s-Server lets you implement s-Server in sandboxed mode. This sets up a restricted environment for non-administrator users; you need to create these users before they can access the sandboxed environment. This mode prevents users from doing anything that might be dangerous to either s-Server or other systems, such as deploying a function that deletes files or using JDBC to access external databases.
To set up a sandboxed environment, do the following:
The non-administrator ("sandboxed") user can then log in to s-Server, but will only be able to perform a limited set of DDL or DML with granted privileges. These users can create local tables and streams and query or insert into these, but cannot, for example, create server objects or foreign tables.
s-Server makes extensive use of server objects and foreign streams to import data. An administrator will need to grant "sandboxed" users permission to access foreign streams, or use pumps to move data from foreign streams to local streams. See the Integrating Guavus SQLstream with Other Systems for more details.
To implement sandboxing, you need to log on as a user with administrator privileges (the default s-Server user has such privileges) and execute the following command:
ALTER SYSTEM "sandboxed" = TRUE;
This alters the system (recording in the catalog), putting the following restrictions for non-administrator users in place:
Non-administrator users can still create indexes, functions, local tables, and local streams in a sandboxed environment. They can also create views or pumps, provided they have access to the objects these reference, such as the source and target for a pump.
You can sandbox additional features by setting a variable called sandboxedFeatures. This lets you sandbox the following extra features:
An additional variable, ContextVariables, lets you control the use of context variables such as USER and _CURRENTPATH.
To do so, you need to log on as a user with administrator privileges (the default s-Server user has such privileges) and execute a command along the following lines:
alter system set "sandboxedFeatures" = 'ContextVariables,Grant,CreateTable';
--sandboxes CreateTable
alter system set "sandboxedFeatures" = 'CreateSchema,CreateView,CreateTable,CreateIndex,Grant,DropSchema,ContextVariables,CreatePumpStarted,AlterPump,CreateStream,DropStream';
--sandboxes all extra features
This variable has no effect unless "sandboxed" is also set to true.
CREATE USER <user> [IDENTIFIED BY ‘aPassword’] DEFAULT CATALOG localdb;
This will create a new non-administrator user that by default will not have access to any system tables or functions (even in non-sandboxed environments). Only the creator of an object or schema (or the administrator) is allowed to drop or alter it.
Administrators can use the following SQL to grant access to foreign streams and tables, as well as system tables and streams or views based on system tables and streams:
GRANT <permission> { , <permission> }
TO <user>;
Administrators can use the following SQL to grant access to system functions:
GRANT EXECUTE ON SPECIFIC FUNCTION <function> TO <user>;
Permission | Repository objects to which permission applies |
---|---|
Select | Tables, streams, views |
Insert | Tables, streams |
Update | Tables |
Delete | Streams |
Execute | user-defined routines, user defined functions, user-defined procedures, or user-defined transforms) |