlement delegation.
Collaborator
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
mosche
commented
Jul 18, 2025
libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
Show resolved
Hide resolved
mosche
commented
Jul 18, 2025
| : dataDirs.stream().map(TestEntitlementBootstrap::absolutePath).toList(); | ||
| } | ||
|
|
||
| private static Path sharedDataDir(Settings settings) { |
Contributor
Author
There was a problem hiding this comment.
This is required for some tests, though it looks like we never grant PATH_SHARED_DATA_SETTING in production.
Is this a test-only thing? Or is that a bug?
prdoyle
reviewed
Jul 18, 2025
| import static org.hamcrest.Matchers.startsWith; | ||
|
|
||
| @ESIntegTestCase.ClusterScope(scope = ESIntegTestCase.Scope.TEST, numDataNodes = 0) | ||
| @ESTestCase.WithoutEntitlements // commands don't run with entitlements enforced |
Contributor
There was a problem hiding this comment.
It's a bit unfortunate how often we need to do this. Makes me wonder if there's a more general rule we could apply so that WithoutEntitlements only needs to be used in exceptional cases. 🤔
prdoyle
approved these changes
Jul 18, 2025
Contributor
prdoyle
left a comment
There was a problem hiding this comment.
We're on the same page about what's needed. I'll proactively approve to avoid delays.
… entitlement delegation
…xInternalClusterTest
…xInternalClusterTest
…xInternalClusterTest
…xInternalClusterTest
…xInternalClusterTest
…xInternalClusterTest
mosche
added a commit
to mosche/elasticsearch
that referenced
this pull request
Jul 29, 2025
Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). This change makes sure entitlements are correctly enabled during tests. Due to the lack of entitlement delegation (and usage of server's FileSystemUtils and similar in test code), there's a few remaining issues: - various tests have to run without entitlements - node base dirs cannot be removed immediately when shutting down the node due to pending cleanups (wipePendingDataDirectories) Due to Netty dependency issues (ES-12435), azure and inference tests have to run without entitlements.
Collaborator
💔 Backport failed
You can use sqren/backport to manually backport by running |
mosche
added a commit
to mosche/elasticsearch
that referenced
this pull request
Jul 29, 2025
Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). This change makes sure entitlements are correctly enabled during tests. Due to the lack of entitlement delegation (and usage of server's FileSystemUtils and similar in test code), there's a few remaining issues: - various tests have to run without entitlements - node base dirs cannot be removed immediately when shutting down the node due to pending cleanups (wipePendingDataDirectories) Due to Netty dependency issues (ES-12435), azure and inference tests have to run without entitlements. (cherry picked from commit 5d72a3f) # Conflicts: # modules/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java
Contributor
Author
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jul 29, 2025
Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). This change makes sure entitlements are correctly enabled during tests. Due to the lack of entitlement delegation (and usage of server's FileSystemUtils and similar in test code), there's a few remaining issues: - various tests have to run without entitlements - node base dirs cannot be removed immediately when shutting down the node due to pending cleanups (wipePendingDataDirectories) Due to Netty dependency issues (ES-12435), azure and inference tests have to run without entitlements.
mosche
added a commit
that referenced
this pull request
Aug 11, 2025
Previously, entitlement checks got disabled when resetting the policy manager (which defaults to inactive). This change makes sure entitlements are correctly enabled during tests. Due to the lack of entitlement delegation (and usage of server's FileSystemUtils and similar in test code), there's a few remaining issues: - various tests have to run without entitlements - node base dirs cannot be removed immediately when shutting down the node due to pending cleanups (wipePendingDataDirectories) Due to Netty dependency issues (ES-12435), azure and inference tests have to run without entitlements. (cherry picked from commit 5d72a3f)
mosche
added a commit
to mosche/elasticsearch
that referenced
this pull request
Sep 10, 2025
…cularityError. We've seen this previously (and predictably) in elastic#131539 due to logging Exceptions in isTriviallyAllowed. elastic#133269 shows exactly the same symptoms. Fixes elastic#133269 Fixes elastic#133267 Fixes elastic#133268
mosche
added a commit
that referenced
this pull request
Sep 10, 2025
mosche
added a commit
to mosche/elasticsearch
that referenced
this pull request
Sep 10, 2025
…cularityError. (elastic#134431) We've seen this previously (and predictably) in elastic#131539 due to logging Exceptions in isTriviallyAllowed. elastic#133269 shows exactly the same symptoms. Fixes elastic#133269 Fixes elastic#133267 Fixes elastic#133268
mosche
added a commit
to mosche/elasticsearch
that referenced
this pull request
Sep 10, 2025
…cularityError. (elastic#134431) We've seen this previously (and predictably) in elastic#131539 due to logging Exceptions in isTriviallyAllowed. elastic#133269 shows exactly the same symptoms. Fixes elastic#133269 Fixes elastic#133267 Fixes elastic#133268
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I'll follow up with better managing the lifecycle of test entitlement state, as discussed on Slack.