This is kind of a longshot, but does anyone know a means of disabling dynamic scripting in the Elasticsearch grails plugin? The plugin doesn't have all the features/toggles of normal ES. I'm just curious if anyone has encountered this before. I realize ES grails plugin != ES.
Thanks so much for your response. I should have specified, the reason I'm asking is because the version of ES that's embedded in the plugin is old and has a scripting vulnerability. Disabling dynamic scripting is a way of remediating that vulnerability.
In the meantime, I had a look at the source as well; I was examining it to see if it actually supported any of the parameters I was interested in, specifically:
elasticsearch.script.disable_dynamic
elasticsearch.script.groovy.sandbox.enabled
I couldn't find instances of either of those in the code (although I found other things, like disableDynamicMethodsInjection). So, my thought is no, those features were not implemented in the grails plugin.
the plugin still seems to use 1.x, where you should use 2.x... So IMO either update the plugin (and then use a TransportClient and you dont have to worry about this) or run your own.
In 5.0 we will hopefully have a HTTP based client, so you are independent from the Elasticsearch version being used on the server side.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.