Skip to content

[Entitlements] Validation checks on paths #126852

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Apr 18, 2025
Merged

[Entitlements] Validation checks on paths #126852

merged 12 commits into from
Apr 18, 2025

Conversation

ldematte
Copy link
Contributor

With this PR we restrict the paths we allow access to, forbidding plugins to specify/request entitlements for reading or writing to specific protected directories.

I added this validation to EntitlementInitialization, as I wanted to fail fast and this is the earliest occurrence where we have all we need: PathLookup to resolve relative paths, policies (for plugins, server, agents) and the Paths for the specific directories we want to protect.

Relates to ES-10918

@ldematte ldematte added >enhancement auto-backport Automatically create backport pull requests when merged v8.18.1 v8.19.0 v9.0.1 v9.1.0 :Core/Infra/Entitlements Entitlements infrastructure labels Apr 15, 2025
@ldematte ldematte requested a review from a team as a code owner April 15, 2025 13:56
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Apr 15, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine
Copy link
Collaborator

Hi @ldematte, I've created a changelog YAML for you.

ldematte
ldematte commented Apr 15, 2025
View reviewed changes
...nt/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -317,6 +319,16 @@ private static PolicyManager createPolicyManager() {
)
)
);

validateFilesEntitlements(
pluginPolicies,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I considered to add validation for server and agent entitlements here too, but decided it's not worth it. Let me know if you thing those should be validated too.

prdoyle
prdoyle reviewed Apr 16, 2025
View reviewed changes
modules/ingest-geoip/src/main/plugin-metadata/entitlement-policy.yaml
mode: "read_write"
- relative_path: "ingest-geoip"
relative_to: config
mode: read
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🌶️

prdoyle
prdoyle approved these changes Apr 17, 2025
View reviewed changes
Copy link
Contributor

@prdoyle prdoyle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My suggestions above are minor and I think @ldematte can address them as he sees fit. Approving to avoid a wasted day due to time zones. 😄

@ldematte ldematte enabled auto-merge (squash) April 18, 2025 09:26
@ldematte ldematte merged commit 69f6520 into elastic:main Apr 18, 2025
17 checks passed
@ldematte ldematte mentioned this pull request Apr 18, 2025
Merged
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Apr 18, 2025
@ldematte
[Entitlements] Validation checks on paths (elastic#126852)
b57a968 
With this PR we restrict the paths we allow access to, forbidding plugins to specify/request entitlements for reading or writing to specific protected directories.

I added this validation to EntitlementInitialization, as I wanted to fail fast and this is the earliest occurrence where we have all we need: PathLookup to resolve relative paths, policies (for plugins, server, agents) and the Paths for the specific directories we want to protect.

Relates to ES-10918
This was referenced Apr 18, 2025
Merged
Merged
@elasticsearchmachine
Copy link
Collaborator

💚 Backport successful

Status Branch Result
8.18
8.x
9.0

ldematte added a commit to ldematte/elasticsearch that referenced this pull request Apr 18, 2025
@ldematte
[Entitlements] Validation checks on paths (elastic#126852)
342bb59 
With this PR we restrict the paths we allow access to, forbidding plugins to specify/request entitlements for reading or writing to specific protected directories.

I added this validation to EntitlementInitialization, as I wanted to fail fast and this is the earliest occurrence where we have all we need: PathLookup to resolve relative paths, policies (for plugins, server, agents) and the Paths for the specific directories we want to protect.

Relates to ES-10918
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Apr 18, 2025
@ldematte
[Entitlements] Validation checks on paths (elastic#126852)
56c4caf 
With this PR we restrict the paths we allow access to, forbidding plugins to specify/request entitlements for reading or writing to specific protected directories.

I added this validation to EntitlementInitialization, as I wanted to fail fast and this is the earliest occurrence where we have all we need: PathLookup to resolve relative paths, policies (for plugins, server, agents) and the Paths for the specific directories we want to protect.

Relates to ES-10918
elasticsearchmachine pushed a commit that referenced this pull request Apr 18, 2025
@ldematte
[Entitlements] Validation checks on paths (#126852) (#127057)
0c48a96 
With this PR we restrict the paths we allow access to, forbidding plugins to specify/request entitlements for reading or writing to specific protected directories.

I added this validation to EntitlementInitialization, as I wanted to fail fast and this is the earliest occurrence where we have all we need: PathLookup to resolve relative paths, policies (for plugins, server, agents) and the Paths for the specific directories we want to protect.

Relates to ES-10918
elasticsearchmachine pushed a commit that referenced this pull request Apr 18, 2025
@ldematte
[Entitlements] Validation checks on paths (#126852) (#127056)
0ab1fc3 
With this PR we restrict the paths we allow access to, forbidding plugins to specify/request entitlements for reading or writing to specific protected directories.

I added this validation to EntitlementInitialization, as I wanted to fail fast and this is the earliest occurrence where we have all we need: PathLookup to resolve relative paths, policies (for plugins, server, agents) and the Paths for the specific directories we want to protect.

Relates to ES-10918
elasticsearchmachine pushed a commit that referenced this pull request Apr 18, 2025
@ldematte
[Entitlements] Validation checks on paths (#126852) (#127055)
591a08f 
With this PR we restrict the paths we allow access to, forbidding plugins to specify/request entitlements for reading or writing to specific protected directories.

I added this validation to EntitlementInitialization, as I wanted to fail fast and this is the earliest occurrence where we have all we need: PathLookup to resolve relative paths, policies (for plugins, server, agents) and the Paths for the specific directories we want to protect.

Relates to ES-10918
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prdoyle prdoyle prdoyle approved these changes

Assignees
No one assigned
Labels
auto-backport Automatically create backport pull requests when merged :Core/Infra/Entitlements Entitlements infrastructure >enhancement Team:Core/Infra Meta label for core/infra team v8.18.1 v8.19.0 v9.0.1 v9.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ldematte @elasticsearchmachine @prdoyle