This is kind of a longshot, but does anyone know a means of disabling dynamic scripting in the Elasticsearch grails plugin? The plugin doesn't have all the features/toggles of normal ES. I'm just curious if anyone has encountered this before. I realize ES grails plugin != ES.
Thank you in advance.
Just had a quick peek at the source... so no guarantees.
If you use the transport client, then there is no need to configure scripting, as you are on the server side. See https://github.com/noamt/elasticsearch-grails-plugin/blob/master/src/main/groovy/grails/plugins/elasticsearch/ClientNodeFactoryBean.groovy#L68-L92
If you use the local mode, you could supply your own config file, but I think for a web app, the TransportClient makes the most sense.
Thanks so much for your response. I should have specified, the reason I'm asking is because the version of ES that's embedded in the plugin is old and has a scripting vulnerability. Disabling dynamic scripting is a way of remediating that vulnerability.
In the meantime, I had a look at the source as well; I was examining it to see if it actually supported any of the parameters I was interested in, specifically:
I couldn't find instances of either of those in the code (although I found other things, like disableDynamicMethodsInjection). So, my thought is no, those features were not implemented in the grails plugin.
Thanks again for your response!!!
The plugin still seems to use 1.x, where you should use 2.x... So IMO either update the plugin (and then use a TransportClient and you don't have to worry about this) or run your own.
In 5.0 we will hopefully have an HTTP based client, so you are independent from the Elasticsearch version being used on the server side.
Thank you! Yup, I think that's my only option at this point. Thanks again for your help!