❗️ Issue: NotEntitledException after upgrading to Elasticsearch 8.18.1

Shubham.Kumar · August 20, 2025, 6:09am

Hi everyone,

After upgrading to Elasticsearch 8.18.1, I'm encountering the following warning during startup:

[2025-08-20T05:39:57,789][WARN ][o.e.e.r.p.P.r.o.e.r.root ] [node-1] Not entitled: component [rest-root], module [org.elasticsearch.rest.root], class [class org.elasticsearch.rest.root.MainResponse], entitlement [file], operation [read], path [/home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version]org.elasticsearch.entitlement.runtime.api.NotEntitledException: component [rest-root], module [org.elasticsearch.rest.root], class [class org.elasticsearch.rest.root.MainResponse], entitlement [file], operation [read], path [/home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version]
at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.notEntitled(PolicyManager.java:690)
at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:511)
at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:475)
at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:454)
at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.check$java_io_FileReader$(ElasticsearchEntitlementChecker.java:1602)

I have provided the Entitlement for the file using java class EntitlementInitialization.java
I have added this code block in createPolicyManager method:

String esHome = System.getProperty("es.path.home");
        System.out.println("esHome: " + esHome);
        Path versionFilePath = Path.of(esHome,"etc/version");
        System.out.println("versionFilePath: " + versionFilePath);
        serverModuleFileDatas.add(FileData.ofPath(versionFilePath, READ));

        serverScopes.add(new Scope("org.elasticsearch.rest.root", List.of(new FilesEntitlement(List.of(FileData.ofPath(versionFilePath, READ))))));

Context:

Elasticsearch version: 8.18.1
Node name: node-1
File path involved: /home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version
This started happening after the upgrade from 7.4.2 to 8.18.1

What I've Tried:

Verified file permissions
Checked entitlement policies and modified them using EntitlementInitialization.java

Questions:

Is this a known issue with 8.18.x?
How can I grant the necessary entitlement for this file read operation?
Is there a workaround or configuration change I should apply?

Any help or guidance would be much appreciated!

DavidTurner · August 20, 2025, 11:08am

You’ve truncated the stack trace - could you share it in full please?

Shubham.Kumar · August 20, 2025, 11:18am

Yeah sure. Here it is:

[2025-08-20T09:15:52,159][WARN ][o.e.e.r.p.P.r.o.e.r.root ] [node-1] Not entitled: component [rest-root], module [org.elasticsearch.rest.root], class [class org.elasticsearch.rest.root.MainResponse], entitlement [file], operation [read], path [/home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version]org.elasticsearch.entitlement.runtime.api.NotEntitledException: component [rest-root], module [org.elasticsearch.rest.root], class [class org.elasticsearch.rest.root.MainResponse], entitlement [file], operation [read], path [/home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version]
	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.notEntitled(PolicyManager.java:690)
	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:511)
	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:475)
	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:454)
	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.check$java_io_FileReader$(ElasticsearchEntitlementChecker.java:1602)

See logs for more details.

[2025-08-20T09:15:52,162][WARN ][stderr                   ] [node-1] org.elasticsearch.entitlement.runtime.api.NotEntitledException: component [rest-root], module [org.elasticsearch.rest.root], class [class org.elasticsearch.rest.root.MainResponse], entitlement [file], operation [read], path [/home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version]
[2025-08-20T09:15:52,162][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.notEntitled(PolicyManager.java:690)
[2025-08-20T09:15:52,162][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:511)
[2025-08-20T09:15:52,163][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:475)
[2025-08-20T09:15:52,163][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:454)
[2025-08-20T09:15:52,163][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.check$java_io_FileReader$(ElasticsearchEntitlementChecker.java:1602)
[2025-08-20T09:15:52,163][WARN ][stderr                   ] [node-1] 	at java.base/java.io.FileReader.<init>(FileReader.java)
[2025-08-20T09:15:52,163][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.MainResponse.toXContent(MainResponse.java:77)
[2025-08-20T09:15:52,163][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.RestMainAction.convertMainResponse(RestMainAction.java:60)
[2025-08-20T09:15:52,163][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.RestMainAction$1.buildResponse(RestMainAction.java:49)
[2025-08-20T09:15:52,164][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.RestMainAction$1.buildResponse(RestMainAction.java:46)
[2025-08-20T09:15:52,164][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.action.RestBuilderListener.buildResponse(RestBuilderListener.java:28)
[2025-08-20T09:15:52,164][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.action.RestResponseListener.processResponse(RestResponseListener.java:27)
[2025-08-20T09:15:52,164][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.action.RestActionListener.onResponse(RestActionListener.java:37)
[2025-08-20T09:15:52,164][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:203)
[2025-08-20T09:15:52,164][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:197)
[2025-08-20T09:15:52,164][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.ActionListenerImplementations$RunBeforeActionListener.onResponse(ActionListenerImplementations.java:336)
[2025-08-20T09:15:52,164][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.TransportMainAction.doExecute(TransportMainAction.java:47)
[2025-08-20T09:15:52,165][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.TransportMainAction.doExecute(TransportMainAction.java:27)
[2025-08-20T09:15:52,165][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:135)
[2025-08-20T09:15:52,165][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.ActionFilter$Simple.apply(ActionFilter.java:54)
[2025-08-20T09:15:52,165][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:132)
[2025-08-20T09:15:52,166][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.MappedActionFilters$MappedFilterChain.proceed(MappedActionFilters.java:71)
[2025-08-20T09:15:52,166][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.MappedActionFilters.apply(MappedActionFilters.java:49)
[2025-08-20T09:15:52,166][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:132)
[2025-08-20T09:15:52,167][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction.handleExecution(TransportAction.java:96)
[2025-08-20T09:15:52,167][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:59)
[2025-08-20T09:15:52,167][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.tasks.TaskManager.registerAndExecute(TaskManager.java:197)
[2025-08-20T09:15:52,167][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.client.internal.node.NodeClient.executeLocally(NodeClient.java:107)
[2025-08-20T09:15:52,167][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.client.internal.node.NodeClient.doExecute(NodeClient.java:85)
[2025-08-20T09:15:52,167][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.client.internal.support.AbstractClient.execute(AbstractClient.java:143)
[2025-08-20T09:15:52,167][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.RestMainAction.lambda$prepareRequest$0(RestMainAction.java:46)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:150)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController$1.onResponse(RestController.java:519)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController$1.onResponse(RestController.java:513)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.security@8.18.1-SNAPSHOT/org.elasticsearch.xpack.security.rest.SecurityRestFilter.intercept(SecurityRestFilter.java:69)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:513)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:677)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:349)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:488)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:584)
[2025-08-20T09:15:52,168][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:461)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.transport.netty4@8.18.1-SNAPSHOT/org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.handlePipelinedRequest(Netty4HttpPipeliningHandler.java:170)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.transport.netty4@8.18.1-SNAPSHOT/org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:149)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.transport.netty4@8.18.1-SNAPSHOT/org.elasticsearch.http.netty4.Netty4LeakDetectionHandler.channelRead(Netty4LeakDetectionHandler.java:38)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T09:15:52,169][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:120)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.transport.netty4@8.18.1-SNAPSHOT/org.elasticsearch.http.netty4.Netty4HttpAggregator.channelRead(Netty4HttpAggregator.java:50)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T09:15:52,170][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T09:15:52,171][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.common@4.1.118.Final/io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at io.netty.common@4.1.118.Final/io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
[2025-08-20T09:15:52,172][WARN ][stderr                   ] [node-1] 	at java.base/java.lang.Thread.run(Thread.java:1447)

DavidTurner · August 20, 2025, 11:35am

Still truncated - we need to see the full details from the log file.

Shubham.Kumar · August 20, 2025, 1:36pm

Apologies for the confusion earlier. Please find the complete logs below:

