Enabling scripting for installed scripts only


(greg j) #1

Hi,

We'd like to enable custom scoring using a script that we'll install under
config/scripts, so that we can invoke it as part of a function_score query,
like

"query": {
  "function_score": {
    "query" : { ... },
    "functions": [ {
      "script_score": {
        "script": "my-script" // installed in config/scripts/my-script.mvel
      }
    } ]
  }
}

In order to do this, it looks like we have to set

script.disable_dynamic: false

in elasticsearch.yml.

But that also allows arbitrary script code to be submitted as the body of
the script field, which we want to disallow.

Is it possible to configure scripting to work only with named scripts that
are installed? It seems like the one config option I found is too coarse
for this.

Thanks!

-gregj



(Alexander Reelsen) #2

Hey,

I just tested with 1.2.1, and even if dynamic scripting is disabled, you
can still execute locally stored scripts. See the example in
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#modules-scripting

--Alex
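
An added example, not part of the original thread and not Elasticsearch code: a client-side pre-flight check that walks a parsed request body and reports every "script" value that is not the name of a file in the scripts directory. The function names, the temporary directory standing in for config/scripts, and the sample queries are constructed for illustration; the server-side setting discussed above remains the actual control.

```python
import os
import tempfile


def installed_script_names(scripts_dir):
    """File names under scripts_dir with the extension dropped."""
    return {
        os.path.splitext(entry)[0]
        for entry in os.listdir(scripts_dir)
        if os.path.isfile(os.path.join(scripts_dir, entry))
    }


def find_unlisted_scripts(body, allowed, path="$"):
    """Return (path, value) for each "script" value that is not an installed name."""
    hits = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}"
            if key == "script":
                if not (isinstance(value, str) and value in allowed):
                    hits.append((here, value))
            else:
                hits.extend(find_unlisted_scripts(value, allowed, here))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            hits.extend(find_unlisted_scripts(item, allowed, f"{path}[{i}]"))
    return hits


def sample_query(script):
    """Constructed function_score body in the shape shown in the question."""
    return {"query": {"function_score": {
        "query": {"match_all": {}},
        "functions": [{"script_score": {"script": script}}],
    }}}


def demo():
    # Temporary directory stands in for config/scripts (assumption for the demo).
    with tempfile.TemporaryDirectory() as scripts_dir:
        open(os.path.join(scripts_dir, "my-script.mvel"), "w").close()
        allowed = installed_script_names(scripts_dir)
    named = find_unlisted_scripts(sample_query("my-script"), allowed)
    inline = find_unlisted_scripts(sample_query("_score * 2"), allowed)
    return named, inline


if __name__ == "__main__":
    print(demo())
```
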

On Fri, Jun 27, 2014 at 8:44 PM, greg j gregj@allenai.org wrote:



(greg j) #3

You're right. Was sure I tried that, but obviously had done something
wrong along the way.

Thanks!

On Monday, June 30, 2014 1:11:59 AM UTC-7, Alexander Reelsen wrote:


