Configuring the Graph sandbox

Where is the dse.yaml file?

The location of the dse.yaml file depends on the type of installation:

Installation Type Location

Package installations + Installer-Services installations

/etc/dse/dse.yaml

Tarball installations + Installer-No Services installations

<installation_location>/resources/dse/conf/dse.yaml

DSE Graph has sandbox rules enabled by default to prevent malicious code execution in the JVM that could harm a DSE instance.

The Graph sandbox is enabled by default in DSE 5.0.11 and later and DSE 5.1.4 and later.

Sandbox rules are defined to both blacklist (disallow execution) and whitelist (allow execution) packages, superclasses and types. The default sandbox rules may be overridden in the dse.yaml file. The sandbox rules are applied in the following order:

  1. blacklist_supers, including all classes that implement or extend the listed items

  2. blacklist_packages, including all sub-packages

  3. whitelist_packages, including all sub-packages

  4. whitelist_types, not including sub-classes, but only the specified type

  5. whitelist_supers, including all classes that implement or extend the listed items

Any types not specified in the whitelist are blocked by default. If an item is blacklisted, it cannot be placed in the whitelist unless it is removed from the blacklist; an error occurs and the item is blocked.

Two classes are hard-coded as blacklisted and cannot be whitelisted:

  • java.lang.System: All methods other than currentTimeMillis and nanoTime are blocked (blacklisted).

  • java.lang.Thread: currentThread().isInterrupted is an allowed method that can return a wrapped thread with toString, and sleep is another allowed method, and all other methods are disallowed.

An example of possible whitelisted and blacklisted items in the gremlin_server section of the dse.yaml file:

gremlin_server:
     port: 8182
     threadPoolWorker: 2
     gremlinPool: 0
        scriptEngines:
            gremlin-groovy:
                config:
 #                  sandbox_enabled: false
                       sandbox_rules:
                            whitelist_packages:
                            - org.apache.tinkerpop.gremlin.process
                            - java.nio
                        whitelist_types:
                            - java.lang.String
                            - java.lang.Boolean
                            - com.datastax.bdp.graph.spark.SparkSnapshotBuilderImpl
                            - com.datastax.dse.graph.api.predicates.Search
                        whitelist_supers:
                            - groovy.lang.Script
                            - java.lang.Number
                            - java.util.Map
                            - org.apache.tinkerpop.gremlin.process.computer.GraphComputer
                        blacklist_packages:
                            - java.io
                            - org.apache.tinkerpop.gremlin.structure.io
                            - org.apache.tinkerpop.gremlin.groovy.jsr223
                            - java.nio.channels
                        blacklist_supers:
                            - java.lang.System
                            - java.io.File
                            - org.apache.tinkerpop.gremlin.structure.Transaction

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com