Manybubbles has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/155065

Change subject: Expand Elasticsearch groovy sandbox
......................................................................

Expand Elasticsearch groovy sandbox

Elasticsearch 1.3 comes with groovy as a scripting language and it is
sandboxed a tiny bit too tight for Cirrus.  This expands the sandbox slightly.
It does not disable dynamic scripting - we can't do that until we've fully
ported Cirrus to groovy and we can't do that until 1.3 is already live.

Technically this will change the groovy sandbox for all Elasticsearches we
have in production but the change isn't going to hurt anything.

Change-Id: Iebd0a94888140a836189580c38ee4666dc5df8b2
---
M modules/elasticsearch/templates/elasticsearch.yml.erb
1 file changed, 89 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/65/155065/1

diff --git a/modules/elasticsearch/templates/elasticsearch.yml.erb 
b/modules/elasticsearch/templates/elasticsearch.yml.erb
index a309276..701db7d 100644
--- a/modules/elasticsearch/templates/elasticsearch.yml.erb
+++ b/modules/elasticsearch/templates/elasticsearch.yml.erb
@@ -452,3 +452,92 @@
 <% end -%>
 <% end -%>
 <% end -%>
+
+
+
+##
+# Groovy sandboxing
+##
+# Cirrus will start to use groovy soon.  By default the sandbox is too
+# restrictive so we have to allow additional access.
+script.groovy.sandbox.class_whitelist:
+ #Defaults
+ - java.util.Date
+ - java.util.Map
+ - java.util.List
+ - java.util.Set
+ - java.util.ArrayList
+ - java.util.Arrays
+ - java.util.HashMap
+ - java.util.HashSet
+ - java.util.UUID
+ - java.math.BigDecimal
+ - org.joda.time.DateTime
+ - org.joda.time.DateTimeZone
+ - org.elasticsearch.common.joda.time.DateTime
+ - org.elasticsearch.common.joda.time.DateTimeZone
+ # Added for Cirrus
+ - java.util.Locale
+ - org.apache.lucene.util.automaton.RegExp
+ - org.apache.lucene.util.automaton.CharacterRunAutomaton
+script.groovy.sandbox.package_whitelist:
+ # Defaults
+ - java.util
+ - java.lang
+ - org.joda.time
+ - org.elasticsearch.common.joda.time
+ # Added for Cirrus
+ - org.apache.lucene.util.automaton
+script.groovy.sandbox.receiver_whitelist:
+ # Defaults
+ - java.lang.Math
+ - java.lang.Integer
+ - "[I"
+ - "[[I"
+ - "[[[I"
+ - java.lang.Float
+ - "[F"
+ - "[[F"
+ - "[[[F"
+ - java.lang.Double
+ - "[D"
+ - "[[D"
+ - "[[[D"
+ - java.lang.Long
+ - "[J"
+ - "[[J"
+ - "[[[J"
+ - java.lang.Short
+ - "[S"
+ - "[[S"
+ - "[[[S"
+ - java.lang.Character
+ - "[C"
+ - "[[C"
+ - "[[[C"
+ - java.lang.Byte
+ - "[B"
+ - "[[B"
+ - "[[[B"
+ - java.lang.Boolean
+ - "[Z"
+ - "[[Z"
+ - "[[[Z"
+ - java.math.BigDecimal
+ - java.util.Arrays
+ - java.util.Date
+ - java.util.List
+ - java.util.Map
+ - java.util.Set
+ - java.lang.Object
+ - org.joda.time.DateTime
+ - org.joda.time.DateTimeUtils
+ - org.joda.time.DateTimeZone
+ - org.joda.time.Instant
+ - org.elasticsearch.common.joda.time.DateTime
+ - org.elasticsearch.common.joda.time.DateTimeUtils
+ - org.elasticsearch.common.joda.time.DateTimeZone
+ - org.elasticsearch.common.joda.time.Instant
+ # Added for Cirrus
+ - org.apache.lucene.util.automaton.RegExp
+ - org.apache.lucene.util.automaton.CharacterRunAutomaton
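
Review bot: The entries under the "Defaults" comments in all three lists (class_whitelist, package_whitelist, receiver_whitelist) are hard-coded copies with no record of which Elasticsearch release they were taken from, so once this template is deployed any later change to the upstream defaults has to be mirrored here by hand. Since the commit message says dynamic scripting stays enabled, these lists are the effective boundary for scripts, and it would help to add a comment naming the source version (the commit message mentions 1.3) so the copies can be re-checked on each upgrade. Two smaller points: package_whitelist admits the whole `org.apache.lucene.util.automaton` package while the class and receiver lists name only `RegExp` and `CharacterRunAutomaton`, so please confirm the package-level entry is required and say why in the comment; and the first list uses `#Defaults` where the other two use `# Defaults`. The block is also added unconditionally at the end of the template, which matches the commit message's note that every production cluster is affected, but a short comment saying so would save the next reader from checking.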


Gerrit-MessageType: newchange
Gerrit-Change-Id: Iebd0a94888140a836189580c38ee4666dc5df8b2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Manybubbles <[email protected]>