[2025-08-20T13:30:24,865][WARN ][o.e.e.r.p.P.r.o.e.r.root ] [node-1] Not entitled: component [rest-root], module [org.elasticsearch.rest.root], class [class org.elasticsearch.rest.root.MainResponse], entitlement [file], operation [read], path [/home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version]
org.elasticsearch.entitlement.runtime.api.NotEntitledException: component [rest-root], module [org.elasticsearch.rest.root], class [class org.elasticsearch.rest.root.MainResponse], entitlement [file], operation [read], path [/home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version]
	at org.elasticsearch.entitlement.runtime.policy.PolicyManager.notEntitled(PolicyManager.java:690) ~[elasticsearch-entitlement-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:511) ~[elasticsearch-entitlement-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:475) ~[elasticsearch-entitlement-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:454) ~[elasticsearch-entitlement-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.check$java_io_FileReader$(ElasticsearchEntitlementChecker.java:1602) ~[elasticsearch-entitlement-8.18.1-SNAPSHOT.jar:?]
	at java.io.FileReader.<init>(FileReader.java) ~[?:?]
	at org.elasticsearch.rest.root.MainResponse.toXContent(MainResponse.java:77) ~[?:?]
	at org.elasticsearch.rest.root.RestMainAction.convertMainResponse(RestMainAction.java:60) ~[?:?]
	at org.elasticsearch.rest.root.RestMainAction$1.buildResponse(RestMainAction.java:49) ~[?:?]
	at org.elasticsearch.rest.root.RestMainAction$1.buildResponse(RestMainAction.java:46) ~[?:?]
	at org.elasticsearch.rest.action.RestBuilderListener.buildResponse(RestBuilderListener.java:28) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.rest.action.RestResponseListener.processResponse(RestResponseListener.java:27) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.rest.action.RestActionListener.onResponse(RestActionListener.java:37) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:203) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:197) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.action.ActionListenerImplementations$RunBeforeActionListener.onResponse(ActionListenerImplementations.java:336) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.rest.root.TransportMainAction.doExecute(TransportMainAction.java:47) ~[?:?]
	at org.elasticsearch.rest.root.TransportMainAction.doExecute(TransportMainAction.java:27) ~[?:?]
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:135) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.action.support.ActionFilter$Simple.apply(ActionFilter.java:54) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:132) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.action.support.MappedActionFilters$MappedFilterChain.proceed(MappedActionFilters.java:71) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.action.support.MappedActionFilters.apply(MappedActionFilters.java:49) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:132) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.action.support.TransportAction.handleExecution(TransportAction.java:96) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:59) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.tasks.TaskManager.registerAndExecute(TaskManager.java:197) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.client.internal.node.NodeClient.executeLocally(NodeClient.java:107) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.client.internal.node.NodeClient.doExecute(NodeClient.java:85) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.client.internal.support.AbstractClient.execute(AbstractClient.java:143) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.rest.root.RestMainAction.lambda$prepareRequest$0(RestMainAction.java:46) ~[?:?]
	at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:150) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.rest.RestController$1.onResponse(RestController.java:519) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.rest.RestController$1.onResponse(RestController.java:513) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.xpack.security.rest.SecurityRestFilter.intercept(SecurityRestFilter.java:69) ~[?:?]
	at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:513) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:677) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:349) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:488) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:584) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:461) ~[elasticsearch-8.18.1-SNAPSHOT.jar:?]
	at org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.handlePipelinedRequest(Netty4HttpPipeliningHandler.java:170) ~[?:?]
	at org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:149) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at org.elasticsearch.http.netty4.Netty4LeakDetectionHandler.channelRead(Netty4LeakDetectionHandler.java:38) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107) ~[?:?]
	at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:120) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107) ~[?:?]
	at org.elasticsearch.http.netty4.Netty4HttpAggregator.channelRead(Netty4HttpAggregator.java:50) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) ~[?:?]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[?:?]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
	at java.lang.Thread.run(Thread.java:1447) ~[?:?]
[2025-08-20T13:30:24,873][WARN ][stderr                   ] [node-1] org.elasticsearch.entitlement.runtime.api.NotEntitledException: component [rest-root], module [org.elasticsearch.rest.root], class [class org.elasticsearch.rest.root.MainResponse], entitlement [file], operation [read], path [/home/shubham/work/shubham/elasticsearch/elasticsearch8181/etc/version]
[2025-08-20T13:30:24,873][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.notEntitled(PolicyManager.java:690)
[2025-08-20T13:30:24,873][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:511)
[2025-08-20T13:30:24,873][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:475)
[2025-08-20T13:30:24,874][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.policy.PolicyManager.checkFileRead(PolicyManager.java:454)
[2025-08-20T13:30:24,874][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.entitlement@8.18.1-SNAPSHOT/org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker.check$java_io_FileReader$(ElasticsearchEntitlementChecker.java:1602)
[2025-08-20T13:30:24,874][WARN ][stderr                   ] [node-1] 	at java.base/java.io.FileReader.<init>(FileReader.java)
[2025-08-20T13:30:24,874][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.MainResponse.toXContent(MainResponse.java:77)
[2025-08-20T13:30:24,875][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.RestMainAction.convertMainResponse(RestMainAction.java:60)
[2025-08-20T13:30:24,875][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.RestMainAction$1.buildResponse(RestMainAction.java:49)
[2025-08-20T13:30:24,875][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.RestMainAction$1.buildResponse(RestMainAction.java:46)
[2025-08-20T13:30:24,876][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.action.RestBuilderListener.buildResponse(RestBuilderListener.java:28)
[2025-08-20T13:30:24,877][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.action.RestResponseListener.processResponse(RestResponseListener.java:27)
[2025-08-20T13:30:24,877][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.action.RestActionListener.onResponse(RestActionListener.java:37)
