Elasticsearch classic plugin: problem with entitlements

I’m writing a classic plugin for a custom similarity. ES 9.0.1.

The plugin tries to load resources from its own jar:

Enumeration<java.net.URL> resources = Utils.class.getClassLoader().getResources("META-INF/MANIFEST.MF");
while (resources.hasMoreElements()) {
    Manifest manifest = null;
    InputStream strm = null;
    try {
        strm = resources.nextElement().openStream(); // <= failure
        ...
    } finally {
        if (strm != null) strm.close();
    }
}

I get a NotEntitledException:

[2026-02-20T12:46:30,969][DEBUG][o.e.e.r.p.FileAccessTree ] [BAARD6] Created FileAccessTree with paths: exclusive [], read [C:\WINDOWS\TEMP\elasticsearch,E:\Elastic\elasticsearch-9.0.1\config,E:\Elastic\elasticsearch-9.0.1\jdk\conf,E:\Elastic\elasticsearch-9.0.1\plugins\bitmanager.analysis.plugin], write [C:\WINDOWS\TEMP\elasticsearch]
[2026-02-20T12:46:30,969][WARN ][o.e.e.r.p.P.b.ALL-UNNAMED] [BAARD6] Not entitled: component [bitmanager-analysis-plugin], module [ALL-UNNAMED], class [class nl.bitmanager.elasticsearch.support.Utils], entitlement [file], operation [read], path [E:\Elastic\elasticsearch-9.0.1\lib\entitlement-bridge\elasticsearch-entitlement-bridge-9.0.1.jar]
org.elasticsearch.entitlement.runtime.api.NotEntitledException: component [bitmanager-analysis-plugin], module [ALL-UNNAMED], class [class nl.bitmanager.elasticsearch.support.Utils], entitlement [file], operation [read], path [E:\Elastic\elasticsearch-9.0.1\lib\entitlement-bridge\elasticsearch-entitlement-bridge-9.0.1.jar]
	at org.elasticsearch.entitlement.runtime.policy.PolicyManager.notEntitled(PolicyManager.java:690) ~[elasticsearch-entitlement-9.0.1.jar:?]
	at org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:511) ~[elasticsearch-entitlement-9.0.1.jar:?]
	at org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:475) ~[elasticsearch-entitlement-9.0.1.jar:?]
	at org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.checkURLFileRead(ElasticsearchEntitlementChecker.java:2776) ~[elasticsearch-entitlement-9.0.1.jar:?]
	at org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.handleNetworkOrFileUrlCheck(ElasticsearchEntitlementChecker.java:670) ~[elasticsearch-entitlement-9.0.1.jar:?]
	at org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.checkEntitlementForUrl(ElasticsearchEntitlementChecker.java:690) ~[elasticsearch-entitlement-9.0.1.jar:?]
	at org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.check$java_net_URL$openStream(ElasticsearchEntitlementChecker.java:713) ~[elasticsearch-entitlement-9.0.1.jar:?]
	at java.net.URL.openStream(URL.java) ~[?:?]
	at nl.bitmanager.elasticsearch.support.Utils.getManifestEntries(Utils.java:125) ~[BMAnalysisPlugin.jar:?]
...

I am surprised that the read-failure is for “E:\Elastic\elasticsearch-9.0.1\lib\entitlement-bridge\elasticsearch-entitlement-bridge-9.0.1.jar”.

I tried to modify the “entitlement-policy.yaml” file, but whatever I specify there is not passing me through. Even using a hardcoded path has no effect.

To verify that this yaml is read, I put a syntax error in it: in that case ES will not start, so the file is read!
Also, the FileAccessTree (see log dump) always has the same value.

I hope that someone can shine a light on this!
Thanks,

Peter

Oh, stupid me. It was rather old code. The classloader has way more jars and manifests in it, and I’m just enumerating over them. So that explains why I get the exception for reading another jar than my own plugin.

But what remains is this: suppose that I do want to read manifests from other jars, how do I specify that in the entitlement-policy.yaml?
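
An added example (not part of the original posts and not Elasticsearch code): one way to read only the manifest of the jar that contains a given class, instead of enumerating every META-INF/MANIFEST.MF visible to the class loader. The class name OwnManifest and its read method are hypothetical, and the example assumes the plugin jar lies inside the plugin directory that the FileAccessTree log line above lists under read.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

// Hypothetical helper: reads the manifest of the jar that holds a given class,
// so no other jar on the class path is ever opened.
public final class OwnManifest {
    private OwnManifest() {}

    /** Returns the main manifest attributes of the jar that contains {@code anchor}. */
    public static Attributes read(Class<?> anchor) throws IOException {
        // Resource name of the class file itself, e.g. "nl/example/Utils.class".
        String classFile = anchor.getName().replace('.', '/') + ".class";

        // Resolves to something like jar:file:/.../plugin.jar!/nl/example/Utils.class
        URL self = anchor.getResource("/" + classFile);
        if (self == null || !"jar".equals(self.getProtocol())) {
            throw new IOException("class was not loaded from a jar: " + self);
        }

        String spec = self.toString();
        if (!spec.endsWith("!/" + classFile)) {
            throw new IOException("unexpected class location: " + spec);
        }

        // Strip the class file name to get the jar root: jar:file:/.../plugin.jar!/
        String jarRoot = spec.substring(0, spec.length() - classFile.length());
        URL manifestUrl = URI.create(jarRoot + "META-INF/MANIFEST.MF").toURL();

        // The only file read here is the jar that contains 'anchor'.
        try (InputStream in = manifestUrl.openStream()) {
            return new Manifest(in).getMainAttributes();
        }
    }
}

// Usage inside the plugin (Utils is the plugin class named in the stack trace):
//   Attributes attrs = OwnManifest.read(Utils.class);
//   String version = attrs.getValue("Implementation-Version");
```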