Updated security docs a bit for Gremlin Server CTR
Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/9a695169 Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/9a695169 Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/9a695169 Branch: refs/heads/TINKERPOP-1730 Commit: 9a695169d59213e7ddf80eb4d08a897815fa7466 Parents: 97aef32 Author: Stephen Mallette <sp...@genoprime.com> Authored: Tue Sep 19 13:43:03 2017 -0400 Committer: Stephen Mallette <sp...@genoprime.com> Committed: Tue Sep 19 13:56:26 2017 -0400 ---------------------------------------------------------------------- docs/src/reference/gremlin-applications.asciidoc | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/9a695169/docs/src/reference/gremlin-applications.asciidoc ---------------------------------------------------------------------- diff --git a/docs/src/reference/gremlin-applications.asciidoc b/docs/src/reference/gremlin-applications.asciidoc index 7e72d33..5af699f 100644 --- a/docs/src/reference/gremlin-applications.asciidoc +++ b/docs/src/reference/gremlin-applications.asciidoc @@ -384,6 +384,10 @@ on how to develop a driver for Gremlin Server. By default, communication with Gremlin Server occurs over link:http://en.wikipedia.org/wiki/WebSocket[WebSocket] and exposes a custom sub-protocol for interacting with the server. +WARNING: Gremlin Server allows for the execution of remotely submitted "scripts" (i.e. arbitrary code sent by a client +to the server). Developers should consider the security implications involved in running Gremlin Server without the +appropriate precautions. Please review the <<script-execution,Script Execution Section>> for more information. + [[starting-gremlin-server]] Starting Gremlin Server ~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -1328,8 +1332,14 @@ some problems would be, `while(true) {}`, which would consume a thread in the Gr preventing it from serving other requests. Sending enough of these kinds of scripts would eventually consume all available threads and Gremlin Server would stop responding. -Gremlin Server (more specifically the `GremlinGroovyScriptEngine`) provides methods to protect itself from these -kinds of troublesome scripts. A user can configure the script engine with different `CompilerCustomizerProvider` +Scripts have access to the full power of their language and the JVM on which they are running. This means that they +can access certain APIs that have nothing to do with Gremlin itself, such as `java.lang.System` or the `java.io` +and `java.net` packages. Scripts offer developers a lot of flexibility, but having that flexibility comes at the cost +of safety. A Gremlin Server instance that is not secured appropriately provides for a big security risk. + +The previous sections discussed methods for securing Gremlin Server through authentication and encryption, which is a +good first step in protection. Another layer of protection comes in the form of specific configurations for the +`GremlinGroovyScriptEngine`. A user can configure the script engine with different `CompilerCustomizerProvider` implementations. Consider the basic configuration from the Gremlin Server YAML file: [source,yaml]
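Review bot: In the first hunk (@@ -384,6 +384,10 @@), the new WARNING links to `<<script-execution,Script Execution Section>>`, but neither hunk of this patch defines a `[[script-execution]]` anchor. Please confirm that the anchor already exists in gremlin-applications.asciidoc, otherwise the cross-reference will not resolve in the rendered docs. The phrase "appropriate precautions" is also vague for a warning block. Naming the precautions the second hunk refers to (authentication, encryption and the `GremlinGroovyScriptEngine` configuration) would tell the reader what to look for before following the link.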
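Review bot: In the second hunk (@@ -1328,8 +1332,14 @@), the rewritten lead-in to `CompilerCustomizerProvider` no longer says what the script engine configuration protects against. The removed sentence tied it to "these kinds of troublesome scripts" (the `while(true) {}` thread-exhaustion case in the context above). The new text adds a second concern, access to `java.lang.System`, `java.io` and `java.net`, and then calls the configuration only "another layer of protection". Suggest stating which of the two problems (runaway scripts, access to non-Gremlin APIs) the customizers address, so that a reader does not assume both are covered by the basic configuration that follows. It would also help to say why authentication and encryption are only a "good first step". As written, the paragraph does not say that an authenticated client can still submit arbitrary scripts. As a style point, "provides for a big security risk" reads awkwardly. Consider "poses a significant security risk".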