[2025-08-20T13:30:24,877][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:203)
[2025-08-20T13:30:24,877][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:197)
[2025-08-20T13:30:24,878][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.ActionListenerImplementations$RunBeforeActionListener.onResponse(ActionListenerImplementations.java:336)
[2025-08-20T13:30:24,878][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.TransportMainAction.doExecute(TransportMainAction.java:47)
[2025-08-20T13:30:24,878][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.TransportMainAction.doExecute(TransportMainAction.java:27)
[2025-08-20T13:30:24,878][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:135)
[2025-08-20T13:30:24,879][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.ActionFilter$Simple.apply(ActionFilter.java:54)
[2025-08-20T13:30:24,879][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:132)
[2025-08-20T13:30:24,879][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.MappedActionFilters$MappedFilterChain.proceed(MappedActionFilters.java:71)
[2025-08-20T13:30:24,879][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.MappedActionFilters.apply(MappedActionFilters.java:49)
[2025-08-20T13:30:24,880][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:132)
[2025-08-20T13:30:24,880][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction.handleExecution(TransportAction.java:96)
[2025-08-20T13:30:24,880][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:59)
[2025-08-20T13:30:24,880][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.tasks.TaskManager.registerAndExecute(TaskManager.java:197)
[2025-08-20T13:30:24,880][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.client.internal.node.NodeClient.executeLocally(NodeClient.java:107)
[2025-08-20T13:30:24,881][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.client.internal.node.NodeClient.doExecute(NodeClient.java:85)
[2025-08-20T13:30:24,881][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.client.internal.support.AbstractClient.execute(AbstractClient.java:143)
[2025-08-20T13:30:24,881][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.rest.root@8.18.1-SNAPSHOT/org.elasticsearch.rest.root.RestMainAction.lambda$prepareRequest$0(RestMainAction.java:46)
[2025-08-20T13:30:24,881][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:150)
[2025-08-20T13:30:24,882][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController$1.onResponse(RestController.java:519)
[2025-08-20T13:30:24,882][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController$1.onResponse(RestController.java:513)
[2025-08-20T13:30:24,882][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.security@8.18.1-SNAPSHOT/org.elasticsearch.xpack.security.rest.SecurityRestFilter.intercept(SecurityRestFilter.java:69)
[2025-08-20T13:30:24,882][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:513)
[2025-08-20T13:30:24,882][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:677)
[2025-08-20T13:30:24,883][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:349)
[2025-08-20T13:30:24,883][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:488)
[2025-08-20T13:30:24,883][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:584)
[2025-08-20T13:30:24,883][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.server@8.18.1-SNAPSHOT/org.elasticsearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:461)
[2025-08-20T13:30:24,884][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.transport.netty4@8.18.1-SNAPSHOT/org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.handlePipelinedRequest(Netty4HttpPipeliningHandler.java:170)
[2025-08-20T13:30:24,884][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.transport.netty4@8.18.1-SNAPSHOT/org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:149)
[2025-08-20T13:30:24,884][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
[2025-08-20T13:30:24,884][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T13:30:24,885][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T13:30:24,885][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.transport.netty4@8.18.1-SNAPSHOT/org.elasticsearch.http.netty4.Netty4LeakDetectionHandler.channelRead(Netty4LeakDetectionHandler.java:38)
[2025-08-20T13:30:24,885][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T13:30:24,885][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T13:30:24,885][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T13:30:24,886][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
[2025-08-20T13:30:24,886][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:120)
[2025-08-20T13:30:24,886][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
[2025-08-20T13:30:24,886][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T13:30:24,886][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T13:30:24,887][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
[2025-08-20T13:30:24,887][WARN ][stderr                   ] [node-1] 	at org.elasticsearch.transport.netty4@8.18.1-SNAPSHOT/org.elasticsearch.http.netty4.Netty4HttpAggregator.channelRead(Netty4HttpAggregator.java:50)
[2025-08-20T13:30:24,887][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T13:30:24,887][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T13:30:24,888][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T13:30:24,888][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
[2025-08-20T13:30:24,888][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T13:30:24,888][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T13:30:24,888][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T13:30:24,889][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
[2025-08-20T13:30:24,889][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
[2025-08-20T13:30:24,889][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T13:30:24,889][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T13:30:24,889][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T13:30:24,890][WARN ][stderr                   ] [node-1] 	at io.netty.codec@4.1.118.Final/io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
[2025-08-20T13:30:24,890][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[2025-08-20T13:30:24,890][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T13:30:24,890][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[2025-08-20T13:30:24,890][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
[2025-08-20T13:30:24,891][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
[2025-08-20T13:30:24,891][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[2025-08-20T13:30:24,891][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
[2025-08-20T13:30:24,891][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
[2025-08-20T13:30:24,891][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796)
[2025-08-20T13:30:24,892][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697)
[2025-08-20T13:30:24,892][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660)
[2025-08-20T13:30:24,892][WARN ][stderr                   ] [node-1] 	at io.netty.transport@4.1.118.Final/io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
[2025-08-20T13:30:24,892][WARN ][stderr                   ] [node-1] 	at io.netty.common@4.1.118.Final/io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
[2025-08-20T13:30:24,892][WARN ][stderr                   ] [node-1] 	at io.netty.common@4.1.118.Final/io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
[2025-08-20T13:30:24,893][WARN ][stderr                   ] [node-1] 	at java.base/java.lang.Thread.run(Thread.java:1447)

