Add Groovy as a scripting language, add groovy sandboxing #6233
Conversation
| @@ -6,28 +6,30 @@ expressions. For example, scripts can be used to return "script fields" | |||
| as part of a search request, or can be used to evaluate a custom score | |||
| for a query and so on. | |||
|
|
|||
| The scripting module uses by default http://mvel.codehaus.org/[mvel] as | |||
There was a problem hiding this comment.
we should really have a section that says that we added this in 1.3 and where to find the docs for the prev. version?
There was a problem hiding this comment.
Sure, I added the "coming in 1.3.0" part, but not sure where to link for older documentation since 1.2 hasn't been released yet. Once it's released I'll add a commit to point to the older documentation.
There was a problem hiding this comment.
Docs are built for branches, ie 1.x, master, not for released versions. So you should use a deprecated tag for mvel eg deprecated[1.3.0,Replace by groovy as the default scripting language, see old docs here <>]
There was a problem hiding this comment.
@dakrone can you address clintons comments?
There was a problem hiding this comment.
Added a commit to rearrange and (hopefully) clarify the mvel deprecation.
|
oh man this looks awesome! |
| "java.lang.Double", "[D", "[[D", "[[[D", | ||
| "java.lang.Long", "[J", "[[J", "[[[J", | ||
| "java.lang.Short", "[S", "[[S", "[[[S", | ||
| "java.lang.Char", "[C", "[[C", "[[[C", |
There was a problem hiding this comment.
shouldn't this be java.lang.Character?
There was a problem hiding this comment.
Whoops, good catch, fixed.
|
Added a number of commits to address the feedback, @s1monw can you take another look? |
| @@ -74,7 +74,7 @@ public ScriptService(Settings settings, Environment env, Set<ScriptEngineService | |||
| TimeValue cacheExpire = componentSettings.getAsTime("cache.expire", null); | |||
| logger.debug("using script cache with max_size [{}], expire [{}]", cacheMaxSize, cacheExpire); | |||
|
|
|||
| this.defaultLang = componentSettings.get("default_lang", "mvel"); | |||
There was a problem hiding this comment.
any chance we can make this a constant?
There was a problem hiding this comment.
Yes, I will make everything a constant that can be for this.
| @@ -951,7 +951,7 @@ public void script_Score() { | |||
| SearchResponse response = client().prepareSearch("idx").setTypes("type") | |||
| .setQuery(functionScoreQuery(matchAllQuery()).add(ScoreFunctionBuilders.scriptFunction("doc['" + SINGLE_VALUED_FIELD_NAME + "'].value"))) | |||
| .addAggregation(terms("terms") | |||
| .script("ceil(_doc.score/3)") | |||
| .script("ceil(_doc.score()/3)") | |||
There was a problem hiding this comment.
mabye we can use _score here too?
There was a problem hiding this comment.
I looked into this, _score doesn't work for either Groovy or Mvel (probably due to this being in an aggregation?). If this is something we want to support I think we should open a separate issue for it.
|
did another review.... looks pretty close... left some commetns |
| /** | ||
| * Float encapsulation that allows updating the value with public member access | ||
| */ | ||
| public class UpdateableFloat extends Number { |
There was a problem hiding this comment.
IMO we should make this class package private and final? Can you also put in the comment where this is used and for what reason just be a little more verbose.... we might also just put it as a inner class?
|
@s1monw updated this PR with all of the changes you recommended :) |
|
this actually LGTM maybe @kimchy want's to take a look? |
|
@dakrone this looks great!, a few comments:
For 2.0:
For 1.3:
|
|
@kimchy Sounds good, I updated the documentation and completely removed mvel as well. I also added the 3-value setting for dynamic scripting. |
|
so this means that upgrading to |
|
@s1monw yes, the mvel plugin will have to be installed and the For an upgrade guide, do we want to add the two settings to the release notes? It will also be on the scripting blog post to come out after this is merged as well. |
dakrone
changed the title
Sandboxes the groovy scripting language with multiple configurable whitelists: `script.groovy.sandbox.receiver_whitelist`: comma-separated list of string classes for objects that may have methods invoked. `script.groovy.sandbox.package_whitelist`: comma-separated list of packages under which new objects may be constructed. `script.groovy.sandbox.class_whitelist` comma-separated list of classes that are allowed to be constructed. As well as a method blacklist: `script.groovy.sandbox.method_blacklist`: comma-separated list of methods that are never allowed to be invoked, regardless of target object. The sandbox can be entirely disabled by setting: `script.groovy.sandbox.enabled: false`
clintongormley
changed the title
As for elasticsearch 1.3.0, `groovy` is the new default scripting language. Related to: elastic/elasticsearch#6233 Closes #61. (cherry picked from commit 170a2cd)
As for elasticsearch 1.3.0, `groovy` is the new default scripting language. Related to: elastic/elasticsearch#6233 Closes #61. (cherry picked from commit 170a2cd)
As for elasticsearch 1.3.0, `groovy` is the new default scripting language. Related to: elastic/elasticsearch#6233 Closes #61.
clintongormley
added
the
:Core/Infra/Scripting
clintongormley
changed the title
Sandboxes the groovy scripting language with multiple configurable
whitelists:
script.groovy.sandbox.receiver_whitelist: comma-separated list of stringclasses for objects that may have methods invoked.
script.groovy.sandbox.package_whitelist: comma-separated list ofpackages under which new objects may be constructed.
script.groovy.sandbox.class_whitelistcomma-separated list of classesthat are allowed to be constructed.
As well as a method blacklist:
script.groovy.sandbox.method_blacklist: comma-separated list ofmethods that are never allowed to be invoked, regardless of target
object.
The sandbox can be entirely disabled by setting:
script.groovy.sandbox.enabled: false