Recommended security settings now that 'disable_dynamic' is deprecated?

[jeffwidman]

Several threads about the ElasticSearch addon suggest setting:

script.disable_dynamic: true

However, that was deprecated in ElasticSearch 1.6. What are the new recommended settings?

I looked through the docs, but I'm not sure what they mean when they refer to 'languages that are sandboxed'. cc @Xon @eva2000 @Slavik

It looks like dynamic scripting is still disabled by default, but for these kinds of things I like to explicitly set it just in case the defaults ever change down the road.

Also, with this setting being deprecated, do I still need to copy the /path/to/Xenforo/library/XenES/_scripts/*.groovy files over to /etc/elasticsearch/scripts/ ?

 

[Mike]

The deprecation is of the particular option. It is being replaced with a few options to allow the same limits and more. What was dynamic scripting appears to be script.inline now.

...but I'm not sure what they mean when they refer to 'languages that are sandboxed'.

Higher up that page they list the available languages and whether they are sandboxed.

Also, with this setting being deprecated, do I still need to copy the /path/to/Xenforo/library/XenES/_scripts/*.groovy files over to /etc/elasticsearch/scripts/ ?

Yes, especially if you are disabling script.inline (but allowing script.file). Note that our script implementations aren't in sandboxed languages.