DavidTurner · August 20, 2025, 2:11pm

This doesn’t make any sense, MainResponse.java:77 doesn’t open a FileReader, it renders the luceneVersion field.

github.com/elastic/elasticsearch

modules/rest-root/src/main/java/org/elasticsearch/rest/root/MainResponse.java

v8.18.1


      
              builder.field("name", nodeName);
              builder.field("cluster_name", clusterName.value());
              builder.field("cluster_uuid", clusterUuid);
              builder.startObject("version")
                  .field("number", build.qualifiedVersion())
                  .field("build_flavor", build.flavor())
                  .field("build_type", build.type().displayName())
                  .field("build_hash", build.hash())
                  .field("build_date", build.date())
                  .field("build_snapshot", build.isSnapshot())
                  .field("lucene_version", luceneVersion)
                  .field("minimum_wire_compatibility_version", build.minWireCompatVersion())
                  .field("minimum_index_compatibility_version", build.minIndexCompatVersion())
                  .endObject();
              builder.field("tagline", "You Know, for Search");
              builder.endObject();
              return builder;
          }
          
          @Override
          public boolean equals(Object o) {

Shubham.Kumar · August 20, 2025, 2:23pm

Sorry I forgot to mention that I have customized it according to my usage. Here I am sharing my MainResponse.java file:

/*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the "Elastic License
 * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
 * Public License v 1"; you may not use this file except in compliance with, at
 * your election, the "Elastic License 2.0", the "GNU Affero General Public
 * License v3.0 only", or the "Server Side Public License, v 1".
 */

package org.elasticsearch.rest.root;

import org.elasticsearch.Build;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.support.TransportAction;
import org.elasticsearch.cluster.ClusterName;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.xcontent.ToXContentObject;
import org.elasticsearch.xcontent.XContentBuilder;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.Objects;

public class MainResponse extends ActionResponse implements ToXContentObject {

    private final String nodeName;
    private final String luceneVersion;
    private final ClusterName clusterName;
    private final String clusterUuid;
    private final Build build;

    private static String nfdbVersion = "";
    private static String nfdbBuild = "";

    public MainResponse(String nodeName, String luceneVersion, ClusterName clusterName, String clusterUuid, Build build) {
        this.nodeName = nodeName;
        this.luceneVersion = luceneVersion;
        this.clusterName = clusterName;
        this.clusterUuid = clusterUuid;
        this.build = build;
    }

    public String getNodeName() {
        return nodeName;
    }

    public String getLuceneVersion() {
        return luceneVersion;
    }

    public ClusterName getClusterName() {
        return clusterName;
    }

    public String getClusterUuid() {
        return clusterUuid;
    }

    public Build getBuild() {
        return build;
    }

    @Override
    public void writeTo(StreamOutput out) throws IOException {
        TransportAction.localOnly();
    }

