- Elasticsearch Guide: other versions:
- Getting Started
- Setup
- Breaking changes
- Breaking changes in 2.4
- Breaking changes in 2.3
- Breaking changes in 2.2
- Breaking changes in 2.1
- Breaking changes in 2.0
- Removed features
- Network changes
- Multiple
path.datastriping - Mapping changes
- CRUD and routing changes
- Query DSL changes
- Search changes
- Aggregation changes
- Parent/Child changes
- Scripting changes
- Index API changes
- Snapshot and Restore changes
- Plugin and packaging changes
- Setting changes
- Stats, info, and
catchanges - Java API changes
- API Conventions
- Document APIs
- Search APIs
- Aggregations
- Metrics Aggregations
- Avg Aggregation
- Cardinality Aggregation
- Extended Stats Aggregation
- Geo Bounds Aggregation
- Geo Centroid Aggregation
- Max Aggregation
- Min Aggregation
- Percentiles Aggregation
- Percentile Ranks Aggregation
- Scripted Metric Aggregation
- Stats Aggregation
- Sum Aggregation
- Top hits Aggregation
- Value Count Aggregation
- Bucket Aggregations
- Children Aggregation
- Date Histogram Aggregation
- Date Range Aggregation
- Filter Aggregation
- Filters Aggregation
- Geo Distance Aggregation
- GeoHash grid Aggregation
- Global Aggregation
- Histogram Aggregation
- IPv4 Range Aggregation
- Missing Aggregation
- Nested Aggregation
- Range Aggregation
- Reverse nested Aggregation
- Sampler Aggregation
- Significant Terms Aggregation
- Terms Aggregation
- Pipeline Aggregations
- Avg Bucket Aggregation
- Derivative Aggregation
- Max Bucket Aggregation
- Min Bucket Aggregation
- Sum Bucket Aggregation
- Stats Bucket Aggregation
- Extended Stats Bucket Aggregation
- Percentiles Bucket Aggregation
- Moving Average Aggregation
- Cumulative Sum Aggregation
- Bucket Script Aggregation
- Bucket Selector Aggregation
- Serial Differencing Aggregation
- Caching heavy aggregations
- Returning only aggregation results
- Aggregation Metadata
- Metrics Aggregations
- Indices APIs
- Create Index
- Delete Index
- Get Index
- Indices Exists
- Open / Close Index API
- Put Mapping
- Get Mapping
- Get Field Mapping
- Types Exists
- Index Aliases
- Update Indices Settings
- Get Settings
- Analyze
- Index Templates
- Warmers
- Shadow replica indices
- Indices Stats
- Indices Segments
- Indices Recovery
- Indices Shard Stores
- Clear Cache
- Flush
- Refresh
- Force Merge
- Optimize
- Upgrade
- cat APIs
- Cluster APIs
- Query DSL
- Mapping
- Dots in field names
- Field datatypes
- Meta-Fields
- Mapping parameters
analyzerboostcoercecopy_todoc_valuesdynamicenabledfielddataformatgeohashgeohash_precisiongeohash_prefixignore_aboveignore_malformedinclude_in_allindexindex_optionslat_lonfieldsnormsnull_valueposition_increment_gapprecision_steppropertiessearch_analyzersimilaritystoreterm_vector
- Dynamic Mapping
- Transform
- Analysis
- Analyzers
- Tokenizers
- Token Filters
- Standard Token Filter
- ASCII Folding Token Filter
- Length Token Filter
- Lowercase Token Filter
- Uppercase Token Filter
- NGram Token Filter
- Edge NGram Token Filter
- Porter Stem Token Filter
- Shingle Token Filter
- Stop Token Filter
- Word Delimiter Token Filter
- Stemmer Token Filter
- Stemmer Override Token Filter
- Keyword Marker Token Filter
- Keyword Repeat Token Filter
- KStem Token Filter
- Snowball Token Filter
- Phonetic Token Filter
- Synonym Token Filter
- Compound Word Token Filter
- Reverse Token Filter
- Elision Token Filter
- Truncate Token Filter
- Unique Token Filter
- Pattern Capture Token Filter
- Pattern Replace Token Filter
- Trim Token Filter
- Limit Token Count Token Filter
- Hunspell Token Filter
- Common Grams Token Filter
- Normalization Token Filter
- CJK Width Token Filter
- CJK Bigram Token Filter
- Delimited Payload Token Filter
- Keep Words Token Filter
- Keep Types Token Filter
- Classic Token Filter
- Apostrophe Token Filter
- Decimal Digit Token Filter
- Character Filters
- Modules
- Index Modules
- Testing
- Glossary of terms
- Release Notes
- 2.4.6 Release Notes
- 2.4.5 Release Notes
- 2.4.4 Release Notes
- 2.4.3 Release Notes
- 2.4.2 Release Notes
- 2.4.1 Release Notes
- 2.4.0 Release Notes
- 2.3.5 Release Notes
- 2.3.4 Release Notes
- 2.3.3 Release Notes
- 2.3.2 Release Notes
- 2.3.1 Release Notes
- 2.3.0 Release Notes
- 2.2.2 Release Notes
- 2.2.1 Release Notes
- 2.2.0 Release Notes
- 2.1.2 Release Notes
- 2.1.1 Release Notes
- 2.1.0 Release Notes
- 2.0.2 Release Notes
- 2.0.1 Release Notes
- 2.0.0 Release Notes
- 2.0.0-rc1 Release Notes
- 2.0.0-beta2 Release Notes
- 2.0.0-beta1 Release Notes
WARNING: Version 2.4 of Elasticsearch has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Scripting and the Java Security Manager
editScripting and the Java Security Manager
editElasticsearch runs with the Java Security Manager enabled by default. The security policy in Elasticsearch locks down the permissions granted to each class to the bare minimum required to operate. The benefit of doing this is that it severely limits the attack vectors available to a hacker.
