Need to generate UUID in painless script

Oliver_Henlich · January 23, 2019, 12:29am

Hi,

I am trying to use the reindex api to create a copy of a set of documents. One of the fields (productId) of the document is a UUID. I need the copied documents to have new UUIDs for the productId field.

Please note, simply using the elastic search _id field is not an option as services using these documents depend on this field being a valid UUID.

According to [1] and [2] the method java.util.UUID.randomUUID() is not whitelisted for use in painless scripts.

Questions:

Why is randomUUID() considered an unsafe operation? Or is it just an oversight that it is not whitelisted?
What would be the process for whitelisting this method on our ES server? I have read [3] which describes supplying our own java policy file on jvm startup. The problem with this is that I don't really want to overwrite all the existing policies but only add to them. Is there a way to do this?
Will the approach described in [3] really work for painless whitelisting. Looking at the source, it seems there is a separate framework for whitelisting java classes for painless here [4].

Cheers
Oliver

Details:

Elastic Search: 6.4.2
Deploying to kubernetes with helm (https://github.com/elastic/helm-charts/tree/master/elasticsearch)

References:
[1] - Generate a UUID using randomuuid in painless
[2] - https://www.elastic.co/guide/en/elasticsearch/painless/6.4/painless-api-reference.html
[3] - https://www.elastic.co/guide/en/elasticsearch/reference/6.4/modules-scripting-security.html
[4] - https://github.com/elastic/elasticsearch/blob/master/modules/lang-painless/src/main/resources/org/elasticsearch/painless/spi/java.util.txt

Oliver_Henlich · January 24, 2019, 11:05pm

Hi,

Since my post I've found the example plugin that seems to allow me to extend the whitelisting for painless scripts [5].

I've got it working but for queries only. I can't seem to find what to put for the reindex context here:

@Override
public Map<ScriptContext<?>, List<Whitelist>> getContextWhitelists() {
return Collections.singletonMap(SearchScript.CONTEXT, Collections.singletonList(WHITELIST));
}

I searched the whole ES code base for "new ScriptContext" to see if I could find one. There are many different contexts but nothing for "reindex".

Any advice on what to do here would be much appreciated.

@warkolm I saw you removed the security tag from this question. I used that tag because it seemed to me that the whole business of whitelisting methods that painless is allowed to use is a security issue.

[5] - https://github.com/elastic/elasticsearch/tree/v6.5.4/plugins/examples/painless-whitelist

warkolm · January 25, 2019, 1:04am

The Security tag is specifically for posts relating to the stack functionality of the same name, ie https://www.elastic.co/products/stack/security

It's not super clear though, so apologies for that confusion.

Oliver_Henlich · January 25, 2019, 7:12am

Thanks @warkolm.

Can you or someone from ES give me some quick pointers for the actual question? Or let me know if what I'm trying to achieve is currently impossible.

Cheers
Oliver

Oliver_Henlich · February 15, 2019, 12:32am

Can somebody from ES help or give some pointers for this please.

I've asked the same question on stackoverflow too:

system · March 15, 2019, 12:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.