java.lang.Object
org.elasticsearch.entitlement.runtime.policy.PolicyManager

public class PolicyManager extends Object
This class is responsible for finding the component (system, server, plugin, agent) that a caller class belongs to, retrieving the policy and entitlements for that component, and checking them against the action(s) the caller wants to perform.

To find a component:

  • For plugins, we use the Module -> Plugin name (String) passed to the ctor
  • For the system component, we build a set (SYSTEM_LAYER_MODULES) of references to the modules that belong to that component, i.e. the component containing what we consider system modules. These are the modules that:
  • For the server component, we build a set (SERVER_LAYER_MODULES) as the set of modules that are in the boot module layer but not in the system component.

When a check is performed (e.g. checkExitVM(Class)), we get the module the caller class belongs to via Class.getModule() and try (in order) to see if that class belongs to:

  1. The system component - if a module is contained in SYSTEM_LAYER_MODULES
  2. The server component - if a module is contained in SERVER_LAYER_MODULES
  3. One of the plugins or modules - if the module is present in the PluginsResolver map
  4. A known agent (APM)
  5. Something else

Once it has a component, this class maps it to a policy and checks the action performed by the caller class against that component's entitlements, either allowing it to proceed or raising a NotEntitledException if the caller class is not entitled to perform the action.

All the check methods below start in the same way: the components identified in the previous section are used to establish if and how to check. If the caller class belongs to SYSTEM_LAYER_MODULES, no check is performed (the call is trivially allowed, see isTriviallyAllowed(java.lang.Class<?>)). Otherwise, we lazily compute and create a PolicyManager.ModuleEntitlements record (see computeEntitlements(java.lang.Class<?>)). The record is cached so it can be reused by following checks, stored in a Module -> ModuleEntitlements map.
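The following is an added, self-contained illustration of the lookup order and caching described above; it is not Elasticsearch's PolicyManager and does not use its API. Everything beyond the ordering is an assumption made for the example: the criterion used to pick "system" modules (JDK modules, since the page does not list the real criteria), the shape of the PluginsResolver map (Module -> plugin name), a policy reduced to a set of readable directories per component, and stand-ins for ModuleEntitlements and NotEntitledException.

```java
import java.nio.file.Path;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

/** Illustrative only: mirrors the component lookup order and the per-Module cache, not the real implementation. */
public class EntitlementLookupExample {

    enum Component { SYSTEM, SERVER, PLUGIN, AGENT, UNKNOWN }

    /** Stand-in for PolicyManager.ModuleEntitlements: the resolved component plus what it may read (assumed policy shape). */
    record ModuleEntitlements(Component component, String componentName, Set<Path> readableDirs) {
        boolean mayRead(Path p) {
            Path abs = p.toAbsolutePath().normalize();
            return readableDirs.stream().anyMatch(abs::startsWith);
        }
    }

    /** Stand-in for the real NotEntitledException. */
    static class NotEntitledException extends RuntimeException {
        NotEntitledException(String msg) { super(msg); }
    }

    private final Set<Module> systemLayerModules;
    private final Set<Module> serverLayerModules;
    private final Map<Module, String> pluginNameByModule;       // assumed shape of the PluginsResolver map
    private final Set<Module> agentModules;
    private final Map<String, Set<Path>> readPolicyByComponent; // assumed: policy keyed by component name
    private final Map<Module, ModuleEntitlements> cache = new ConcurrentHashMap<>();

    EntitlementLookupExample(Set<Module> system, Set<Module> server, Map<Module, String> plugins,
                             Set<Module> agents, Map<String, Set<Path>> policy) {
        this.systemLayerModules = system;
        this.serverLayerModules = server;
        this.pluginNameByModule = plugins;
        this.agentModules = agents;
        this.readPolicyByComponent = policy;
    }

    /** System-layer callers skip the check entirely (the "trivially allowed" case). */
    boolean isTriviallyAllowed(Class<?> callerClass) {
        return systemLayerModules.contains(callerClass.getModule());
    }

    /** Lazily computes the record once per Module and caches it for later checks. */
    ModuleEntitlements entitlementsFor(Class<?> callerClass) {
        return cache.computeIfAbsent(callerClass.getModule(), this::compute);
    }

    /** The lookup order from the text: system, server, plugin, agent, anything else. */
    private ModuleEntitlements compute(Module m) {
        if (systemLayerModules.contains(m)) return new ModuleEntitlements(Component.SYSTEM, "system", Set.of());
        if (serverLayerModules.contains(m)) return entitled(Component.SERVER, "server");
        String plugin = pluginNameByModule.get(m);
        if (plugin != null) return entitled(Component.PLUGIN, plugin);
        if (agentModules.contains(m)) return entitled(Component.AGENT, "apm-agent");
        String name = m.isNamed() ? m.getName() : "<unnamed>";
        return new ModuleEntitlements(Component.UNKNOWN, name, Set.of()); // unknown callers get no entitlements
    }

    private ModuleEntitlements entitled(Component c, String name) {
        return new ModuleEntitlements(c, name, readPolicyByComponent.getOrDefault(name, Set.of()));
    }

    /** Same shape as checkFileRead(Class, Path): trivially allow, otherwise consult the cached record. */
    void checkFileRead(Class<?> callerClass, Path path) {
        if (isTriviallyAllowed(callerClass)) return;
        ModuleEntitlements e = entitlementsFor(callerClass);
        if (!e.mayRead(path)) {
            throw new NotEntitledException(e.componentName() + " [" + e.component() + "] is not entitled to read " + path);
        }
    }

    public static void main(String[] args) {
        ModuleLayer boot = ModuleLayer.boot();
        // Assumption for the example: JDK modules are the system component.
        Set<Module> system = boot.modules().stream()
            .filter(m -> m.getName().startsWith("java.") || m.getName().startsWith("jdk."))
            .collect(Collectors.toSet());
        // As the text describes: server = boot layer minus the system component.
        Set<Module> server = boot.modules().stream().filter(m -> !system.contains(m)).collect(Collectors.toSet());

        // This class runs from the class path (the unnamed module), so it would resolve to UNKNOWN;
        // register it as a hypothetical plugin to exercise the plugin branch and its policy.
        Module self = EntitlementLookupExample.class.getModule();
        Map<Module, String> plugins = Map.of(self, "example-plugin");
        Map<String, Set<Path>> policy = Map.of("example-plugin", Set.of(Path.of("/tmp")));

        EntitlementLookupExample pm = new EntitlementLookupExample(system, server, plugins, Set.of(), policy);

        pm.checkFileRead(String.class, Path.of("/etc/passwd"));                      // java.base: trivially allowed, no lookup
        pm.checkFileRead(EntitlementLookupExample.class, Path.of("/tmp/data.json")); // allowed by the plugin's policy
        try {
            pm.checkFileRead(EntitlementLookupExample.class, Path.of("/etc/passwd")); // outside the policy: denied
        } catch (NotEntitledException ex) {
            System.out.println("denied as expected: " + ex.getMessage());
        }
        System.out.println("cached modules: " + pm.cache.size()); // only the plugin's module was ever computed
    }
}
```

Two points worth noticing when running it: the system-layer call never touches the cache, which is exactly the "trivially allowed" short-circuit, and a class loaded from the class path lives in the unnamed module, so without an explicit entry in the plugin map it falls through to the "something else" branch and gets no entitlements at all.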

  • Method Details

    • checkStartProcess

      public void checkStartProcess(Class<?> callerClass)
    • checkWriteStoreAttributes

      public void checkWriteStoreAttributes(Class<?> callerClass)
    • checkReadStoreAttributes

      public void checkReadStoreAttributes(Class<?> callerClass)
    • checkExitVM

      public void checkExitVM(Class<?> callerClass)
    • checkCreateClassLoader

      public void checkCreateClassLoader(Class<?> callerClass)
    • checkSetHttpsConnectionProperties

      public void checkSetHttpsConnectionProperties(Class<?> callerClass)
    • checkChangeJVMGlobalState

      public void checkChangeJVMGlobalState(Class<?> callerClass)
    • checkLoggingFileHandler

      public void checkLoggingFileHandler(Class<?> callerClass)
    • checkChangeNetworkHandling

      public void checkChangeNetworkHandling(Class<?> callerClass)
      Check for operations that can modify the way network operations are handled
    • checkChangeFilesHandling

      public void checkChangeFilesHandling(Class<?> callerClass)
      Check for operations that can modify the way file operations are handled
    • checkFileRead

      public void checkFileRead(Class<?> callerClass, File file)
    • checkFileRead

      public void checkFileRead(Class<?> callerClass, Path path)
    • checkFileRead

      public void checkFileRead(Class<?> callerClass, Path path, boolean followLinks) throws NoSuchFileException
      Throws:
      NoSuchFileException
    • checkFileWrite

      public void checkFileWrite(Class<?> callerClass, File file)
    • checkFileWrite

      public void checkFileWrite(Class<?> callerClass, Path path)
    • checkCreateTempFile

      public void checkCreateTempFile(Class<?> callerClass)
    • checkFileWithZipMode

      public void checkFileWithZipMode(Class<?> callerClass, File file, int zipMode)
    • checkFileDescriptorRead

      public void checkFileDescriptorRead(Class<?> callerClass)
    • checkFileDescriptorWrite

      public void checkFileDescriptorWrite(Class<?> callerClass)
    • checkGetFileAttributeView

      public void checkGetFileAttributeView(Class<?> callerClass)
      Invoked when we try to get an arbitrary FileAttributeView class. Such a view can modify attributes (owner, permissions, etc.); we could introduce a check for each of those operations, but for now we over-approximate and simply deny when the view is obtained directly.
    • checkLoadingNativeLibraries

      public void checkLoadingNativeLibraries(Class<?> callerClass)
      Check for operations that load native libraries.
    • checkInboundNetworkAccess

      public void checkInboundNetworkAccess(Class<?> callerClass)
    • checkOutboundNetworkAccess

      public void checkOutboundNetworkAccess(Class<?> callerClass)
    • checkAllNetworkAccess

      public void checkAllNetworkAccess(Class<?> callerClass)
    • checkUnsupportedURLProtocolConnection

      public void checkUnsupportedURLProtocolConnection(Class<?> callerClass, String protocol)
    • checkWriteProperty

      public void checkWriteProperty(Class<?> callerClass, String property)
    • checkManageThreadsEntitlement

      public void checkManageThreadsEntitlement(Class<?> callerClass)
    • toString

      public String toString()
      Overrides:
      toString in class Object