This is kind of a longshot, but does anyone know a means of disabling dynamic scripting in the Elasticsearch grails plugin? The plugin doesn't have all the features/toggles of normal ES. I'm just curious if anyone has encountered this before. I realize ES grails plugin != ES.
Thank you in advance.
Hi
just had a quick peek at the source... so no guarantees 
If you use the transport client, then there is no need to configure scripting, as you are on the server side. See https://github.com/noamt/elasticsearch-grails-plugin/blob/master/src/main/groovy/grails/plugins/elasticsearch/ClientNodeFactoryBean.groovy#L68-L92
If you use the local mode, you could supply your own config file, but I htink for a web app, the TransportClient makes the most sense.
--Alex
Hi Alexander,
Thanks so much for your response. I should have specified, the reason I'm asking is because the version of ES that's embedded in the plugin is old and has a scripting vulnerability. Disabling dynamic scripting is a way of remediating that vulnerability.
In the meantime, I had a look at the source as well; I was examining it to see if it actually supported any of the parameters I was interested in, specifically:
Thanks again for your response!!!
Mike
Hey,
the plugin still seems to use 1.x, where you should use 2.x... So IMO either update the plugin (and then use a TransportClient and you dont have to worry about this) or run your own.
In 5.0 we will hopefully have a HTTP based client, so you are independent from the Elasticsearch version being used on the server side.
--Alex
Hi Alex,
Thank you! Yup, I think that's my only option at this point. Thanks again for your help!
Mike
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.