Ottomata has submitted this change and it was merged. Change subject: Expand Elasticsearch groovy sandbox ......................................................................
Expand Elasticsearch groovy sandbox Elasticsearch 1.3 comes with groovy as a scripting language and it is sandboxed a tiny bit too tight for Cirrus. This expands the sandbox slightly. It does not disable dynamic scripting - we can't do that until we've fully ported Cirrus to groovy and we can't do that until 1.3 is already live. Technically this will change the groovy sandbox for all Elasticsearch's we have in production but the change isn't going to hurt anything. Change-Id: Iebd0a94888140a836189580c38ee4666dc5df8b2 --- M modules/elasticsearch/templates/elasticsearch.yml.erb 1 file changed, 89 insertions(+), 0 deletions(-) Approvals: Ottomata: Verified; Looks good to me, approved diff --git a/modules/elasticsearch/templates/elasticsearch.yml.erb b/modules/elasticsearch/templates/elasticsearch.yml.erb index 4dcf824..c14f573 100644 --- a/modules/elasticsearch/templates/elasticsearch.yml.erb +++ b/modules/elasticsearch/templates/elasticsearch.yml.erb @@ -452,3 +452,92 @@ <% end -%> <% end -%> <% end -%> + + + +## +# Groovy sandboxing +## +# The default sandbox for Groovy is too restrictive for Cirrus. This adds a +# few more allowed invocations. +script.groovy.sandbox.class_whitelist: + #Defaults + - java.util.Date + - java.util.Map + - java.util.List + - java.util.Set + - java.util.ArrayList + - java.util.Arrays + - java.util.HashMap + - java.util.HashSet + - java.util.UUID + - java.math.BigDecimal + - org.joda.time.DateTime + - org.joda.time.DateTimeZone + - org.elasticsearch.common.joda.time.DateTime + - org.elasticsearch.common.joda.time.DateTimeZone + # Added for Cirrus + - java.util.Locale + - org.apache.lucene.util.automaton.RegExp + - org.apache.lucene.util.automaton.CharacterRunAutomaton +script.groovy.sandbox.package_whitelist: + # Defaults + - java.util + - java.lang + - org.joda.time + - org.elasticsearch.common.joda.time + # Added for Cirrus + - org.apache.lucene.util.automaton +script.groovy.sandbox.receiver_whitelist: + # Defaults + - java.lang.Math + - java.lang.Integer + - "[I" + - "[[I" + - "[[[I" + - java.lang.Float + - "[F" + - "[[F" + - "[[[F" + - java.lang.Double + - "[D" + - "[[D" + - "[[[D" + - java.lang.Long + - "[J" + - "[[J" + - "[[[J" + - java.lang.Short + - "[S" + - "[[S" + - "[[[S" + - java.lang.Character + - "[C" + - "[[C" + - "[[[C" + - java.lang.Byte + - "[B" + - "[[B" + - "[[[B" + - java.lang.Boolean + - "[Z" + - "[[Z" + - "[[[Z" + - java.math.BigDecimal + - java.util.Arrays + - java.util.Date + - java.util.List + - java.util.Map + - java.util.Set + - java.lang.Object + - org.joda.time.DateTime + - org.joda.time.DateTimeUtils + - org.joda.time.DateTimeZone + - org.joda.time.Instant + - org.elasticsearch.common.joda.time.DateTime + - org.elasticsearch.common.joda.time.DateTimeUtils + - org.elasticsearch.common.joda.time.DateTimeZone + - org.elasticsearch.common.joda.time.Instant + # Added for Cirrus + - org.apache.lucene.util.automaton.RegExp + - org.apache.lucene.util.automaton.CharacterRunAutomaton -- To view, visit https://gerrit.wikimedia.org/r/155065 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Iebd0a94888140a836189580c38ee4666dc5df8b2 Gerrit-PatchSet: 4 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Manybubbles <[email protected]> Gerrit-Reviewer: BryanDavis <[email protected]> Gerrit-Reviewer: Chad <[email protected]> Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]> Gerrit-Reviewer: Ottomata <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
