[cloud] Provide ability to disable executing modified pxl scripts #2062
Conversation
Signed-off-by: Dom Del Nano <[email protected]>
…cation Signed-off-by: Dom Del Nano <[email protected]>
Signed-off-by: Dom Del Nano <[email protected]>
ddelnano
force-pushed
the
ddelnano/enforce-scripts-arent-modified
branch
from
cda686a to
af0447c
Compare
Signed-off-by: Dom Del Nano <[email protected]>
ddelnano
force-pushed
the
ddelnano/enforce-scripts-arent-modified
branch
from
094bbc7 to
4270147
Compare
Signed-off-by: Dom Del Nano <[email protected]>
ddelnano
force-pushed
the
ddelnano/enforce-scripts-arent-modified
branch
2 times, most recently
from
0a31fa1 to
13ffb77
Compare
…ing and renamed to match other SCRIPT_ prefixed settings Signed-off-by: Dom Del Nano <[email protected]>
ddelnano
force-pushed
the
ddelnano/enforce-scripts-arent-modified
branch
from
13ffb77 to
1c57303
Compare
| @@ -85,7 +86,7 @@ export class CodeEditor extends React.PureComponent<CodeEditorProps, CodeEditorS | |||
| scrollBeyondLastColumn: 3, // Prevents hiding text behind the minimap or the scrollbar. Expands the scroll area. | |||
| scrollBeyondLastLine: false, | |||
| fontFamily: COMMON_THEME.typography.monospace.fontFamily, | |||
| readOnly: this.props.isReadOnly === true, | |||
| readOnly: this.props.isReadOnly === true || SCRIPT_MODIFICATION_DISABLED, | |||
There was a problem hiding this comment.
Notably, CodeEditor doesn't show the user why it's read-only, and assumes the caller will tell them why (I don't remember if any existing caller does so, though - they might not).
Having readOnly set directly inside of CodeEditor this way breaks that assumption further, showing nothing and giving no indication that it should. Might be worth consideration in a future change!
There was a problem hiding this comment.
I've changed this in favor of having each instance of the component to provide a read only reason. See testing done screenshots for more details.
| @@ -169,7 +171,8 @@ data: | |||
| env PL_HYDRA_SERVICE; | |||
| env PL_KRATOS_SERVICE; | |||
| env SCRIPT_BUNDLE_URLS; | |||
| env SCRIPT_BUNDE_DEV; | |||
| env SCRIPT_BUNDLE_DEV; | |||
There was a problem hiding this comment.
This is a typo but something that's only used for development.
Signed-off-by: Dom Del Nano <[email protected]>
Signed-off-by: Dom Del Nano <[email protected]>
…tend and proxy service Signed-off-by: Dom Del Nano <[email protected]>
ddelnano
force-pushed
the
ddelnano/enforce-scripts-arent-modified
branch
from
49e06d1 to
b0098ca
Compare
|
@aimichelle please see the latest testing done screenshots. The UI now enables the read only setting for the |
Summary: [cloud] Provide ability to disable executing modified pxl scripts
Certain security conscious users are hesitant to use Pixie because without RBAC anyone with Pixie UI access can write arbitrary BPF code (bpftrace integration), access or export arbitrary data (modifying pxl scripts, writing export scripts). This change aims to address this concern with a global setting to prevent the ability to execute modified scripts. When an adhoc script is executed, the cloud will hash the contents of the script and check it against the scripts known to the scriptmgr service. If it is contained in the scriptmgr service, the script will be allowed to execute.
Note: this does not prevent users from writing new export scripts. Since the query broker can source its scripts from a configmap as of #1326, this is deemed as an appropriate mitigation for cluster admins and I'll follow up with UI support to reflect that a vizier is in "configmap mode".
Relevant Issues: N/A
Type of change: /kind feature
Test Plan: The following checks were performed
Screenshots
Changelog Message: Pixie Cloud can now disable executing modified pxl scripts via the
PL_SCRIPT_MODIFICATION_DISABLEDkey in thepl-script-bundle-configConfigMap. See reference manifests for more details.