bobbai00 commented on code in PR #4299:
URL: https://github.com/apache/texera/pull/4299#discussion_r2971121205

##########
SECURITY.md:
##########
@@ -86,6 +86,8 @@ account. - Network and firewall settings - Container orchestration +**Important**: Texera's security model defines distinct roles with different privilege levels. However, REGULAR and ADMIN users can execute arbitrary code within computing units through User-Defined Functions (UDFs), which is a known limitation that can break the intended role boundaries. UDF code may access resources available in the execution environment, including environment variables, configuration values, and application state. Deployment managers are responsible for mitigating this by applying techniques such as sandboxing UDF execution and disallowing in-process (coordinator JVM) UDFs. See [Deployments and Computing Units](#deployments-and-computing-units) and [What is NOT a Security Issue](#what-is-not-a-security-issue) for more details.

Review Comment:
Thanks for pointing that out. I changed it to "user do not have **direct** access". UI users can't SSH into the server or browse config files, but UDF code runs in the same environment and can programmatically reach things like application configs and env vars.

Regarding the sandboxing: currently Texera doesn't have native sandboxing support yet. So I added the paragraph saying that "deployment managers should grant REGULAR/ADMIN roles to trusted users, and set untrusted users to RESTRICTED". Sandboxing UDF execution is planned for near future releases, which will isolate user code from system-level secrets.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
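Review bot: in the added **Important** paragraph, the sentence "Deployment managers are responsible for mitigating this by applying techniques such as sandboxing UDF execution and disallowing in-process (coordinator JVM) UDFs" names two mitigations without saying whether Texera provides either one or the deployer has to bring their own, and gives no setting or pointer for disabling in-process UDFs. Say which it is in that sentence, or make sure one of the two linked sections does. The paragraph also lists only the roles that can run UDF code ("REGULAR and ADMIN users can execute arbitrary code"); naming the role that cannot would show readers which role boundary still holds and give deployment managers a concrete control to apply.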
