enabling scripting for installed scripts only

enabling scripting for installed scripts only

greg j
Hi,

We'd like to enable custom scoring using a script that we'll install under config/scripts, so that we can invoke it as part of a function_score query, like

"query": {
  "function_score": {
    "query" : { ... },
    "functions": [ {
      "script_score": {
        "script": "my-script" // installed in config/scripts/my-script.mvel
      }
    }]
  }
}



In order to do this, it looks like we have to set 

script.disable_dynamic: false

in elasticsearch.yml.

But that also allows arbitrary script code to be submitted as the body of the script field, which we want to disallow.

Is it possible to configure scripting to work only with named scripts that are installed?  It seems like the one config option I found is too coarse for this.

Thanks!

-gregj


Re: enabling scripting for installed scripts only

Alexander Reelsen-2
Hey,

I just tested with 1.2.1, and even if dynamic scripting is disabled, you can still execute locally stored scripts. See the example in http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#modules-scripting


--Alex


On Fri, Jun 27, 2014 at 8:44 PM, greg j <[hidden email]> wrote:
Hi,

We'd like to enable custom scoring using a script that we'll install under config/scripts, so that we can invoke it as part of a function_score query, like

"query": {
  "function_score": {
    "query" : { ... },
    "functions": [ {
      "script_score": {
        "script": "my-script" // installed in config/scripts/my-script.mvel
      }
    }]
  }
}



In order to do this, it looks like we have to set 

script.disable_dynamic: false

in elasticsearch.yml.

But that also allows arbitrary script code to be submitted as the body of the script field, which we want to disallow.

Is it possible to configure scripting to work only with named scripts that are installed?  It seems like the one config option I found is too coarse for this.

Thanks!

-gregj
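
Added example (not part of the thread and not Elasticsearch's own code): a pre-flight check an application tier could run, following the reply above that file-based scripts still execute when dynamic scripting is disabled. It reads the flat `script.disable_dynamic` key from elasticsearch.yml text and flags any `script` value in a query body that is not the name of a file under config/scripts; the function names, the `INSTALLED` set and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample: names of the files under config/scripts, extension
# stripped, because the query refers to the script as "my-script".
INSTALLED = {"my-script"}


def dynamic_scripting_allowed(yml_text):
    """True if the config text sets script.disable_dynamic to false (flat key form only)."""
    for line in yml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        m = re.fullmatch(r"script\.disable_dynamic\s*:\s*(\S+)", line)
        if m:
            return m.group(1).strip("'\"").lower() == "false"
    # Assumption: the key is absent and the node is 1.2.x, where dynamic
    # scripting is disabled unless the config says otherwise.
    return False


def inline_scripts(node, installed=INSTALLED, path="$"):
    """Return the path of every "script" string that is not an installed script name."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "script" and isinstance(value, str):
                if value not in installed:
                    found.append(here)  # would be treated as script source
            else:
                found.extend(inline_scripts(value, installed, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(inline_scripts(item, installed, f"{path}[{i}]"))
    return found


def build_query(script):
    """The function_score query from the thread, with a concrete inner query."""
    return {"query": {"function_score": {
        "query": {"match_all": {}},
        "functions": [{"script_score": {"script": script}}]}}}


NAMED_QUERY = build_query("my-script")                      # installed script
INLINE_QUERY = build_query("_score * doc['boost'].value")   # constructed inline body

if __name__ == "__main__":
    print(dynamic_scripting_allowed("script.disable_dynamic: false"))
    print(inline_scripts(NAMED_QUERY), inline_scripts(INLINE_QUERY))
```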


Re: enabling scripting for installed scripts only

greg j
You're right.  Was sure I tried that, but obviously had done something wrong along the way.

Thanks!

On Monday, June 30, 2014 1:11:59 AM UTC-7, Alexander Reelsen wrote:
Hey,

I just tested with 1.2.1, and even if dynamic scripting is disabled, you can still execute locally stored scripts. See the example in http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#modules-scripting


--Alex