    @Override
    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
        // To get nfdb build and version
        String nfdbHome = System.getProperty("es.path.home");
        String VPath = nfdbHome + File.separator + "etc/version";
        try {
            File VFile = new File(VPath);
            BufferedReader br = new BufferedReader(new FileReader(VFile));
            String read = "";
            while ((read = br.readLine()) != null) {
                String arr[] = read.split(" ");
                if (arr[0].equals("VERSION")) {
                    nfdbVersion = arr[1];
                }
                if (arr[0].equals("BUILD")) {
                    nfdbBuild = arr[1];
                }
            }
            br.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
        // end
        builder.startObject();
        builder.field("name", nodeName);
        builder.field("cluster_name", clusterName.value());
        builder.field("cluster_uuid", clusterUuid);
        builder.startObject("version")
            .field("number", build.qualifiedVersion())
            .field("build_flavor", build.flavor())
            .field("build_type", build.type().displayName())
            .field("build_hash", build.hash())
            .field("build_date", build.date())
            .field("build_snapshot", build.isSnapshot())
            .field("lucene_version", luceneVersion)
            .field("minimum_wire_compatibility_version", build.minWireCompatVersion())
            .field("minimum_index_compatibility_version", build.minIndexCompatVersion())
            .field("nfdb_version", nfdbVersion)
            .field("nfdb_build", nfdbBuild)
            .endObject();
        builder.field("tagline", "You Know, for Search");
        builder.endObject();
        return builder;
    }

    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }
        if (o == null || getClass() != o.getClass()) {
            return false;
        }
        MainResponse other = (MainResponse) o;
        return Objects.equals(nodeName, other.nodeName)
            && Objects.equals(luceneVersion, other.luceneVersion)
            && Objects.equals(clusterUuid, other.clusterUuid)
            && Objects.equals(build, other.build)
            && Objects.equals(clusterName, other.clusterName);
    }

    @Override
    public int hashCode() {
        return Objects.hash(nodeName, luceneVersion, clusterUuid, build, clusterName);
    }

    @Override
    public String toString() {
        return "MainResponse{"
            + "nodeName='"
            + nodeName
            + '\''
            + ", luceneVersion="
            + luceneVersion
            + ", clusterName="
            + clusterName
            + ", clusterUuid='"
            + clusterUuid
            + '\''
            + ", build="
            + build
            + '}';
    }
}

DavidTurner · August 20, 2025, 2:35pm

Bit of a big thing to omit!

It isn’t acceptable to read anything from ${es.path.home}/etc/version anywhere, nor is it acceptable to perform IO in a toXContent method implementation. For security reasons Elasticsearch will only read data from specifically configured paths such as the config path.

It’s also not appropriate to modify the output of an API such as GET / yourself. Instead, create a plugin that defines its own APIs for retrieving such information.

Shubham.Kumar · August 20, 2025, 2:55pm

Are these restrictions specific only to the toXContent method, or do they apply more broadly across other parts of Elasticsearch's core (e.g., serialization, deserialization, API response generation)? I want to make sure I'm adhering to best practices when accessing external resources or customizing output.

As in server module I used IO operations to read some external configuration files and I used createPolicyManager method of EntitlementInitialization.java class for it.
Here I am attaching my createPolicyManager method :

private static PolicyManager createPolicyManager() {
        EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs();
        Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
        PathLookup pathLookup = bootstrapArgs.pathLookup();

        List<Scope> serverScopes = new ArrayList<>();
        List<FileData> serverModuleFileDatas = new ArrayList<>();
        Collections.addAll(
            serverModuleFileDatas,
            // Base ES directories
            FileData.ofBaseDirPath(PLUGINS, READ),
            FileData.ofBaseDirPath(MODULES, READ),
            FileData.ofBaseDirPath(CONFIG, READ),
            FileData.ofBaseDirPath(LOGS, READ_WRITE),
            FileData.ofBaseDirPath(LIB, READ),
            FileData.ofBaseDirPath(DATA, READ_WRITE),
            FileData.ofBaseDirPath(SHARED_REPO, READ_WRITE),
            // exclusive settings file
            FileData.ofRelativePath(Path.of("operator/settings.json"), CONFIG, READ_WRITE).withExclusive(true),

