Comments (6)
Thanks for the report. The comments are correct as written; what's tricky is that the way PostgreSQL uses the terms 'trusted' and 'untrusted' is about equally easy to read in the intended way, or in the exact opposite way!
The way PostgreSQL uses those terms, `trusted` is used for a language that non-superusers can be allowed to write routines in, because the language will prevent those routines from doing Bad Things. They will be confined (sandboxed) to doing only a limited range of safe things.
An 'untrusted' language is one that does not impose such limits on what a routine can do. Because a routine in an 'untrusted' language could do Bad Things, only superusers can be allowed to create routines in that language.
So a "trusted" language is a language you can "trust" (because it is sandboxed), and therefore you can make it available to users you don't (have to) "trust" (as much). And an "untrusted" language is a language you don't "trust" (because it isn't so well sandboxed), so you have to only make it available to superusers whom you really "trust".
If you are not an old PostgreSQL hand, you might think a "trusted" language is one that might be allowed to do Bad Things (because you "trust" it), and an "untrusted" language is the one that wouldn't be allowed to (because you don't "trust" it). But that's the reverse of the way PostgreSQL uses the terms.
There is a little paragraph in the documentation touching on that, and explaining why PL/Java favors the terms `sandboxed`/`unsandboxed` instead, because they are less prone to being accidentally read backwards.
Of course even that nomenclature is approximate because PL/Java in fact uses the Java sandbox in both cases, but just grants a somewhat wider set of default permissions to `PLPrincipal$Unsandboxed` (and even allows you to create other language aliases besides the original two `java` and `javaU`, and assign different permission sets to those).
The only difference in the default policy is that `PLPrincipal$Unsandboxed` is allowed full access to the filesystem, and in `PLPrincipal$Sandboxed` that access is blocked.
Thanks, that's...baffling. I mean, I get it (and it's not PL/Java's fault), but that's horrendously counterintuitive. (Also I will admit to having read past that note in the docs, despite having been on that page while working on another issue...)
Would you accept a PR to improve the "at-the-point-of-use" documentation in `pljava.policy`? Some blindingly obvious comments to the effect of "THIS IS `java`" and "THIS IS `javau`" would be most welcome and avoid semantic confusion over trusted/untrusted, sandboxed/unsandboxed, and so on.
In the same vein, I suspect a table like the following, at the top of the docs page you linked (and perhaps a bit more prominent than the existing paragraph) would help:

| Default PL/Java language name | Trusted? | Sandboxed? |
|---|---|---|
| `java` | Trusted (meaning can be used by non-superusers) | Sandboxed |
| `javau` | Untrusted (meaning only for superusers) | Unsandboxed |
I realize this all goes out the window once folks start creating language aliases, etc., but in the context of "in another 30 seconds I'm going to go look for a 'big hammer' option to disable the Security Manager entirely..." it would help to have a clearer pointer on how things work in the default configuration.
Yes, delicate is good, as after all, it's not as if the PostgreSQL usage of the terms doesn't make sense. It does make sense. It's just one of those near-perfect examples of English that can be read the way you mean or the opposite way and both make sense.
I would consider such a PR. I might prefer the added comments to be more like "such as 'java'" and "such as 'javaU'", and the column headings in the table to be "PostgreSQL term" and "PL/Java term". (The table is simple enough for the reader to see at a glance one column is trusted/untrusted and one is sandboxed/unsandboxed anyway.) And I'd probably put it right after the existing explanatory paragraph.
The `grant` clauses for `PLPrincipal$Sandboxed` and `PLPrincipal$Unsandboxed` are not only for `java` and `javaU`; if you create another alias, you still specify which of the two types it is, and it still enjoys all the permissions from that corresponding `grant` clause, as well as any `grant` you might add for that specific alias.
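The grant composition just described, as an added illustration in Java policy-file syntax (this is not the project's shipped `pljava.policy`; the package name `org.postgresql.pljava`, the specific permission lines, and the alias name `myjava` are all assumptions or constructed values):

```text
// Constructed illustration of how grant clauses compose for a language alias.
// Assumption: the two principal classes live in package org.postgresql.pljava.
// The permission lists are placeholders, not the real defaults.

// Every language typed as Sandboxed (the shipped "java" and any alias
// created with that type) gets this block. No FilePermission appears here,
// so filesystem access is blocked for sandboxed routines.
grant principal org.postgresql.pljava.PLPrincipal$Sandboxed * {
    permission java.util.PropertyPermission "user.timezone", "read";
};

// Every language typed as Unsandboxed (the shipped "javaU" and any alias
// of that type) gets this block, which is where full filesystem access lives.
grant principal org.postgresql.pljava.PLPrincipal$Unsandboxed * {
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete,execute";
};

// An alias-specific grant. "myjava" is a constructed alias assumed to have
// been created as a Sandboxed-type language: it keeps everything from the
// Sandboxed block above and gains only this one narrowly scoped permission.
grant principal org.postgresql.pljava.PLPrincipal$Sandboxed "myjava" {
    permission java.io.FilePermission "/var/lib/myapp/-", "read";
};
```

The point to check when reviewing such a file is which block an alias inherits from: an alias typed Unsandboxed picks up the filesystem grant whether or not its own alias-specific clause mentions files.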
Thanks - yes, I was deliberately being a bit brutish in my examples, but it could be put more delicately. Once I've tidied up the project I am working on now, I'll try to circle back to this.
Another example of how easy it is for `trusted`/`untrusted` to have their meanings not just sort of blurred but reversed:
'trusted'/'untrusted' PL in DoD/DISA PostgreSQL STIGs