Enabling scripting for installed scripts only

greg_j · June 27, 2014, 6:44pm

Hi,

We'd like to enable custom scoring using a script that we'll install under
config/scripts, so that we can invoke it as part of a function_score query,
like

"query": {
"function_score": {
"query" : { ... },
"functions": [ {
"script_score": {
"script": "my-script" // installed in config/scripts/my-script.mvel
}
}]
}
}

In order to do this, it looks like we have to set

script.disable_dynamic: false

in elasticsearch.yml.

But that also allows arbitrary script code to be submitted as the body of
the script field, which we want to disallow.

Is it possible to configure scripting to work only with named scripts that
are installed? It seems like the one config option I found is to coarse
for this.

Thanks!

-gregj

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/e866778e-c8db-4e9e-8ce9-3e1ada7529f6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

spinscale · June 30, 2014, 8:11am

Hey,

I just tested with 1.2.1, and even if dynamic scripting is disabled, you
can still execute locally stored scripts. See the example in

--Alex

On Fri, Jun 27, 2014 at 8:44 PM, greg j gregj@allenai.org wrote:

Hi,

We'd like to enable custom scoring using a script that we'll install under
config/scripts, so that we can invoke it as part of a function_score query,
like

"query": {
"function_score": {
"query" : { ... },
"functions": [ {
"script_score": {
"script": "my-script" // installed in
config/scripts/my-script.mvel
}
}]
}
}

In order to do this, it looks like we have to set

script.disable_dynamic: false

in elasticsearch.yml.

But that also allows arbitrary script code to be submitted as the body of
the script field, which we want to disallow.

Is it possible to configure scripting to work only with named scripts that
are installed? It seems like the one config option I found is to coarse
for this.

Thanks!

-gregj

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/e866778e-c8db-4e9e-8ce9-3e1ada7529f6%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/e866778e-c8db-4e9e-8ce9-3e1ada7529f6%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAGCwEM8Ku5RtL%2B_42v1%2B50Ps8bGY-mUb9h5_EWXkism0_sxeCA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

greg_j · June 30, 2014, 9:39pm

You're right. Was sure I tried that, but obviously had done something
wrong along the way.

Thanks!

On Monday, June 30, 2014 1:11:59 AM UTC-7, Alexander Reelsen wrote:

Hey,

I just tested with 1.2.1, and even if dynamic scripting is disabled, you
can still execute locally stored scripts. See the example in
Elasticsearch Platform — Find real-time answers at scale | Elastic

--Alex

On Fri, Jun 27, 2014 at 8:44 PM, greg j <gr...@allenai.org <javascript:>>
wrote:

Hi,

We'd like to enable custom scoring using a script that we'll install
under config/scripts, so that we can invoke it as part of a function_score
query, like

"query": {
"function_score": {
"query" : { ... },
"functions": [ {
"script_score": {
"script": "my-script" // installed in
config/scripts/my-script.mvel
}
}]
}
}

In order to do this, it looks like we have to set

script.disable_dynamic: false

in elasticsearch.yml.

But that also allows arbitrary script code to be submitted as the body of
the script field, which we want to disallow.

Is it possible to configure scripting to work only with named scripts
that are installed? It seems like the one config option I found is to
coarse for this.

Thanks!

-gregj

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/e866778e-c8db-4e9e-8ce9-3e1ada7529f6%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/e866778e-c8db-4e9e-8ce9-3e1ada7529f6%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/29a64032-3651-47e0-8ee3-9b5010051e65%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Topic		Replies	Views
Dynamic scripting for local node for 1.6? Elasticsearch	3	727	July 6, 2017
Script_score query does not support [query] Elasticsearch	1	627	October 11, 2021
Custom Scripts In Elastic Search Elasticsearch	5	688	July 6, 2017
Does ES 6.2 supports script files under config/scripts folder Elasticsearch	2	523	June 22, 2018
Script in custom_filters_score/function_score Elasticsearch	2	365	July 6, 2017

Enabling scripting for installed scripts only

Related topics