            // OS release on Linux
            FileData.ofPath(Path.of("/etc/os-release"), READ).withPlatform(LINUX),
            FileData.ofPath(Path.of("/etc/system-release"), READ).withPlatform(LINUX),
            FileData.ofPath(Path.of("/usr/lib/os-release"), READ).withPlatform(LINUX),
            // read max virtual memory areas
            FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ).withPlatform(LINUX),
            FileData.ofPath(Path.of("/proc/meminfo"), READ).withPlatform(LINUX),
            // load averages on Linux
            FileData.ofPath(Path.of("/proc/loadavg"), READ).withPlatform(LINUX),
            // control group stats on Linux. cgroup v2 stats are in an unpredicable
            // location under `/sys/fs/cgroup`, so unfortunately we have to allow
            // read access to the entire directory hierarchy.
            FileData.ofPath(Path.of("/proc/self/cgroup"), READ).withPlatform(LINUX),
            FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ).withPlatform(LINUX),
            // // io stats on Linux
            FileData.ofPath(Path.of("/proc/self/mountinfo"), READ).withPlatform(LINUX),
            FileData.ofPath(Path.of("/proc/diskstats"), READ).withPlatform(LINUX)
        );
        if (pathLookup.pidFile() != null) {
            serverModuleFileDatas.add(FileData.ofPath(pathLookup.pidFile(), READ_WRITE));
        }
        // Add custom entitlements for cav.util.SSLUtil in org.elasticsearch.server
        serverModuleFileDatas.add(FileData.ofRelativePath(Path.of("config/cert"), CONFIG, READ_WRITE));
        String nsWdir = System.getProperty("ns.wdir");
        if (nsWdir == null) {
            throw new IllegalStateException("System property 'ns.wdir' must be set");
        }
        Path nosqlConfigPath = Path.of(nsWdir, "webapps/sys/nosqlConfiguration.properties");
        serverModuleFileDatas.add(FileData.ofPath(nosqlConfigPath, READ_WRITE));

         // Add custom entitlements /etc/version
        String esHome = System.getProperty("es.path.home");
        Path versionFilePath = Path.of(esHome,"etc/version");
        serverModuleFileDatas.add(FileData.ofPath(versionFilePath, READ));

        serverScopes.add(new Scope("rest-root", List.of(new FilesEntitlement(List.of(FileData.ofPath(versionFilePath, READ))))));
        serverScopes.add(
            new Scope(
                "ConfigDB",
                    List.of(
                        new FilesEntitlement(
                            List.of(FileData.ofPath(nosqlConfigPath, READ_WRITE))
                        )
                    )
            )
        );

        serverScopes.add(
            new Scope(
                "mongo.java.driver",
                List.of(
                    new ManageThreadsEntitlement(),
                    new OutboundNetworkEntitlement()
                )
            )
        );



        Collections.addAll(
            serverScopes,
            new Scope(
                "org.elasticsearch.base",
                List.of(
                    new CreateClassLoaderEntitlement(),
                    new FilesEntitlement(
                        List.of(
                            // TODO: what in es.base is accessing shared repo?
                            FileData.ofBaseDirPath(SHARED_REPO, READ_WRITE),
                            FileData.ofBaseDirPath(DATA, READ_WRITE)
                        )
                    )
                )
            ),
            new Scope("org.elasticsearch.xcontent", List.of(new CreateClassLoaderEntitlement())),
            new Scope(
                "org.elasticsearch.server",
                List.of(
                    new ExitVMEntitlement(),
                    new ReadStoreAttributesEntitlement(),
                    new CreateClassLoaderEntitlement(),
                    new InboundNetworkEntitlement(),
                    new LoadNativeLibrariesEntitlement(),
                    new ManageThreadsEntitlement(),
                    new FilesEntitlement(serverModuleFileDatas)
                )
            ),
            new Scope("java.desktop", List.of(new LoadNativeLibrariesEntitlement())),
            new Scope("org.apache.httpcomponents.httpclient", List.of(new OutboundNetworkEntitlement())),
            new Scope(
                "org.apache.lucene.core",
                List.of(
                    new LoadNativeLibrariesEntitlement(),
                    new ManageThreadsEntitlement(),
                    new FilesEntitlement(List.of(FileData.ofBaseDirPath(CONFIG, READ), FileData.ofBaseDirPath(DATA, READ_WRITE)))
                )
            ),
            new Scope("org.apache.lucene.misc", List.of(new FilesEntitlement(List.of(FileData.ofBaseDirPath(DATA, READ_WRITE))))),
            new Scope(
                "org.apache.logging.log4j.core",
                List.of(new ManageThreadsEntitlement(), new FilesEntitlement(List.of(FileData.ofBaseDirPath(LOGS, READ_WRITE))))
            ),
            new Scope(
                "org.elasticsearch.nativeaccess",
                List.of(new LoadNativeLibrariesEntitlement(), new FilesEntitlement(List.of(FileData.ofBaseDirPath(DATA, READ_WRITE))))
            )
        );

        // conditionally add FIPS entitlements if FIPS only functionality is enforced
        if (Booleans.parseBoolean(System.getProperty("org.bouncycastle.fips.approved_only"), false)) {
            // if custom trust store is set, grant read access to its location, otherwise use the default JDK trust store
            String trustStore = System.getProperty("javax.net.ssl.trustStore");
            Path trustStorePath = trustStore != null
                ? Path.of(trustStore)
                : Path.of(System.getProperty("java.home")).resolve("lib/security/jssecacerts");

