raboof commented on code in PR #4299: URL: https://github.com/apache/texera/pull/4299#discussion_r2964889765
########## SECURITY.md: ########## @@ -86,6 +86,8 @@ account. - Network and firewall settings - Container orchestration +**Important**: Texera's security model defines distinct roles with different privilege levels. However, REGULAR and ADMIN users can execute arbitrary code within computing units through User-Defined Functions (UDFs), which is a known limitation that can break the intended role boundaries. UDF code may access resources available in the execution environment, including environment variables, configuration values, and application state. Deployment managers are responsible for mitigating this by applying techniques such as sandboxing UDF execution and disallowing in-process (coordinator JVM) UDFs. See [Deployments and Computing Units](#deployments-and-computing-units) and [What is NOT a Security Issue](#what-is-not-a-security-issue) for more details. Review Comment: This still seems confusing to me: right above we say "UI users (...) do not have access to (...) System configuration files", but here we say "UDF code may access resources available in the execution environment, including environment variables, configuration values, and application state.". Should "sandboxing UDF execution" be a link to documentation on how a deployment manager would sandbox UDF execution? Can we make it more clear which types of configuration are inside and which types of configuration are only outside of the sandbox? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
