[[modules-scripting-security]]
== Scripting and security
Painless and {es} implement layers of security to build a defense in depth
strategy for running scripts safely.

Painless uses a fine-grained allowlist. Anything that is not part of the
allowlist results in a compilation error. This capability is the first layer of
security in a defense in depth strategy for scripting.

The second layer of security is the https://www.oracle.com/java/technologies/javase/seccodeguide.html[Java Security Manager]. As part of its startup
sequence, {es} enables the Java Security Manager to limit the actions that
portions of the code can take. <<modules-scripting-painless,Painless>> uses
the Java Security Manager as an additional layer of defense to prevent scripts
from doing things like writing files and listening to sockets.

{es} uses
{wikipedia}/Seccomp[seccomp] in Linux,
https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design[Seatbelt]
in macOS, and
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684147[ActiveProcessLimit]
on Windows as additional security layers to prevent {es} from forking or
running other processes.

You can modify the following script settings to restrict the type of scripts
that are allowed to run, and control the available
{painless}/painless-contexts.html[contexts] that scripts can run in. To
implement additional layers in your defense in depth strategy, follow the
<<es-security-principles,{es} security principles>>.

[[allowed-script-types-setting]]
[discrete]
=== Allowed script types setting

{es} supports two script types: `inline` and `stored`. By default, {es} is
configured to run both types of scripts. To limit what type of scripts are run,
set `script.allowed_types` to `inline` or `stored`. To prevent any scripts from
running, set `script.allowed_types` to `none`.

IMPORTANT: If you use {kib}, set `script.allowed_types` to `both` or `inline`.
Some {kib} features rely on inline scripts and do not function as expected
if {es} does not allow inline scripts.

For example, to run `inline` scripts but not `stored` scripts:

[source,yaml]
----
script.allowed_types: inline
----

[[allowed-script-contexts-setting]]
[discrete]
=== Allowed script contexts setting

By default, all script contexts are permitted. Use the `script.allowed_contexts`
setting to specify the contexts that are allowed. To specify that no contexts
are allowed, set `script.allowed_contexts` to `none`.

For example, to allow scripts to run only in `scoring` and `update` contexts:

[source,yaml]
----
script.allowed_contexts: score, update
----
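The following added example (not part of the {es} documentation or code base) audits the two settings described above in the text of an `elasticsearch.yml` file and reports where the permissive defaults still apply. It assumes the flat `key: value` form used on this page; the function names, finding strings and sample configurations are constructed for illustration.

```python
# Added example, not Elasticsearch code. Assumes flat "key: value" lines
# in elasticsearch.yml, the form this page uses.
NAMED_TYPES = {"both", "inline", "stored", "none"}  # values named on this page

def parse_flat_settings(text):
    """Return {key: value} for flat 'key: value' lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit_script_settings(text, uses_kibana=False):
    """Return findings for script.allowed_types and script.allowed_contexts."""
    settings = parse_flat_settings(text)
    findings = []
    types = settings.get("script.allowed_types")
    if types is None or types == "both":
        findings.append("allowed_types: inline and stored scripts both run")
    elif types not in NAMED_TYPES:
        findings.append(f"allowed_types: {types!r} is not a value this page names")
    if uses_kibana and types in ("stored", "none"):
        findings.append("allowed_types: Kibana features need inline scripts")
    contexts = settings.get("script.allowed_contexts")
    if contexts is None:
        findings.append("allowed_contexts: unset, so all contexts are permitted")
    else:
        names = [c.strip() for c in contexts.split(",") if c.strip()]
        if not names:
            findings.append("allowed_contexts: empty value")
        elif "none" in names and len(names) > 1:
            findings.append("allowed_contexts: 'none' mixed with other contexts")
    return findings

# Constructed sample configurations (not taken from a real cluster).
DEFAULTS = "# no script settings\ncluster.name: demo\n"
RESTRICTED = "script.allowed_types: inline\nscript.allowed_contexts: score, update\n"
KIBANA_BROKEN = "script.allowed_types: stored\nscript.allowed_contexts: none\n"

if __name__ == "__main__":
    for name, cfg in [("defaults", DEFAULTS), ("restricted", RESTRICTED),
                      ("kibana_broken", KIBANA_BROKEN)]:
        print(name, audit_script_settings(cfg, uses_kibana=True))
```

An empty result means both settings are set explicitly and restrictively; run it with `uses_kibana=True` for clusters that serve {kib}.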