Configuring DSE Graph Security
Where is the dse.yaml
file?
The location of the dse.yaml
file depends on the type of installation:
Installation Type | Location |
---|---|
Package installations + Installer-Services installations |
|
Tarball installations + Installer-No Services installations |
|
Graph sandbox and whitelisted/blacklisted code
The DSE Graph sandbox, configured in the dse.yaml
file under the gremlin-server:
key, is enabled by default.
This security feature prevents malicious code execution in the JVM that could harm a DSE instance.
Sandbox rules are defined to both blacklist (disallow execution) and whitelist (allow execution) packages, superclasses and types.
For Java/Groovy code entered in the Gremlin console, only the specified allowed operations will execute.
The default sandbox rules may be overridden in the dse.yaml
file.
The sandbox rules are applied in the following order:
-
blacklist_supers
, including all classes that implement or extend the listed items -
blacklist_packages
, including all sub-packages -
whitelist_packages
, including all sub-packages -
whitelist_types
, not including sub-classes, but only the specified type -
whitelist_supers
, including all classes that implement or extend the listed items
Any types not specified in the whitelist are blocked by default. If an item is blacklisted, it cannot be placed in the whitelist unless it is removed from the blacklist; otherwise, an error occurs and the item is blocked.
Two classes are hard-coded as blacklisted and cannot be whitelisted:
An example of possible whitelisted and blacklisted items in the |
gremlin_server:
port: 8182
threadPoolWorker: 2
gremlinPool: 0
scriptEngines:
gremlin-groovy:
config:
# sandbox_enabled: false
sandbox_rules:
whitelist_packages:
- org.apache.tinkerpop.gremlin.process
- java.nio
whitelist_types:
- java.lang.String
- java.lang.Boolean
- com.datastax.bdp.graph.spark.SparkSnapshotBuilderImpl
- com.datastax.dse.graph.api.predicates.Search
whitelist_supers:
- groovy.lang.Script
- java.lang.Number
- java.util.Map
- org.apache.tinkerpop.gremlin.process.computer.GraphComputer
blacklist_packages:
- java.io
- org.apache.tinkerpop.gremlin.structure.io
- org.apache.tinkerpop.gremlin.groovy.jsr223
- java.nio.channels
The Fluent API restricts the allowable operations to secure execution, but uses the sandbox to enable lambda functions.
Authentication, authorization, and encryption
DSE can authenticate or authorize access by users, secure the stored data with encryption, or secure Gremlin console with SSL, based on Graph vertex labels or graphs, as applicable.
DSE Graph security is managed by DSE security.
As noted in this topic, you can modify the Graph Sandbox by customizing the gremlin-server:
key of the dse.yaml
file.
To configure the DSE Graph Gremlin console connection to the Gremlin Server, customize the remote.yaml
file for your environment.
DSE Graph also supports auditing using DSE auditing; for details, refer to Setting up database auditing.
Restrict lambda
Lambda restriction is enabled by default to block arbitrary code execution in Gremlin traversals.
Most applications should not require user-defined lambda functions.
If lambda functions are required, disable lambda restrictions using the Schema API to change the restrict_lambda
(default: true) option.
See Apache TinkerPop documentation for more information on lambda functions. |