Skip to content
Hiromu Hota edited this page Jan 25, 2018 · 4 revisions

Secure webSpoon Reference architecture of secure webSpoon

Secure communication (HTTPS)

HTTPS can be configured in Tomcat/Jetty. If webSpoon is deployed to Tomcat, please refer to here.

User authentication

webSpoon itself does not have a user authentication function. Instead of implementing the function to webSpoon, it looks more reasonable to deploy webSpoon to the BI server's Tomcat and let the PUC do the user authentication for webSpoon users. It is still needed to investigate exactly how to integrate the Pentaho's authentication with webSpoon.

User authorization

File access control

Restrict access to the local files, and use files in a file server instead

As some users have already noticed, webSpoon users can browse the file system of the server and can access files/directories that are accessible by the user who runs webSpoon. For example, if the root user runs webSpoon, webSpoon users can read/write all files of the server. This also means that all webSpoon users gain the same access privileges.

An immediate solution for this issue is to restrict access to the local files by

  • Containerize webSpoon (e.g., Docker) and isolate from the outside
  • Run webSpoon in a chrooted Tomcat

In addition, it is recommended to use files in a file server such as SFTP for data inputs/outputs. You can use VFS to access those files. There are many supported file systems: SFTP, HTTPS, WebDAV; and some of them have a user authentication mechanism.

Access control to Kettle files

Pentaho Enterprise Repository offer a user authentication and a fine-grained access control to Kettle files. For this reason, the author (@HiromuHota) recommends using Pentaho Enterprise Repository in webSpoon.

File access control by a custom security manager (experimental)

End-users can be restricted from accessing to the local file system by enabling a (custom) security manager as follows.

  1. Enable user authentication
  2. Copy webspoon-security-8.0.0.0-28-XX.jar to "$CATALINA_HOME"/lib
  3. Edit bin/setenv.sh as CLASSPATH="$CATALINA_HOME"/lib/webspoon-security-8.0.0.0-28-XX.jar
  4. Create $HOME/.kettle/users and $HOME/.pentaho/users if not exist
  5. Define environment variables and restart Tomcat
$ export CATALINA_OPTS="-Djava.security.manager=org.pentaho.di.security.WebSpoonSecurityManager -Djava.security.policy="$CATALINA_HOME"/conf/catalina.policy"
$ ./bin/startup.sh

Your policy file "$CATALINA_HOME"/conf/catalina.policy should include the following permissions.

grant
{
  permission java.io.FilePermission "${java.io.tmpdir}", "read";
  permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
  permission java.io.FilePermission "${catalina.home}/webapps/spoon/rwt-resources", "write,delete";
  permission java.io.FilePermission "${catalina.home}/webapps/spoon/rwt-resources/-", "read,write,delete";

  permission java.io.FilePermission "${java.home}/lib/-", "read";
  permission java.io.FilePermission "${catalina.home}/webapps/spoon/-", "read";
  permission java.io.FilePermission "${user.home}/.pentaho", "read";
  permission java.io.FilePermission "${user.home}/.pentaho/metastore", "read";
  permission java.io.FilePermission "${catalina.home}/lib/-", "read";
  permission java.io.FilePermission "${catalina.home}/plugins/-", "read";
  permission java.io.FilePermission "${catalina.home}/ui/-", "read";
  permission java.io.FilePermission "${catalina.home}/-", "read";
  permission java.io.FilePermission "${catalina.home}/.", "read";
  permission java.io.FilePermission "repositories.xml", "read";
};

How it works

org.pentaho.di.security.WebSpoonSecurityManager is a security manager, tailor-made for webSpoon. It was designed so that only local file access triggered by end-users (more precisely UIThread and its child threads) is controlled. If it is enabled, end-users can only access $HOME/.kettle/users/$username and $HOME/.pentaho/users/$username except for those listed in the policy file.

This effectively restricts steps and job entries such as "Shell" from running because spawning another process requires access to <<ALL FILES>> (meaning anywhere in the local file system). However, this does not apply to "User Defined Java Class" and "Modified Java Script Value" because they are executed within JVM. They are restricted only from accessing outside of permitted directories and not from running.

SpoonGit

The custom security manager and SpoonGit can be used simultaneously with a few restrictions, but requires following configurations.

  1. Define an environment variable export GIT_CONFIG_NOSYSTEM=True
  2. Add the following permissions to your policy file:
grant {
  permission java.io.FilePermission "${user.home}/.gitconfig", "read";
  permission java.io.FilePermission "${user.home}/.gitignore_global", "read";
}

Restriction 1: Hooks do not work. If hooks are present in .git/hooks and are executable, an error access denied ("java.io.FilePermission" "<<ALL FILES>>" "execute") will occur. Please remove those hooks or do not enable the custom security manager.

Restriction 2: Use HTTP(S) instead of SSH. Technically, SSH can be used with the following permissions, but no one wants to do this because every end-user will be using the same (git) user and will have access to the private keys.

grant {
  permission java.io.FilePermission "${user.home}/.ssh", "read";
  permission java.io.FilePermission "${user.home}/.ssh/-", "read";
}

Let me assure you that username and password used for the HTTP(S) authentication are cached for your convenience during the session, but not shared with other end-users.

Steps and job entries restriction

Download kettle-steps.xml and kettle-job-entries.xml to under $CATALINA_HOME. If you restart Tomcat with the following environment variables, Kettle Engine loads only steps and job entries listed in these XML files. If end-users should be restricted from using SHELL for example, remove SHELL element from kettle-job-entries.xml.

export JAVA_OPTS="-DKETTLE_CORE_STEPS_FILE=kettle-steps-alternative.xml -DKETTLE_CORE_JOBENTRIES_FILE=kettle-job-entries-alternative.xml"

Note that these XML files can only list internal steps and job entries. If you want to restrict plugins, simply remove them from ./plugins.