Code executed by a script-enabled Flex action has a number of restrictions placed upon it. This is to prevent operations that might affect system stability and security. A whitelist policy is enabled which controls which packages and classes are allowed to be used in a script.
If are you are trying to use a JDK package or class, and are getting a permission issue, please contact your Flex representative so that the development team can evaluation whether it should be included in the default white-list.
File System Access
Files can only be accessed in the mounted directory `/flex/flex-enterprise/storage/media` and below.
JVM Features
- File API (outside of `/flex/flex-enterprise/storage/media`)
- Direct SQL access
- Reflection
Groovy Features
Classes
Methods
Adding Permissions
Flex allows you to add system-wide permissions via a JSON document in the Consul KV
`flex/flex-jobasyncexecutor-service/securityPolicyPermissions`, but it should be understood that this is a security risk. The example below shows how to allow access to the classes in `accessClassInPackage.org.apache.groovy.internal.util` and to be able to read and write files to `/home/ftpusers`:
{
"permissions": [
{
"type": "RuntimePermission",
"name": "accessClassInPackage.org.apache.groovy.internal.util"
},
{
"type": "FilePermission",
"name": "/home/ftpusers/*",
"action": "read,write"
}
]
}
In Flex versions prior to 2021.8.0 you will need to restart the `flex-jobasyncexecutor-service` after updating this Consul KV. Versions from 2021.8.0 onwards you do not.
Comments
0 comments
Please sign in to leave a comment.