Painless and Elasticsearch implement layers of security to build a defense in depth strategy for running scripts safely.
Painless uses a fine-grained allowlist. Anything that is not part of the allowlist results in a compilation error. This capability is the first layer of security in a defense in depth strategy for scripting.
The second layer of security is the Java Security Manager. As part of its startup sequence, Elasticsearch enables the Java Security Manager to limit the actions that portions of the code can take. Painless uses the Java Security Manager as an additional layer of defense to prevent scripts from doing things like writing files and listening to sockets.
You can modify the following script settings to restrict the type of scripts that are allowed to run, and control the available contexts that scripts can run in. To implement additional layers in your defense in depth strategy, follow the Elasticsearch security principles.
Allowed script types settingedit
Elasticsearch supports two script types:
stored. By default, Elasticsearch is
configured to run both types of scripts. To limit what type of scripts are run,
stored. To prevent any scripts from
If you use Kibana, set
script.allowed_types to both or just
Some Kibana features rely on inline scripts and do not function as expected
if Elasticsearch does not allow inline scripts.
For example, to run
inline scripts but not
Allowed script contexts settingedit
By default, all script contexts are permitted. Use the
setting to specify the contexts that are allowed. To specify that no contexts
are allowed, set
For example, to allow scripts to run only in
script.allowed_contexts: score, update