            Collections.addAll(
                serverScopes,
                new Scope(
                    "org.bouncycastle.fips.tls",
                    List.of(
                        new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ))),
                        new ManageThreadsEntitlement(),
                        new OutboundNetworkEntitlement()
                    )
                ),
                new Scope(
                    "org.bouncycastle.fips.core",
                    // read to lib dir is required for checksum validation
                    List.of(new FilesEntitlement(List.of(FileData.ofBaseDirPath(LIB, READ))), new ManageThreadsEntitlement())
                )
            );
        }

        var serverPolicy = new Policy(
            "server",
            bootstrapArgs.serverPolicyPatch() == null
                ? serverScopes
                : PolicyUtils.mergeScopes(serverScopes, bootstrapArgs.serverPolicyPatch().scopes())
        );

        // agents run without a module, so this is a special hack for the apm agent
        // this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
        // See also modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
        List<Entitlement> agentEntitlements = List.of(
            new CreateClassLoaderEntitlement(),
            new ManageThreadsEntitlement(),
            new SetHttpsConnectionPropertiesEntitlement(),
            new OutboundNetworkEntitlement(),
            new WriteSystemPropertiesEntitlement(Set.of("AsyncProfiler.safemode")),
            new LoadNativeLibrariesEntitlement(),
            new FilesEntitlement(
                List.of(
                    FileData.ofBaseDirPath(LOGS, READ_WRITE),
                    FileData.ofPath(Path.of("/proc/meminfo"), READ),
                    FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ)
                )
            )
        );

        validateFilesEntitlements(pluginPolicies, pathLookup);

        return new PolicyManager(
            serverPolicy,
            agentEntitlements,
            pluginPolicies,
            EntitlementBootstrap.bootstrapArgs().scopeResolver(),
            EntitlementBootstrap.bootstrapArgs().sourcePaths(),
            ENTITLEMENTS_MODULE,
            pathLookup,
            bootstrapArgs.suppressFailureLogClasses()
        );
    }

DavidTurner · August 20, 2025, 3:10pm

Best practice is definitely not to customize the output by modifying the Elasticsearch source in any way.

I don’t have any better suggestions for what you’re trying to do, sorry. To answer your original questions:

No this isn’t a known issue with 8.18.x, it’s due to your changes.
I don’t have a good answer for how to achieve what you want because what you want is fundamentally not something we recommend or support.
Probably you can work around this, I mean you’re changing the source code so in principle you can make the system do anything.

Shubham.Kumar · August 20, 2025, 5:20pm

Thanks for the clarification — I appreciate the candid feedback.

I understand now that modifying the core source or customizing built-in API outputs isn’t aligned with best practices, and that what I’m trying to achieve falls outside the scope of what’s officially supported. I’ll explore the plugin route more seriously, even if it means rethinking how I expose the data I need.

Out of curiosity, are there any examples or references for plugins that expose custom metadata or versioning info via their own endpoints? I’d love to see how others have approached similar needs without touching the core.

Thanks again for your time and guidance.

DavidTurner · August 21, 2025, 8:37am

In the source tree there’s an example plugin in plugins/examples/rest-handler that shows how to add a new API endpoint.

Shubham.Kumar · August 21, 2025, 8:50am

Ah yes, I’ve seen that one before—thanks though, always good to double-check!

RainTown · August 21, 2025, 10:09am

It’s not clear to me what precisely you are trying to achieve with your changes. From high level perspective, what’s the actual problem you are trying to solve?

This cuts both ways. There’s a chance someone else has had same or similar thought/requirement, maybe already has a variant of a solution? On flip side, there might be a reason the product doesn’t already provide such a solution.

Topic		Replies	Views
ES security entitlements v8.18 onwards Elasticsearch	0	68	July 24, 2025
Self-hosted ES startup fails after upgrading 8.18.0 -> 8.18.2 due to changes in entitlements Elasticsearch	3	136	June 25, 2025
Not entitled: component [repository-s3] after update from 8.17.4 to 8.18.0 Elasticsearch	11	629	April 17, 2025
Elasticsearch WARN message after upgrade 8.19.2 to 8.19.3 Elasticsearch	1	29	August 30, 2025
Can I upgrade my existing ELK setup to 8.x? Elasticsearch	29	755	April 6, 2024

❗️ Issue: NotEntitledException after upgrading to Elasticsearch 8.18.1

Related topics