Sandboxing in s-Server

s-Server lets you implement s-Server in sandboxed mode. This sets up a restricted environment for non-administrator users; you need to create these users before they can access the sandboxed environment. This mode prevents users from doing anything that might be dangerous to either s-Server or other systems, such as deploying a function that deletes files or using JDBC to access external databases.

Sandboxing Process

To set up a sandboxed environment, do the following:

  1. Log in to s-Server as an administrator.
  2. Create a non-administrator user.
  3. Alter s-Server to run in "sandboxed" mode.
  4. Grant privileges to the non-administrator user.

The non-administrator ("sandboxed") user can then log in to s-Server, but will only be able to perform a limited set of DDL or DML with granted privileges. These users can create local tables and streams and query or insert into these, but cannot, for example, create server objects or foreign tables.

s-Server makes extensive use of server objects and foreign streams to import data. An administrator will need to grant "sandboxed" users permission to access foreign streams, or use pumps to move data from foreign streams to local streams. See the Integrating Guavus SQLstream with Other Systems for more details.

Implementing Sandboxing

To implement sandboxing, you need to log on as a user with administrator privileges (the default s-Server user has such privileges) and execute the following command:

ALTER SYSTEM "sandboxed" = TRUE;

This alters the system (recording in the catalog), putting the following restrictions for non-administrator users in place:

  • Disallows creation of any Java-based - user defined function, user defined procedure, or user defined transform unless these refer to a Java function that is annotated with the @AllowedInSandbox annotation.
  • Disallows the commands ALTER SYSTEM, ALTER SESSION, CREATE JAR, IMPORT FOREIGN SCHEMA, CREATE USER, CREATE SERVER, CREATE FOREIGN STREAM, and CREATE FOREIGN TABLE.
  • Disallows direct access to imported schemas in the SYS_BOOT catalog.

Non-administrator users can still create indexes, functions, local tables, and local streams in a sandboxed environment. They can also create views or pumps, provided they have access to the objects these reference, such as the source and target for a pump.

Setting the sandboxedFeatures Variable

You can sandbox additional features by setting a variable called sandboxedFeatures. This lets you sandbox the following extra features:

  • AlterPump
  • CreateIndex
  • CreatePumpStarted
  • CreatePumpStopped
  • CreateSchema
  • CreateStream
  • CreateTable
  • CreateView
  • DropSchema
  • DropStream
  • Grant

An additional variable, ContextVariables, lets you control the use of context variables such as USER and _CURRENTPATH.

To do so, you need to log on as a user with administrator privileges (the default s-Server user has such privileges) and execute a command along the following lines:

alter system set "sandboxedFeatures" = 'ContextVariables,Grant,CreateTable';
--sandboxes CreateTable
alter system set "sandboxedFeatures" = 'CreateSchema,CreateView,CreateTable,CreateIndex,Grant,DropSchema,ContextVariables,CreatePumpStarted,AlterPump,CreateStream,DropStream';
--sandboxes all extra features

This variable has no effect unless "sandboxed" is also set to true.

Creating a Non-Administrator User

CREATE USER Syntax

CREATE USER <user> [IDENTIFIED BY ‘aPassword’] DEFAULT CATALOG localdb;

This will create a new non-administrator user that by default will not have access to any system tables or functions (even in non-sandboxed environments). Only the creator of an object or schema (or the administrator) is allowed to drop or alter it.

Granting Users Permissions

Administrators can use the following SQL to grant access to foreign streams and tables, as well as system tables and streams or views based on system tables and streams:

GRANT <permission> { , <permission> }
TO <user>;

Administrators can use the following SQL to grant access to system functions:

GRANT EXECUTE ON SPECIFIC FUNCTION <function> TO <user>;

List of Permissions

Permission Repository objects to which permission applies
Select Tables, streams, views
Insert Tables, streams
Update Tables
Delete Streams
Execute user-defined routines, user defined functions, user-defined procedures, or user-defined transforms)