Jedox Integrator: Security of Script Jobs and Functions


Jedox Integrator contains several generic, mainly script-based standard components:

  • functions: Groovy, JavaScript, Java
  • transform: RScript
  • jobs: Groovy, JavaScript

The security of these components can be defined on several levels:

1. On Operating System level

Code inside a script runs with the authorizations of the OS user of the JedoxSuiteTomcatService service.
By assigning limited filesystem and network access to this user on the OS (Windows and Linux), all script-based components are restricted.

Note that this restriction also applies to the complete Jedox installation.

2. Deactivation of Integrator components

Unused Integrator server components can be set to inactive in this way:

In file <Installation Path>\tomcat\webapps\etlserver\config\customer\component.xml, add a section for the component with the attribute status="inactive" (e.g. by copying the corresponding section from file .\config\standard\component.xml):

    <jobs>
        <job>
            <component name="JavaScript" class="com.jedox.etl.components.job.JavaScript" status="inactive">
            </component>
        </job>
    </jobs>

Then restart the JedoxSuiteTomcatService service.

3. Groovy Sandbox

The Groovy sandbox allows the precise definition of the Java packages and classes that may be used in functions and jobs of type Groovy. By default, the Groovy sandbox is disabled and all Java classes are allowed.

The Groovy Sandbox can be configured in file <Installation Path>\tomcat\webapps\etlserver\config\groovy.xml:

  • It is enabled by setting <security enabled="true">
  • <defaults>true</defaults>
    Allows the usage of some basic Java classes used e.g. for arithmetical operations: Boolean, String, Integer, Double, Long, Float, Short, Byte, BigDecimal, BigInteger, Date, Math, Calendar, GregorianCalendar
  • <apis>true</apis>
    Allows the usage of the Integrator Scripting API e.g. via API.executeJob()
    (see: https://knowledgebase.jedox.com/knowledgebase/scripting-api/ )
  • <allows>
    A whitelist of Java classes and packages which are explicitly allowed. By default, in the Groovy sandbox no Java class/package is allowed. Packages are defined with the "*" wildcard.
  • <denies>
    A blacklist of Java classes and packages which are explicitly not allowed for usage. The allow list is evaluated first; the deny list is then applied, so anything on it is forbidden even if it matches an allow rule.

Example: Allow all classes from package java.util except the class java.util.HashMap:

    <allows>
        <allow>java.util.*</allow>
    </allows>

    <denies>
        <deny>java.util.HashMap</deny>
    </denies>
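
The allow/deny evaluation described above can be checked offline before a groovy.xml change is deployed. The following Python script is an added example, not Jedox code: it models the rules as this page states them and reports which classes from a reviewer's checklist a Groovy script could still use. Assumptions: the nesting of the elements under <security>, the prefix reading of the "*" wildcard, the mapping of the default class names to JDK classes, and all function names.

```python
import xml.etree.ElementTree as ET

# Assumption: the simple names the page lists for <defaults> are these JDK classes.
DEFAULTS = {"java.lang." + n for n in
            "Boolean String Integer Double Long Float Short Byte Math".split()}
DEFAULTS |= {"java.math.BigDecimal", "java.math.BigInteger", "java.util.Date",
             "java.util.Calendar", "java.util.GregorianCalendar"}

# Constructed sample. Only elements named on the page are used; their nesting
# under <security> is an assumption.
SAMPLE = """<security enabled="true">
  <defaults>true</defaults>
  <allows><allow>java.util.*</allow></allows>
  <denies><deny>java.util.HashMap</deny></denies>
</security>"""

def load_policy(xml_text):
    root = ET.fromstring(xml_text)
    sec = root if root.tag == "security" else root.find(".//security")
    if sec is None:  # no <security> element: sandbox is off, the page's default
        return {"enabled": False, "defaults": False, "allows": [], "denies": []}
    rules = lambda tag: [e.text.strip() for e in sec.iter(tag) if e.text and e.text.strip()]
    return {"enabled": sec.get("enabled", "false").strip().lower() == "true",
            "defaults": (sec.findtext("defaults") or "").strip().lower() == "true",
            "allows": rules("allow"), "denies": rules("deny")}

def matches(rule, cls):
    # Assumption: "pkg.*" covers every class name that starts with "pkg.".
    return cls.startswith(rule[:-1]) if rule.endswith(".*") else rule == cls

def is_allowed(policy, cls):
    if not policy["enabled"]:
        return True  # sandbox disabled: all Java classes are allowed
    if any(matches(r, cls) for r in policy["denies"]):
        return False  # deny wins over allow (assumed to win over defaults too)
    if policy["defaults"] and cls in DEFAULTS:
        return True
    return any(matches(r, cls) for r in policy["allows"])  # nothing else is allowed

def audit(policy, classes):
    """Return the subset of `classes` that a Groovy script could use."""
    return [c for c in classes if is_allowed(policy, c)]

if __name__ == "__main__":
    # Classes giving process, file and network access, as a reviewer's checklist.
    watch = ["java.lang.Runtime", "java.lang.ProcessBuilder", "java.io.File",
             "java.net.Socket", "java.util.HashMap", "java.util.ArrayList"]
    print(audit(load_policy(SAMPLE), watch))
```

With the sandbox disabled, or with no <security> element present, every class on the checklist is reported as usable, which matches the default behaviour described above.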

 

Notes:

  • The usage of the Groovy Sandbox may result in a slight decrease in performance of Groovy functions and jobs in some cases, especially if many allow/deny rules are defined and many different classes are used.
  • The usage of Java Security Manager on the JVM is not supported.