Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 3879aa2a98
Branches Tags
elasticsearch
/
docs
/
reference
/
modules
/
scripting
/
security.asciidoc

security.asciidoc 4.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 
  1. [[modules-scripting-security]]
    2. 

  2. === Scripting and the Java Security Manager
    3. 

  3. 

  4. Elasticsearch runs with the https://docs.oracle.com/javase/tutorial/essential/environment/security.html[Java Security Manager]
    5. 

  5. enabled by default.  The security policy in Elasticsearch locks down the
    6. 

  6. permissions granted to each class to the bare minimum required to operate.
    7. 

  7. The benefit of doing this is that it severely limits the attack vectors
    8. 

  8. available to a hacker.
    9. 

  9. 

  10. Restricting permissions is particularly important with scripting languages
    11. 

  11. like Groovy and Javascript which are designed to do anything that can be done
    12. 

  12. in Java itself, including writing to the file system, opening sockets to
    13. 

  13. remote servers, etc.
    14. 

  14. 

  15. [float]
    16. 

  16. === Script Classloader Whitelist
    17. 

  17. 

  18. Scripting languages are only allowed to load classes which appear in a
    19. 

  19. hardcoded whitelist that can be found in
    20. 

  20. https://github.com/elastic/elasticsearch/blob/{branch}/core/src/main/java/org/elasticsearch/script/ClassPermission.java[`org.elasticsearch.script.ClassPermission`].
    21. 

  21. 

  22. 

  23. In a script, attempting to load a class that does not appear in the whitelist
    24. 

  24. _may_ result in a `ClassNotFoundException`, for instance this script:
    25. 

  25. 

  26. [source,json]
    27. 

  27. ------------------------------
    28. 

  28. GET _search
    29. 

  29. {
    30. 

  30.   "script_fields": {
    31. 

  31.     "the_hour": {
    32. 

  32.       "script": "use(java.math.BigInteger); new BigInteger(1)"
    33. 

  33.     }
    34. 

  34.   }
    35. 

  35. }
    36. 

  36. ------------------------------
    37. 

  37. 

  38. will return the following exception:
    39. 

  39. 

  40. [source,json]
    41. 

  41. ------------------------------
    42. 

  42. {
    43. 

  43.   "reason": {
    44. 

  44.     "type": "script_exception",
    45. 

  45.     "reason": "failed to run inline script [use(java.math.BigInteger); new BigInteger(1)] using lang [groovy]",
    46. 

  46.     "caused_by": {
    47. 

  47.       "type": "no_class_def_found_error",
    48. 

  48.       "reason": "java/math/BigInteger",
    49. 

  49.       "caused_by": {
    50. 

  50.         "type": "class_not_found_exception",
    51. 

  51.         "reason": "java.math.BigInteger"
    52. 

  52.       }
    53. 

  53.     }
    54. 

  54.   }
    55. 

  55. }
    56. 

  56. ------------------------------
    57. 

  57. 

  58. However, classloader issues may also result in more difficult to interpret
    59. 

  59. exceptions.  For instance, this script:
    60. 

  60. 

  61. [source,groovy]
    62. 

  62. ------------------------------
    63. 

  63. use(groovy.time.TimeCategory); new Date(123456789).format('HH')
    64. 

  64. ------------------------------
    65. 

  65. 

  66. Returns the following exception:
    67. 

  67. 

  68. [source,json]
    69. 

  69. ------------------------------
    70. 

  70. {
    71. 

  71.   "reason": {
    72. 

  72.     "type": "script_exception",
    73. 

  73.     "reason": "failed to run inline script [use(groovy.time.TimeCategory); new Date(123456789).format('HH')] using lang [groovy]",
    74. 

  74.     "caused_by": {
    75. 

  75.       "type": "missing_property_exception",
    76. 

  76.       "reason": "No such property: groovy for class: 8d45f5c1a07a1ab5dda953234863e283a7586240"
    77. 

  77.     }
    78. 

  78.   }
    79. 

  79. }
    80. 

  80. ------------------------------
    81. 

  81. 

  82. [float]
    83. 

  83. == Dealing with Java Security Manager issues
    84. 

  84. 

  85. If you encounter issues with the Java Security Manager, you have two options
    86. 

  86. for resolving these issues:
    87. 

  87. 

  88. [float]
    89. 

  89. === Fix the security problem
    90. 

  90. 

  91. The safest and most secure long term solution is to change the code causing
    92. 

  92. the security issue.  We recognise that this may take time to do correctly and
    93. 

  93. so we provide the following two alternatives.
    94. 

  94. 

  95. [float]
    96. 

  96. === Customising the classloader whitelist
    97. 

  97. 

  98. The classloader whitelist can be customised by tweaking the local Java
    99. 

  99. Security Policy either:
    100. 

  100. 

  101. * system wide: `$JAVA_HOME/lib/security/java.policy`,
    102. 

  102. * for just the `elasticsearch` user: `/home/elasticsearch/.java.policy`
    103. 

  103. * by adding a system property to the <<sysconfig,es-java-opts>> configuration: `-Djava.security.policy=someURL`, or
    104. 

  104. * via the `ES_JAVA_OPTS` environment variable with `-Djava.security.policy=someURL`:
    105. 

  105. +
    106. 

  106. [source,js]
    107. 

  107. ---------------------------------
    108. 

  108. export ES_JAVA_OPTS="${ES_JAVA_OPTS} -Djava.security.policy=file:///path/to/my.policy`
    109. 

  109. ./bin/elasticsearch
    110. 

  110. ---------------------------------
    111. 

  111. 

  112. Permissions may be granted at the class, package, or global level.  For instance:
    113. 

  113. 

  114. [source,js]
    115. 

  115. ----------------------------------
    116. 

  116. grant {
    117. 

  117.     permission org.elasticsearch.script.ClassPermission "java.util.Base64"; // allow class
    118. 

  118.     permission org.elasticsearch.script.ClassPermission "java.util.*"; // allow package
    119. 

  119.     permission org.elasticsearch.script.ClassPermission "*"; // allow all (disables filtering basically)
    120. 

  120. };
    121. 

  121. ----------------------------------
    122. 

  122. 

  123. Here is an example of how to enable the `groovy.time.TimeCategory` class:
    124. 

  124. 

  125. [source,js]
    126. 

  126. ----------------------------------
    127. 

  127. grant {
    128. 

  128.     permission org.elasticsearch.script.ClassPermission "java.lang.Class";
    129. 

  129.     permission org.elasticsearch.script.ClassPermission "groovy.time.TimeCategory";
    130. 

  130. };
    131. 

  131. ----------------------------------
    132. 

  132. 

  133. [TIP]
    134. 

  134. ======================================
    135. 

  135. 

  136. Before adding classes to the whitelist, consider the security impact that it
    137. 

  137. will have on Elasticsearch. Do you really need an extra class or can your code
    138. 

  138. be rewritten in a more secure way?
    139. 

  139. 

  140. It is quite possible that we have not whitelisted a generically useful and
    141. 

  141. safe class. If you have a class that you think should be whitelisted by
    142. 

  142. default, please open an issue on GitHub and we will consider the impact of
    143. 

  143. doing so.
    144. 

  144. 

  145. ======================================
    146. 

  146. 

  147. See http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html for more information.
    148. 

  148.