Connector cloud permissions
When running a connector in the cloud, be aware of additional restrictions: the cloud executes all connectors under the restrictive Java SecurityManager. The Java SecurityManager uses an "opt-in" security model, in which any permission not explicitly granted is denied.
File permissions (java.io.FilePermission)
The following table lists the file permissions currently granted to connector code.
File Permissions
| File Permission | Access |
|---|---|
| "<accountDir>/-", "read" | Read access to all files under the current account's directory. |
| "<accountDir>/message/-", "read,write" | Read/Write access to all files under the current account's message directory. |
| "<accountDir>/data/-", "read,write,delete" | Read/Write/Delete access to all files under various working directories for the current account. |
| "<accountDir>/execution/-", "read,write,delete" | Read/Write/Delete access to all files under various working directories for the current account. |
| "<accountDir>/work/-", "read,write,delete" | Read/Write/Delete access to all files under various working directories for the current account. |
| "<accountDir>/counter/-", "read,write,delete" | Read/Write/Delete access to all files under various working directories for the current account. |
| "<accountDir>/tmp/-", "read,write,delete" | Read/Write/Delete access to all files under various working directories for the current account. |
Network Permissions
The following table lists the network permissions currently granted to connector code.
| Network Permission | Access |
|---|---|
| com.boomi.security.RemoteSocketPermission "*", "connect,resolve" | Network connect permission for anywhere outside of the private cloud network. |
Miscellaneous Permissions
| Miscellaneous Permission | Access |
|---|---|
| java.lang.RuntimePermission "accessDeclaredMembers" | Reflectively view the names of declared members of a class (access permissions are still enforced). |
| java.lang.RuntimePermission "instantiateClassLoader" | Instantiate any JDK ClassLoader implementations. |
| java.lang.RuntimePermission "setContextClassLoader" | Set the thread context classloader for the current thread. |
| java.util.PropertyPermission "*", "read" | Read all system properties. |
| javax.net.ssl.SSLPermission "*" | Configure SSL connections. |
| groovy.security.GroovyCodeSourcePermission "/groovy/script" | Read/Execute Groovy scripts. |
| java.io.FilePermission "/groovy/script", "read" | Read/Execute Groovy scripts. |
| java.net.NetPermission "getProxySelector" | Configure certain aspects of network connections. |
| java.net.NetPermission "getCookieHandler" | Configure certain aspects of network connections. |
| java.net.NetPermission "getResponseCache" | Configure certain aspects of network connections. |
| java.lang.RuntimePermission "accessClassInPackage.sun.reflect" | Use Java reflection. |
Solutions to Common Permission Issues
| Issue | Solution |
|---|---|
| Failure cause is an exception like java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader) when using Apache Axis. | Apache Axis depends on an older version (0.2) of Apache Commons Discovery, which triggers this exception. Include Apache Commons Discovery version 0.4 or later. |
| AccessControlExceptions are thrown due to FilePermission violations when writing temporary data. | • Two directories can be used by connectors when writing "temporary" files in the cloud. These directories are also available on local Atoms, so the code does not need to distinguish the current environment. • For truly temporary files (files used within a single process execution), use the "tmp/" directory. This directory can be addressed directly by creating a File instance with the relative path prefix "tmp/". Additionally, the "java.io.tmpdir" system property is configured to point to this directory, so methods such as File.createTempFile work correctly. • For longer-term "temporary" files (files used across process executions, such as relatively static service-related resources), use the "work/" directory. This directory can be addressed directly by creating a File instance with the relative path prefix "work/". To reduce the likelihood of conflicts with other connectors, a connector should generally create a connector-specific subdirectory within the "work/" directory. For example, the connector "My Cool Connector" should use a working directory named "work/my_cool_connector/". |
Connectors are responsible for maintaining any temporary data across versions and should be able to handle any conflicts that may happen when reading data that is written by previous versions.
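The following is an added example, not Boomi connector SDK code, showing how connector code can keep scratch files inside the two granted locations ("tmp/" for per-execution files, "work/<connector>/" for files reused across executions) and turn a SecurityManager denial into a readable error. The connector name "my_cool_connector" and the file names are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.AccessControlException;

/** Resolves connector scratch files to the directories the cloud policy grants write access to. */
public final class ConnectorScratchFiles {
    // Hypothetical connector name, used as the connector-specific subdirectory under work/.
    private static final String CONNECTOR_DIR = "my_cool_connector";

    /** Per-execution file under the relative "tmp/" directory (read,write,delete is granted). */
    public static File executionTempFile(String name) throws IOException {
        return ensureParent(new File("tmp", name));
    }

    /** Uses java.io.tmpdir, which the cloud points at the account's tmp/ directory. */
    public static File jdkTempFile(String prefix, String suffix) throws IOException {
        return File.createTempFile(prefix, suffix);
    }

    /** Longer-lived file under work/<connector>/, kept across process executions. */
    public static File workFile(String name) throws IOException {
        return ensureParent(new File(new File("work", CONNECTOR_DIR), name));
    }

    /** Creates the parent directory if missing; the granted paths allow this, anything else is denied. */
    private static File ensureParent(File f) throws IOException {
        File dir = f.getParentFile();
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create directory " + dir);
        }
        return f;
    }

    /** Writes bytes and reports a SecurityManager denial with the permission that was refused. */
    public static void write(File target, byte[] data) throws IOException {
        try {
            Files.write(target.toPath(), data);
        } catch (AccessControlException e) {
            // In the cloud this means the path is outside the account's granted directories.
            throw new IOException("Cloud policy denies write to " + target.getPath()
                    + " (" + e.getPermission() + ")", e);
        }
    }

    public static void main(String[] args) throws IOException {
        write(executionTempFile("payload.bin"), new byte[] {1, 2, 3});
        File cached = workFile("schema-cache.xml"); // reused by later executions
        if (!cached.exists()) {
            write(cached, "<schema/>".getBytes(StandardCharsets.UTF_8));
        }
        System.out.println(jdkTempFile("conn-", ".tmp").getAbsolutePath());
    }
}
```

Run from the account directory (the connector's working directory in the cloud); a write to any other location surfaces as the wrapped AccessControlException rather than a bare stack trace in the process log.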
lib Directory permissions
The following table lists the lib directory permissions currently granted to connector code.
| Lib Directory Permissions | Access |
|---|---|
| com.boomi.security.PathPermission "${java.ext.dirs}", "read"; | This permission is required for the Runtime to perform XSLT transformation functionalities. |
| com.boomi.security.PathPermission "${java.class.path}", "read"; | This permission is required for the Runtime to perform XSLT transformation functionalities. |
| com.boomi.security.PathPermission "${sun.boot.class.path}", "read"; | This permission is required for the Runtime to perform XSLT transformation functionalities. |
| java.net.SocketPermission "localhost:1380", "connect,resolve"; | This permission is required since it is the default port used by the server on the atom node which the runners/workers connect to in order to communicate various events. |
| java.lang.RuntimePermission "com.boomi.container.control"; | This is a custom permission which manages access to internal classes and methods which should not be accessed by any untrusted code. |
| java.lang.RuntimePermission "createClassLoader"; | This permission is used for creating custom classloaders within Runtime which manage Custom Scripting and Connector classloading. |
| java.lang.RuntimePermission "getClassLoader"; | This permission is used by custom classloaders within Runtime which manage custom scripting and connector classloading. |
| java.lang.RuntimePermission "modifyClassLoader"; | This permission is a custom permission and enforces that only trusted code can modify the functionality of the custom classloaders within Runtime. |
| java.lang.RuntimePermission "exitVM.*"; | This permission allows for Runtime to shut itself down when a forked execution has completed. |
| java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler"; | This permission is required by Runtime for gracefully handling an unhandled exception during an execution. |
| java.lang.RuntimePermission "modifyThread"; | This permission is applied to both trusted and untrusted code. For trusted code, this permission is necessary for interrupting threads as well as for setting exception handlers. For untrusted code, all threads are restricted to a specific "limited" ThreadGroup. The Runtime enforces that untrusted code cannot modify any ThreadGroup and cannot start/modify any threads outside of the limited ThreadGroup. Additionally, the limited ThreadGroup has an upper limit on the number of threads which can be created in it. This permission is required to manage this within the Runtime. |
| java.lang.RuntimePermission "modifyThreadGroup"; | This permission allows for the creation of the limited ThreadGroup which all threads created by untrusted code are restricted to. |
| java.lang.RuntimePermission "modifyThread.all"; | This permission is a custom permission which allows for any thread in any ThreadGroup to be modified. Since untrusted code does not have this permission, untrusted code can only modify threads in the limited ThreadGroup. |
| java.lang.RuntimePermission "modifyThreadGroup.all"; | This permission is a custom permission which allows for ThreadGroup modification, including adding new threads to a ThreadGroup. Since untrusted code does not have this permission, untrusted code cannot modify any ThreadGroup nor can it add any threads to any other ThreadGroup except the limited ThreadGroup. |
| java.lang.RuntimePermission "setIO"; | This permission is required since the Runtime will redirect standard system streams to the container logs. |
| java.lang.RuntimePermission "accessClassInPackage.sun.misc"; | This permission is required since a custom classloader requires the sun.misc.PerfCounter class. |
| java.lang.RuntimePermission "accessClassInPackage.com.sun.*"; | This permission is required for multiple functionalities including tracking the JVM memory as well as for custom classloading purposes. |
| java.lang.RuntimePermission "setFactory"; | This permission is required since the Runtime will update the default SSL socket factory using the appropriate truststore which will then be used for all HTTPS connections. |
| java.security.SecurityPermission "getPolicy"; | This permission is required since the Runtime will retrieve the security policy in order to enforce access checks to various internal logic as well as to implement custom permissions. |
| java.security.SecurityPermission "createAccessControlContext"; | This permission is required since the Runtime creates AccessControlContext as part of ensuring that only the trusted script engines are getting the classloader of a class. It is also used to allow instantiation of trusted custom classloaders. |
| java.lang.reflect.ReflectPermission "suppressAccessChecks"; | This permission provides additional security such as the RemoteSocketPermission extension of SocketPermission. It's also used to add additional multi-tenant protections between tenants on top of libraries that do not provide this. |
| java.lang.RuntimePermission "shutdownHooks"; | This permission is required since we want forked JVMs to stop all resources gracefully and report any pertinent information to the atom node prior to shutting down. |
| java.util.PropertyPermission "*", "read,write"; | The Runtime sets system properties in order to provide various functionalities such as http proxy, enabling SSL debug logging, etc. |
| java.util.logging.LoggingPermission "control"; | The Runtime has multiple custom logging handlers which provide various flexible logging functionalities such as rotating log files, buffering debug messages in-memory, etc. |
| java.io.SerializablePermission "enableSubstitution"; | This permission is required since the Runtime uses certain serialization mechanisms when persisting data of a process execution. (Internal note: This is needed for the writeReplace() method which is called by the JDK via reflection during serialization.) |
| java.security.SecurityPermission "insertProvider.BC"; | This permission allows Runtime to add Bouncy Castle as a security provider. |
| java.security.SecurityPermission "putProviderProperty.BC"; | This permission is also required to add Bouncy Castle as a security provider. |
| java.security.SecurityPermission "insertProvider.STRTransform"; | This permission allows Runtime to add STRTransform as a security provider. |
| java.security.SecurityPermission "putProviderProperty.STRTransform"; | This permission is also required to add STRTransform as a security provider. |
| java.security.SecurityPermission "setProperty.jdk.*"; | This permission is required since the Runtime adds certain security properties for the purposes of compatibility. All the "jdk.*" security properties set by Runtime are documented here: Controlling Java security compatibility |
| javax.management.MBeanServerPermission "createMBeanServer"; | The Runtime uses JMX for communication purposes as well as for monitoring. As such, this permission is required to create a MBeanServer object. |
| javax.management.MBeanPermission "com.boomi.execution.forker.*", "registerMBean"; | This permission is required to register objects which handle communication and monitoring functionality via JMX to the MBeanServer. |
| javax.management.MBeanTrustPermission "register"; | This permission is also required to register objects to the MBeanServer. |
| java.lang.management.ManagementPermission "monitor"; | This permission is required since |
jaxbwrapper Permissions
| jaxbwrapper Permission | Access |
|---|---|
| java.lang.reflect.ReflectPermission "suppressAccessChecks"; | This permission is required by the Runtime for serialization purposes. |
| javax.xml.bind.JAXBPermission "setDatatypeConverter"; | This permission is required by the Runtime for serialization purposes. |
Global Permissions
These permissions apply to trusted code as well as untrusted code such as custom scripting and connectors.
| Global Permission | Access |
|---|---|
| com.boomi.security.RemoteSocketPermission "*", "connect,resolve"; | A custom implementation of SocketPermission which prevents any local socket access. Use "*" to connect to any non-local URLs via our connectors. |
| java.lang.RuntimePermission "modifyThread"; | Amazon Corretto JDK documentation states this permission allows for code to stop, suspend, or interrupt any thread. However, this is not true for untrusted code since our custom SecurityManager builds additional restrictions. See the java.lang.RuntimePermission "modifyThread"; permission entry earlier in this topic for more details on how untrusted code is impacted. |