Mention agg allow list in scripting security doc

alex-spies · Jun 12, 2024 · fb6eab8 · fb6eab8
1 parent 05cee7d
commit fb6eab8
Showing 1 changed file with 53 additions and 8 deletions.
diff --git a/docs/reference/scripting/security.asciidoc b/docs/reference/scripting/security.asciidoc
@@ -9,31 +9,37 @@ security in a defense in depth strategy for scripting.
 
 The second layer of security is the https://www.oracle.com/java/technologies/javase/seccodeguide.html[Java Security Manager]. As part of its startup
 sequence, {es} enables the Java Security Manager to limit the actions that
-portions of the code can take. <<modules-scripting-painless,Painless>> uses 
-the Java Security Manager as an additional layer of defense to prevent scripts 
+portions of the code can take. <<modules-scripting-painless,Painless>> uses
+the Java Security Manager as an additional layer of defense to prevent scripts
 from doing things like writing files and listening to sockets.
 
 {es} uses
 {wikipedia}/Seccomp[seccomp] in Linux,
 https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design[Seatbelt]
 in macOS, and
 https://msdn.microsoft.com/en-us/library/windows/desktop/ms684147[ActiveProcessLimit]
-on Windows as additional security layers to prevent {es} from forking or 
+on Windows as additional security layers to prevent {es} from forking or
 running other processes.
 
+Finally, scripts used in
+<<search-aggregations-metrics-scripted-metric-aggregation,scripted metrics aggregations>>
+can be restricted to a defined list of scripts, or forbidden altogether.
+This can prevent users from running particularly slow or resource intensive aggregation
+queries.
+
 You can modify the following script settings to restrict the type of scripts
-that are allowed to run, and control the available 
+that are allowed to run, and control the available
 {painless}/painless-contexts.html[contexts] that scripts can run in. To
-implement additional layers in your defense in depth strategy, follow the 
+implement additional layers in your defense in depth strategy, follow the
 <<es-security-principles,{es} security principles>>.
 
 [[allowed-script-types-setting]]
 [discrete]
 === Allowed script types setting
 
-{es} supports two script types: `inline` and `stored`. By default, {es} is 
-configured to run both types of scripts. To limit what type of scripts are run, 
-set `script.allowed_types` to `inline` or `stored`. To prevent any scripts from 
+{es} supports two script types: `inline` and `stored`. By default, {es} is
+configured to run both types of scripts. To limit what type of scripts are run,
+set `script.allowed_types` to `inline` or `stored`. To prevent any scripts from
 running, set `script.allowed_types` to `none`.
 
 IMPORTANT: If you use {kib}, set `script.allowed_types` to both or just `inline`.
@@ -61,3 +67,42 @@ For example, to allow scripts to run only in `scoring` and `update` contexts:
 ----
 script.allowed_contexts: score, update
 ----
+
+[[allowed-script-in-aggs-settings]]
+[discrete]
+=== Allowed scripts in scripted metrics aggregations
+
+By default, all scripts are permitted in
+<<search-aggregations-metrics-scripted-metric-aggregation,scripted metrics aggregations>>.
+To restrict the set of allowed scripts, set
+<<search-settings-only-allowed-scripts,`search.aggs.only_allowed_metric_scripts`>>
+to `true` and provide the allowed scripts using
+<<search-settings-allowed-inline-scripts,`search.aggs.allowed_inline_metric_scripts`>>
+and
+<<search-settings-allowed-stored-scripts,`search.aggs.allowed_stored_metric_scripts`>>.
+
+The following example permits only 4 specific stored scripts to be used, and no inline scripts:
+
+[source,yaml]
+----
+search.aggs.only_allowed_metric_scripts: true
+search.aggs.allowed_inline_metric_scripts: []
+search.aggs.allowed_stored_metric_scripts:
+   - script_id_1
+   - script_id_2
+   - script_id_3
+   - script_id_4
+----
+
+Conversely, the next example allows specific inline scripts but no stored scripts:
+
+[source,yaml]
+----
+search.aggs.only_allowed_metric_scripts: true
+search.aggs.allowed_inline_metric_scripts:
+   - 'state.transactions = []'
+   - 'state.transactions.add(doc.some_field.value)'
+   - 'long sum = 0; for (t in state.transactions) { sum += t } return sum'
+   - 'long sum = 0; for (a in states) { sum += a } return sum'
+search.aggs.allowed_stored_metric_scripts: []
+----