Restricting permissions is particularly important with scripting languages like Groovy and Javascript which are designed to do anything that can be done in Java itself, including writing to the file system, opening sockets to remote servers, etc.
Script Classloader Whitelist
editScripting languages are only allowed to load classes which appear in a
hardcoded whitelist that can be found in
org.elasticsearch.script.ClassPermission.
In a script, attempting to load a class that does not appear in the whitelist
may result in a ClassNotFoundException, for instance this script:
GET _search { "script_fields": { "the_hour": { "script": "use(java.math.BigInteger); new BigInteger(1)" } } }
will return the following exception:
{ "reason": { "type": "script_exception", "reason": "failed to run inline script [use(java.math.BigInteger); new BigInteger(1)] using lang [groovy]", "caused_by": { "type": "no_class_def_found_error", "reason": "java/math/BigInteger", "caused_by": { "type": "class_not_found_exception", "reason": "java.math.BigInteger" } } } }
However, classloader issues may also result in more difficult to interpret exceptions. For instance, this script:
use(groovy.time.TimeCategory); new Date(123456789).format('HH')
Returns the following exception:
{ "reason": { "type": "script_exception", "reason": "failed to run inline script [use(groovy.time.TimeCategory); new Date(123456789).format('HH')] using lang [groovy]", "caused_by": { "type": "missing_property_exception", "reason": "No such property: groovy for class: 8d45f5c1a07a1ab5dda953234863e283a7586240" } } }
Dealing with Java Security Manager issues
editIf you encounter issues with the Java Security Manager, you have three options for resolving these issues:
Fix the security problem
editThe safest and most secure long term solution is to change the code causing the security issue. We recognise that this may take time to do correctly and so we provide the following two alternatives.
Disable the Java Security Manager
editDeprecated in 2.2.0.
The ability to disable the Java Security Manager will be removed in a future version
You can disable the Java Security Manager entirely with the
security.manager.enabled command line flag:
./bin/elasticsearch --security.manager.enabled false
This disables the Security Manager entirely and makes Elasticsearch much more vulnerable to attacks! It is an option that should only be used in the most urgent of situations and for the shortest amount of time possible. Optional security is not secure at all because it will be disabled and leave the system vulnerable. This option will be removed in a future version.
Customising the classloader whitelist
editThe classloader whitelist can be customised by tweaking the local Java Security Policy either:
-
system wide:
$JAVA_HOME/lib/security/java.policy, -
for just the
elasticsearchuser:/home/elasticsearch/.java.policy, or -
from a file specified in the
JAVA_OPTSenvironment variable with-Djava.security.policy=someURL:export JAVA_OPTS="${JAVA_OPTS} -Djava.security.policy=file:///path/to/my.policy` ./bin/elasticsearch
Permissions may be granted at the class, package, or global level. For instance:
grant { permission org.elasticsearch.script.ClassPermission "java.util.Base64"; // allow class permission org.elasticsearch.script.ClassPermission "java.util.*"; // allow package permission org.elasticsearch.script.ClassPermission "*"; // allow all (disables filtering basically) };
Here is an example of how to enable the groovy.time.TimeCategory class:
grant { permission org.elasticsearch.script.ClassPermission "java.lang.Class"; permission org.elasticsearch.script.ClassPermission "groovy.time.TimeCategory"; };
Before adding classes to the whitelist, consider the security impact that it will have on Elasticsearch. Do you really need an extra class or can your code be rewritten in a more secure way?
It is quite possible that we have not whitelisted a generically useful and safe class. If you have a class that you think should be whitelisted by default, please open an issue on GitHub and we will consider the impact of doing so.
See http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html for more information.
On this page