From 2428489944a2ec366b4a77a5ea8d52a924ca2173 Mon Sep 17 00:00:00 2001
From: Moritz Mack
Date: Thu, 10 Jul 2025 17:59:06 +0200
Subject: [PATCH 1/2] Log NotEntitledExceptions using logger with . suffix rather than . for more fine-grained mutes. Relates to ES-12231
---
.../runtime/policy/PolicyCheckerImpl.java | 63 +++++++++----------
.../runtime/policy/PolicyManager.java | 34 +++-------
2 files changed, 38 insertions(+), 59 deletions(-)
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyCheckerImpl.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyCheckerImpl.java
index 2c3374f594847..3fb9acebfaf87 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyCheckerImpl.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyCheckerImpl.java
@@ -139,7 +139,7 @@ private void neverEntitled(Class callerClass, Supplier operationDescr requestingClass, operationDescription.get() ), - callerClass, + requestingClass, entitlements ); }
@@ -251,7 +251,7 @@ public void checkFileRead(Class callerClass, Path path, boolean followLinks) requestingClass, realPath == null ? path : Strings.format("%s -> %s", path, realPath) ), - callerClass, + requestingClass, entitlements ); }
@@ -283,7 +283,7 @@ public void checkFileWrite(Class callerClass, Path path) { requestingClass, path ), - callerClass, + requestingClass, entitlements ); }
@@ -360,8 +360,8 @@ public void checkAllNetworkAccess(Class callerClass) { } var classEntitlements = policyManager.getEntitlements(requestingClass); - checkFlagEntitlement(classEntitlements, InboundNetworkEntitlement.class, requestingClass, callerClass); - checkFlagEntitlement(classEntitlements, OutboundNetworkEntitlement.class, requestingClass, callerClass); + checkFlagEntitlement(classEntitlements, InboundNetworkEntitlement.class, requestingClass); + checkFlagEntitlement(classEntitlements, OutboundNetworkEntitlement.class, requestingClass); } @Override
@@ -378,16 +378,15 @@ public void checkWriteProperty(Class callerClass, String property) { ModuleEntitlements entitlements = policyManager.getEntitlements(requestingClass); if (entitlements.getEntitlements(WriteSystemPropertiesEntitlement.class).anyMatch(e -> e.properties().contains(property))) { - entitlements.logger() - .debug( - () -> Strings.format( - "Entitled: component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]", - entitlements.componentName(), - entitlements.moduleName(), - requestingClass, - property - ) - ); + PolicyManager.generalLogger.debug( + () -> Strings.format( + "Entitled: component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]", + entitlements.componentName(), + entitlements.moduleName(), + requestingClass, + property + ) + ); return; } notEntitled(
@@ -398,7 +397,7 @@ public void checkWriteProperty(Class callerClass, String property) { requestingClass, property ), - callerClass, + requestingClass, entitlements ); }
@@ -439,8 +438,7 @@ Optional findRequestingFrame(Stream entitlementClass, - Class requestingClass, - Class callerClass + Class requestingClass ) { if (classEntitlements.hasEntitlement(entitlementClass) == false) { notEntitled(
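Review bot: In checkWriteProperty the `Entitled:` debug message now goes to the shared `PolicyManager.generalLogger` while the `Not entitled:` warning in notEntitled still uses a per-component/module/package logger, and nothing in the hunk records why the two paths differ. Presumably this is a hot-path choice, because `ModuleEntitlements.logger(requestingClass)` concatenates a logger name and calls `LogManager.getLogger` on every invocation, a cost that would be paid on each successful check even with DEBUG disabled; a comment above the debug call such as `// hot path: use the shared logger rather than resolving a per-package logger on every entitled check` would keep a later reader from switching it back. The same applies to the checkFlagEntitlement hunk at @@ -451. It also means operators can no longer enable entitled-operation tracing for a single component as the removed per-module logger allowed, which is worth stating in the commit message if intended.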
@@ -451,27 +449,26 @@ private void checkFlagEntitlement( requestingClass, PolicyParser.buildEntitlementNameFromClass(entitlementClass) ), - callerClass, + requestingClass, classEntitlements ); } - classEntitlements.logger() - .debug( - () -> Strings.format( - "Entitled: component [%s], module [%s], class [%s], entitlement [%s]", - classEntitlements.componentName(), - classEntitlements.moduleName(), - requestingClass, - PolicyParser.buildEntitlementNameFromClass(entitlementClass) - ) - ); + PolicyManager.generalLogger.debug( + () -> Strings.format( + "Entitled: component [%s], module [%s], class [%s], entitlement [%s]", + classEntitlements.componentName(), + classEntitlements.moduleName(), + requestingClass, + PolicyParser.buildEntitlementNameFromClass(entitlementClass) + ) + ); } - private void notEntitled(String message, Class callerClass, ModuleEntitlements entitlements) { + private void notEntitled(String message, Class requestingClass, ModuleEntitlements entitlements) { var exception = new NotEntitledException(message); // Don't emit a log for suppressed packages, e.g. packages containing self tests - if (suppressFailureLogPackages.contains(callerClass.getPackage()) == false) { - entitlements.logger().warn("Not entitled: {}", message, exception); + if (suppressFailureLogPackages.contains(requestingClass.getPackage()) == false) { + entitlements.logger(requestingClass).warn("Not entitled: {}", message, exception); } throw exception; }
@@ -482,7 +479,7 @@ public void checkEntitlementPresent(Class callerClass, Class, List> entitlementsByType, - FileAccessTree fileAccess, - Logger logger + FileAccessTree fileAccess ) { public ModuleEntitlements {
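Review bot: The suppression check in notEntitled now keys on `requestingClass.getPackage()` instead of the caller's package, so the set of muted denials changes: a self-test class that is the direct caller but not the frame resolved as the requesting class now produces a warning, and any check whose requesting frame falls in a suppressed package is silenced regardless of which class actually invoked the instrumented method. If that is intended, the comment above the check should say so, e.g. `// Don't emit a log when the requesting class is in a suppressed package, e.g. packages containing self tests`, and the entries in `suppressFailureLogPackages` (initialised outside this hunk) should be confirmed to be requesting-side packages. Resolving `entitlements.logger(requestingClass)` through `LogManager.getLogger` on every not-entitled event is acceptable on this exceptional path; the warning still emits the full message and the exception's stack trace, so the finer logger name is what lets an operator mute one noisy package without hiding other denials.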
@@ -141,6 +140,11 @@ public Stream getEntitlements(Class entitlementCla } return entitlements.stream().map(entitlementClass::cast); } + + Logger logger(Class requestingClass) { + var loggerSuffix = "." + componentName + "." + requestingClass.getPackageName(); + return LogManager.getLogger(PolicyManager.class.getName() + loggerSuffix); + } } private FileAccessTree getDefaultFileAccess(Collection componentPaths) {
@@ -149,13 +153,7 @@ private FileAccessTree getDefaultFileAccess(Collection componentPaths) { // pkg private for testing ModuleEntitlements defaultEntitlements(String componentName, Collection componentPaths, String moduleName) { - return new ModuleEntitlements( - componentName, - moduleName, - Map.of(), - getDefaultFileAccess(componentPaths), - getLogger(componentName, moduleName) - ); + return new ModuleEntitlements(componentName, moduleName, Map.of(), getDefaultFileAccess(componentPaths)); } // pkg private for testing
@@ -175,8 +173,7 @@ ModuleEntitlements policyEntitlements( componentName, moduleName, entitlements.stream().collect(groupingBy(Entitlement::getClass)), - FileAccessTree.of(componentName, moduleName, filesEntitlement, pathLookup, componentPaths, exclusivePaths), - getLogger(componentName, moduleName) + FileAccessTree.of(componentName, moduleName, filesEntitlement, pathLookup, componentPaths, exclusivePaths) ); }
@@ -286,21 +283,6 @@ private static void validateEntitlementsPerModule( } } - private static Logger getLogger(String componentName, String moduleName) { - var loggerSuffix = "." + componentName + "." + ((moduleName == null) ? ALL_UNNAMED : moduleName); - return MODULE_LOGGERS.computeIfAbsent(PolicyManager.class.getName() + loggerSuffix, LogManager::getLogger); - } - - /** - * We want to use the same {@link Logger} object for a given name, because we want {@link ModuleEntitlements} - * {@code equals} and {@code hashCode} to work. - *
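Review bot: The new `ModuleEntitlements.logger(Class requestingClass)` has no Javadoc, and because the `Logger` record component and the `MODULE_LOGGERS` cache are removed in the same commit, a reader will not see that it resolves a logger via `LogManager.getLogger` on every call rather than returning a memoized instance as the old `getLogger` did. Suggested Javadoc: state that it returns the logger for entitlement failures raised on behalf of `requestingClass`, that the logger name is derived from the component and the requesting class's package so that levels can be muted per package, and that it performs a lookup per call and is therefore intended for the failure path only. The removed comment explaining why memoization was needed (record `equals`/`hashCode`) no longer applies once `Logger` is not a component, so a short note that the cache was dropped for that reason would spare the next reader from re-adding it.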

- * This would not be required if LogManager
- * memoized the loggers,
- * but here we are.
- */
- private static final ConcurrentHashMap MODULE_LOGGERS = new ConcurrentHashMap<>(); - protected ModuleEntitlements getEntitlements(Class requestingClass) { return moduleEntitlementsMap.computeIfAbsent(requestingClass.getModule(), m -> computeEntitlements(requestingClass)); }
From 3f2225afc73b10be9b1878fa9b1bc5f12da6acb6 Mon Sep 17 00:00:00 2001
From: Moritz Mack
Date: Mon, 14 Jul 2025 09:19:43 +0200
Subject: [PATCH 2/2] backwards compatible logger name
---
.../entitlement/runtime/policy/PolicyManager.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
index d837061d58347..ff6f3baf0a6b6 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
@@ -142,7 +142,8 @@ public Stream getEntitlements(Class entitlementCla } Logger logger(Class requestingClass) { - var loggerSuffix = "." + componentName + "." + requestingClass.getPackageName(); + var packageName = requestingClass.getPackageName(); + var loggerSuffix = "." + componentName + "." + ((moduleName == null) ? ALL_UNNAMED : moduleName) + "." + packageName; return LogManager.getLogger(PolicyManager.class.getName() + loggerSuffix); } }
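Review bot: `getPackageName()` returns an empty string for a class in the unnamed package, so the new `loggerSuffix` then ends with a trailing `.` and the logger name becomes `...<component>.<module>.`; guarding the last segment keeps the name well-formed: `var loggerSuffix = "." + componentName + "." + ((moduleName == null) ? ALL_UNNAMED : moduleName) + (packageName.isEmpty() ? "" : "." + packageName);`. The reason for re-inserting the module segment lives only in the commit title; a comment on that line, e.g. `// keep the <component>.<module> prefix so existing per-module log levels still apply to the per-package loggers beneath it`, would carry that intent into the code (this relies on the logging backend treating dotted names hierarchically, which the backwards-compatibility claim presumes). The enclosing ModuleEntitlements record declaration is outside the hunk.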