Code executed by a script-enabled Flex action has a number of restrictions placed upon it. This is to prevent operations that might affect system stability and security. A whitelist policy is enforced that controls which packages and classes a script is allowed to use.
File System Access
Files can only be accessed in the mounted directory `/flex/flex-enterprise/storage/media` and below.
JVM Features
- File API (outside of `/flex/flex-enterprise/storage/media`)
- Direct SQL access
- Reflection
Groovy Features
- Array execution
- String execution
Classes
Methods
Adding Permissions
Flex allows you to add system-wide permissions via a JSON document in the Consul KV key `flex/flex-jobasyncexecutor-service/securityPolicyPermissions`, but it should be understood that this is a security risk. The example below shows how to allow access to the classes in the package `org.apache.groovy.internal.util` (permission name `accessClassInPackage.org.apache.groovy.internal.util`) and how to allow reading and writing files in `/home/ftpusers`:
```json
{
  "permissions": [
    {
      "type": "RuntimePermission",
      "name": "accessClassInPackage.org.apache.groovy.internal.util"
    },
    {
      "type": "FilePermission",
      "name": "/home/ftpusers/*",
      "action": "read,write"
    }
  ]
}
```
In Flex versions prior to 2021.8.0 you will need to restart the `flex-jobasyncexecutor-service` after updating this Consul KV. From version 2021.8.0 onwards, a restart is not needed.
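Because every entry in this document widens the sandbox for all scripts, it is worth reviewing it before it is written to Consul. The following is an added example, not Flex code: a small Python audit of a permissions document. It assumes that the `type`, `name` and `action` fields map onto the Java permission classes of the same name, so that `java.io.FilePermission` path rules apply; the function names and the two extra sample entries are constructed for illustration.

```python
import json

# Assumption: "type"/"name"/"action" map onto the Java permission classes of the
# same name, so java.io.FilePermission path rules apply to FilePermission names.
RISKY_RUNTIME = {"createClassLoader", "setSecurityManager", "accessDeclaredMembers"}

def file_scope(name):
    """Classify a FilePermission name by java.io.FilePermission path semantics."""
    if name == "<<ALL FILES>>":
        return "all files"
    if name.endswith("/-"):
        return "recursive"      # the directory and everything below it
    if name.endswith("/*"):
        return "directory"      # direct children only, not subdirectories
    return "single path"

def audit(policy_json):
    """Return (entry index, finding) pairs for grants that deserve review."""
    findings = []
    for i, p in enumerate(json.loads(policy_json).get("permissions", [])):
        ptype, name = p.get("type", ""), p.get("name", "")
        actions = {a.strip() for a in p.get("action", "").split(",") if a.strip()}
        if ptype == "FilePermission":
            scope = file_scope(name)
            if scope in ("all files", "recursive") and actions & {"write", "delete", "execute"}:
                findings.append((i, f"{scope} grant with {sorted(actions)}"))
            elif "execute" in actions:
                # In Java, "execute" is what permits Runtime.exec on the path.
                findings.append((i, "execute allows scripts to start processes"))
        elif ptype == "RuntimePermission":
            if name in RISKY_RUNTIME or name == "*":
                findings.append((i, f"RuntimePermission {name} weakens the sandbox"))
            elif name.startswith("accessClassInPackage."):
                findings.append((i, "opens package " + name.split(".", 1)[1]))
    return findings

# The page's example (entries 0 and 1) plus two constructed entries for contrast.
SAMPLE = """{"permissions": [
  {"type": "RuntimePermission", "name": "accessClassInPackage.org.apache.groovy.internal.util"},
  {"type": "FilePermission", "name": "/home/ftpusers/*", "action": "read,write"},
  {"type": "FilePermission", "name": "/home/-", "action": "read,write"},
  {"type": "RuntimePermission", "name": "createClassLoader"}
]}"""

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE):
        print(f"permissions[{idx}]: {msg}")
```

Under those Java path rules, the page's `/home/ftpusers/*` grant covers only files directly inside `/home/ftpusers`, which is why the audit does not flag it the way it flags the recursive `/home/-` entry.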
Comments
1 comment
For some reason I cannot edit this article and submit it for review. Anyway, this is the list of available permission types for JAE:
list (it might change based on JAE version)
Also check the Java docs to see what options are accepted for each permission:
https://docs.oracle.com/javase/8/docs/api/java/security/Permission.html
Thanks!