[ https://issues.apache.org/jira/browse/TRAFODION-1578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14995560#comment-14995560 ]

Hans Zeller commented on TRAFODION-1578:
----------------------------------------

To add a bit more info about the security issues with UDRs (User-defined 
Routines):

There are trusted and isolated UDRs: Trusted UDRs run in the Trafodion engine 
and can bypass any security rules like GRANT/REVOKE. Therefore, only trusted 
users can write such UDRs. Isolated UDRs run in a separate process under a 
different user id and should not be able to break security rules.

Right now, Trafodion has neither. UDRs run in a separate process, but that 
process runs under the Trafodion id. That will need to change and we can also 
implement trusted UDRs.

Another issue is spoofing. We need to make sure that an attacker can't execute 
arbitrary code through the UDR mechanism. Our plan to solve that is by doing 
the following:

- Require that UDR libraries reside in a directory that is controlled by 
Trafodion, such that users other than the Trafodion id can't directly add or 
modify them.
- Require a special privilege to create trusted libraries and another (lesser) 
privilege to create isolated libraries. Creating a library involves taking user 
code in the form of a file in HDFS, a URL, or a local file on the server. Venkat 
is planning to add a GUI function to provide a client file as the code of a 
library.
- Have one or more special user ids that execute UDRs; don't run the MXUDR 
process under the Trafodion id as is done today.

> Proposal for SPJ management
> ---------------------------
>
>                 Key: TRAFODION-1578
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-1578
>             Project: Apache Trafodion
>          Issue Type: Improvement
>          Components: connectivity-dcs
>            Reporter: Kevin Xu
>
> JAR upload process:
> 1. Initialize the JAR upload procedure by default.
> 2. JAR upload by Trafci (add library LIB_NAME JAR_LOCAL_PATH). Upload and 
> create library will be done here. Also, you can upload only the JARs with the 
> UPLOAD command on Trafci, which will not create a lib.
>    Tip: Before putting the JAR into HDFS, check the MD5 first; if the file 
> exists, only add a record in the metadata table, in case users upload the same 
> JAR many times on the platform.
> 3. On the server side, the JAR will be stored in HDFS. At the same time, the 
> JAR metadata (path in HDFS, MD5 of the file, and others) is stored in the 
> stored procedure metadata table.
> 4. create procedure is the same as now.
> JAR execution process:
> 1. Send a CALL via Trafci/JDBC/ODBC/ADO.NET.
> 2. DCSMaster assigns a DCSServer for the CALL.
> 3. DCSServer starts a JVM for the user. The user can modify JVM options, 
> program properties and the Java classpath. At the same time, a monitor class 
> will be started in the JVM which will register a node on Zookeeper for this 
> JVM, as well as metadata info (process id, server info and so on); the node 
> will be removed when the JVM exits. It allows the customer to specify a JVM 
> idle time, for some real-time scenarios like a Kafka consumer. 
> 4. Useful commands on Trafci: list all JVMs of a user; kill one of them that 
> is no longer in use; restart JVMs with the latest JARs, and so on.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)