Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: c9e03e6ead
Branches Tags
elasticsearch
/
docs
/
reference
/
modules
/
scripting
/
security.asciidoc

security.asciidoc 4.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107 
  1. [[modules-scripting-security]]
    2. 

  2. === Scripting and security
    3. 

  3. 

  4. While Elasticsearch contributors make every effort to prevent scripts from
    5. 

  5. running amok, security is something best done in
    6. 

  6. https://en.wikipedia.org/wiki/Defense_in_depth_(computing)[layers] because
    7. 

  7. all software has bugs and it is important to minimize the risk of failure in
    8. 

  8. any security layer. Find below rules of thumb for how to keep Elasticsearch
    9. 

  9. from being a vulnerability.
    10. 

  10. 

  11. [float]
    12. 

  12. === Do not run as root
    13. 

  13. First and foremost, never run Elasticsearch as the `root` user as this would
    14. 

  14. allow any successful effort to circumvent the other security layers to do
    15. 

  15. *anything* on your server. Elasticsearch will refuse to start if it detects
    16. 

  16. that it is running as `root` but this is so important that it is worth double
    17. 

  17. and triple checking.
    18. 

  18. 

  19. [float]
    20. 

  20. === Do not expose Elasticsearch directly to users
    21. 

  21. Do not expose Elasticsearch directly to users, instead have an application
    22. 

  22. make requests on behalf of users. If this is not possible, have an application
    23. 

  23. to sanitize requests from users. If *that* is not possible then have some
    24. 

  24. mechanism to track which users did what. Understand that it is quite possible
    25. 

  25. to write a <<search, `_search`>> that overwhelms Elasticsearch and brings down
    26. 

  26. the cluster. All such searches should be considered bugs and the Elasticsearch
    27. 

  27. contributors make an effort to prevent this but they are still possible.
    28. 

  28. 

  29. [float]
    30. 

  30. === Do not expose Elasticsearch directly to the Internet
    31. 

  31. Do not expose Elasticsearch to the Internet, instead have an application
    32. 

  32. make requests on behalf of the Internet. Do not entertain the thought of having
    33. 

  33. an application "sanitize" requests to Elasticsearch. Understand that it is
    34. 

  34. possible for a sufficiently determined malicious user to write searches that
    35. 

  35. overwhelm the Elasticsearch cluster and bring it down. For example:
    36. 

  36. 

  37. Good:
    38. 

  38. 

  39. * Users type text into a search box and the text is sent directly to a
    40. 

  40. <<query-dsl-match-query>>, <<query-dsl-match-query-phrase>>,
    41. 

  41. <<query-dsl-simple-query-string-query>>, or any of the <<search-suggesters>>.
    42. 

  42. * Running a script with any of the above queries that was written as part of
    43. 

  43. the application development process.
    44. 

  44. * Running a script with `params` provided by users.
    45. 

  45. * User actions makes documents with a fixed structure.
    46. 

  46. 

  47. Bad:
    48. 

  48. 

  49. * Users can write arbitrary scripts, queries, `_search` requests.
    50. 

  50. * User actions make documents with structure defined by users.
    51. 

  51. 

  52. [float]
    53. 

  53. [[modules-scripting-other-layers]]
    54. 

  54. === Other security layers
    55. 

  55. In addition to user privileges and script sandboxing Elasticsearch uses the
    56. 

  56. http://www.oracle.com/technetwork/java/seccodeguide-139067.html[Java Security Manager]
    57. 

  57. and native security tools as additional layers of security.
    58. 

  58. 

  59. As part of its startup sequence Elasticsearch enables the Java Security Manager
    60. 

  60. which limits the actions that can be taken by portions of the code. Painless
    61. 

  61. uses this to limit the actions that generated Painless scripts can take,
    62. 

  62. preventing them from being able to do things like write files and listen to
    63. 

  63. sockets.
    64. 

  64. 

  65. Elasticsearch uses
    66. 

  66. https://en.wikipedia.org/wiki/Seccomp[seccomp] in Linux,
    67. 

  67. https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design[Seatbelt]
    68. 

  68. in macOS, and
    69. 

  69. https://msdn.microsoft.com/en-us/library/windows/desktop/ms684147[ActiveProcessLimit]
    70. 

  70. on Windows to prevent Elasticsearch from forking or executing other processes.
    71. 

  71. 

  72. Below this we describe the security settings for scripts and how you can
    73. 

  73. change from the defaults described above. You should be very, very careful
    74. 

  74. when allowing more than the defaults. Any extra permissions weakens the total
    75. 

  75. security of the Elasticsearch deployment.
    76. 

  76. 

  77. [[allowed-script-types-setting]]
    78. 

  78. [float]
    79. 

  79. === Allowed script types setting
    80. 

  80. 

  81. By default all script types are allowed to be executed.  This can be modified using the
    82. 

  82. setting `script.allowed_types`.  Only the types specified as part of the setting will be
    83. 

  83. allowed to be executed.  To specify no types are allowed, set `script.allowed_types` to
    84. 

  84. be `none`.
    85. 

  85. 

  86. [source,yaml]
    87. 

  87. ----
    88. 

  88. script.allowed_types: inline <1>
    89. 

  89. ----
    90. 

  90. <1> This will allow only inline scripts to be executed but not stored scripts
    91. 

  91. (or any other types).
    92. 

  92. 

  93. [[allowed-script-contexts-setting]]
    94. 

  94. [float]
    95. 

  95. === Allowed script contexts setting
    96. 

  96. 

  97. By default all script contexts are allowed to be executed.  This can be modified using the
    98. 

  98. setting `script.allowed_contexts`.  Only the contexts specified as part of the setting will
    99. 

  99. be allowed to be executed.  To specify no contexts are allowed, set `script.allowed_contexts`
    100. 

  100. to be `none`.
    101. 

  101. 

  102. [source,yaml]
    103. 

  103. ----
    104. 

  104. script.allowed_contexts: search, update <1>
    105. 

  105. ----
    106. 

  106. <1> This will allow only search and update scripts to be executed but not
    107. 

  107. aggs or plugin scripts (or any other contexts).
    108.