
Concerns about Python Access

Hello,

On our Pyramid installation, we're looking to host multiple tenants. However, we've encountered an issue where we can access the host's file system through Pyramid, regardless of the security settings in place. This poses a significant security risk as a tenant's data may not be secure.

Through the Python node in Model, we're able to access everything that the user used to run Pyramid. This includes full access to the file system, including the IMDB repositories. Below is an example:

Here's a script that reads the file system, providing all files, the current user, and file access details:

import os
import subprocess
import pandas as pd
import getpass


def list_files(start_path):
    # Collect every file and directory under start_path that this process can see
    file_info = []
    for root, dirs, files in os.walk(start_path):
        for name in files:
            file_path = os.path.join(root, name)
            # Permissions, owner and size as reported by ls
            ls_output = subprocess.check_output(['ls', '-ahl', file_path]).decode('utf-8')
            # OS account the Python node is running as
            user_name = getpass.getuser()
            file_info.append({'File_Name': name, 'File_Path': file_path, 'User_Name': user_name, 'LS_Output': ls_output})
        for name in dirs:
            dir_path = os.path.join(root, name)
            ls_output = subprocess.check_output(['ls', '-ahl', dir_path]).decode('utf-8')
            user_name = getpass.getuser()
            file_info.append({'File_Name': name, 'File_Path': dir_path, 'User_Name': user_name, 'LS_Output': ls_output})
    return file_info


# IMDB repository directory on the Pyramid host
file_info_list = list_files('/opt/Pyramid/repository/imdata')

# Return the listing as a DataFrame so it shows up as the node's output
df = pd.DataFrame(file_info_list)

Snippet of the result:

These are the IMDBs.

The issue here is that we can gain access to any file on the host and read them if we have the proper access. For the IMDBs, the setup allows for easy creation of a connection to an IMDB, potentially allowing access to another tenant's data.

How can we ensure that this does not happen and that our clients' data remains secure?

8 replies

    • NPANS
    • 7 mths ago

    Pyramid includes a variety of capabilities (Python, R, command line access, SQL) that can all be abused if not managed: "with great power comes great responsibility".

    That's the point of an all-powerful analytics platform: it comes with the tools necessary to wire up complex sophisticated workflows and functions in the company. It's not entirely unique to Pyramid or analytics (you could use the Python engine in Excel to delete a user's hard drive if you wanted to).

    So first, if you can't trust your users, remove their access to those features through user and role profiles. You cannot hand open-ended Python scripting to untrustworthy people and expect the platform to magically determine what they are doing with it - regardless of use case or scenario. So too with the other power capabilities in Model.

    Secondly, you can install IMDB on separate machines from the servers that run Python and R (DSML service).  That way no one can access any IMDB files on those servers. BTW, this also happens to be the correct approach to a deployed Pyramid cluster.

      • Dmitri_Kanounnikov
      • 7 mths ago

       , distilling your message, I see only one proposed solution - moving IMDB databases to a separate server, right?

      • "making the sophisticated simple"
      • AviPerez
      • 7 mths ago

       2 solutions: turn off Python access to your users and/or move the IMDB services. 

      • Dmitri_Kanounnikov
      • 7 mths ago

       , thanks for taking a look at this. It looks like we'll have to move IMDB. Thanks!

    • Redeemed from the Dark Side (Power BI)
    • Obee1
    • 7 mths ago

    To block access to Python capabilities for users, turn off access to these items:

      • Dmitri_Kanounnikov
      • 7 mths ago

       , this won't work, as the question is about enabling this for multi-tenancy, assuming that the tenant can do whatever within their realm, but cannot access other tenants. Disabling this functionality will substantially reduce the offering.

      • Redeemed from the Dark Side (Power BI)
      • Obee1
      • 7 mths ago

       It depends what you think your tenants should be able to do or not. But you cannot have it both ways - you cannot insist on giving your end users access to powerful features and then complain they're too powerful to give them. 

    • Senior Director of Product
    • Ian_Macdonald
    • 7 mths ago

    As it can be difficult to anticipate the resources consumed by the IMDB service, it is recommended practice for production systems to isolate the IMDB service on its own server so that it does not impact the core Pyramid analytic services.

    Hope that helps.

    Ian
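
A way to verify the isolation the replies recommend (IMDB on a separate machine from the Python/DSML service), as an added example that is not part of the original posts or of Pyramid itself: run it as the OS account the Python service uses and confirm nothing under the IMDB repository is reachable. The function names `audit_exposure` and `is_isolated` are hypothetical; the path is the one from the original post.

```python
import os
import stat


def audit_exposure(paths):
    """List what the account running this process can reach under each path.

    Assumption: it is run as the same OS account as the Python/DSML service.
    """
    findings = []
    for base in paths:
        if not os.path.exists(base):
            # Missing, or a parent directory is not traversable by this account.
            findings.append({"path": base, "status": "not_reachable"})
            continue
        if not os.access(base, os.R_OK | os.X_OK):
            findings.append({"path": base, "status": "denied"})
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(root, name)
                readable = os.access(full, os.R_OK)
                writable = os.access(full, os.W_OK)
                if not (readable or writable):
                    continue
                try:
                    mode = stat.filemode(os.stat(full).st_mode)
                except OSError:
                    mode = "?"  # file vanished or became unreadable mid-walk
                findings.append({"path": full, "status": "exposed", "mode": mode,
                                 "readable": readable, "writable": writable})
    return findings


def is_isolated(findings):
    """True when no audited path yielded a file this account can read or write."""
    return not any(f["status"] == "exposed" for f in findings)


if __name__ == "__main__":
    # Path taken from the original post; adjust for your installation.
    results = audit_exposure(["/opt/Pyramid/repository/imdata"])
    for f in results:
        print(f)
    print("isolated" if is_isolated(results) else "IMDB files reachable from this account")
```

Unlike the script in the question, this uses `os.access` and `os.stat` rather than shelling out to `ls`, so it reports the effective access of the service account directly.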
