Managing AnzoGraph File Access Policies

In AnzoGraph Version 2.5.6 and later, you can configure file system access control policies to ensure that only certain files or directories are accessible to AnzoGraph during the execution of a query. This topic describes the configuration settings that define the file access policies and provides instructions for setting up policies.

File Access Policy Settings Reference

policy_file_enabled

The policy_file_enabled setting is the parent setting that controls whether or not file system access policies are enabled and followed. When policy_file_enabled is false (the default value), AnzoGraph does not perform file path access checks when a query references files or directories on the file system. When policy_file_enabled is true and a query attempts to access a file or directory on the file system, AnzoGraph performs the file path access checks that are configured in the policy_file_read, write, delete, and deny settings described below.

policy_file_read, write, delete, and deny

The policy_file_read, write, delete, and deny settings specify the paths to directories and/or files on the file system that AnzoGraph requests are allowed to read from, write to, or delete from. For each of the "allowed" read, write, and delete settings, there is a corresponding deny setting that configures the paths for which requests are denied read, write, and delete access. This enables you to allow broad access to parent directories, if desired, and then use the deny settings to restrict access to certain subdirectories under them if needed.

The values for the settings are wildcard patterns that AnzoGraph uses to match directories and/or file names. Patterns are specified using basic file globbing syntax as described in the glob(7) Linux manual page. Each policy_file_* setting accepts one or more patterns. Separate multiple patterns with a semicolon (;). For readability, you can also include spaces between patterns.

Prior to matching paths in an incoming request to the configured access policy patterns, AnzoGraph resolves the paths in the request to canonical paths (using the std::filesystem::weakly_canonical function described here at cppreference.com). That means segments such as /./ or /../ are fully expanded prior to being compared to patterns. If a segment in the request path is a symlink, that segment is also expanded prior to checking for a match. Make sure that all access policy patterns match absolute paths. Otherwise, expanded relative path or symlink segments in a request will not match any patterns. For example, if users normally include a path like /source-files/ in a request but /source-files/ is a symlink to /mnt/anzoshare/data/source-files/, include the path to /mnt/anzoshare/data/source-files/ in the pattern.

The following list describes the settings and provides sample pattern values. The File Access Control Behavior section below includes specifics about pattern matching and access checks.

  • policy_file_read: Specifies the pattern(s) to match for paths that queries have permission to read from. For example, a value such as the following gives AnzoGraph requests read-only access to all files and directories under the /opt/anzoshare and /mnt/data directories:
    policy_file_read=/opt/anzoshare/* ; /mnt/data/*
  • policy_file_read_deny: Specifies the pattern(s) to match for paths that queries should not be allowed to read. For example, the following value means requests will not be allowed to read any files or directories under /etc or /root:
    policy_file_read_deny=/etc/* ; /root/*
  • policy_file_write: Specifies the pattern(s) to match for paths that queries have permission to write to. For example, the following value gives requests write access to the /tmp and /home directories in addition to the /opt/anzoshare/store and /mnt/data/store directories.
    policy_file_write=/tmp/* ; /home/* ; /opt/anzoshare/store/* ; /mnt/data/store/*

    If you have Graphmarts with Export Steps, make sure the write policy gives AnzoGraph write access to the appropriate Anzo Data Store.

  • policy_file_write_deny: Specifies the pattern(s) to match for paths that queries are denied write access to.
  • policy_file_delete: Specifies the pattern(s) to match for paths that queries have permission to delete.
  • policy_file_delete_deny: Specifies the pattern(s) to match for paths that queries are denied delete access to.

The AnzoGraph installation path (<install_path>/*) is automatically added to each of the *_deny policies.

File Access Control Behavior

When a query that includes a path to a file or directory is run (such as in a GDI query with s:url "/opt/anzoshare/data/csv" or in a LOAD <dir:/mnt/data/rdf.ttl.gz> statement), AnzoGraph resolves that path (for example, if the path includes /./ or /../ segments) to a canonical path prior to checking whether it matches a policy_file pattern. If any segment of the path is a symlink, that segment is also expanded prior to being matched to a pattern. If the specified file or directory matches one of the allowed access patterns and it is not matched to a deny pattern, the query is executed. If the specified path is matched to a denied pattern or is not matched to any of the allowed patterns, the query is aborted and AnzoGraph returns an access denied error message.

Setting Up File Access Policies

  1. Stop the database. See Stop the Database (Leave the System Management Daemon Running) for instructions.
  2. On the leader node, open the AnzoGraph settings file, settings.conf, in a text editor. The file is in the <install_path>/config directory.
  3. In settings.conf, uncomment the policy_file_enabled=false line and change the value to true:
    policy_file_enabled=true
  4. Locate the additional policy_file_* settings:
    # File system paths that may be deleted (';' delimited) ()
    # policy_file_delete=
    
    # File system paths that may not be deleted (';' delimited) ()
    # policy_file_delete_deny=
    
    # File system paths that may be read from (';' delimited) ()
    # policy_file_read=
    
    # File system paths that may not be read from (';' delimited) ()
    # policy_file_read_deny=
    
    # File system paths that may be written to (';' delimited) ()
    # policy_file_write=
    
    # File system paths that may not be written to (';' delimited) ()
    # policy_file_write_deny=
  5. Uncomment each of the policy_file_*= lines that you want to set, and add the wildcard pattern or patterns that you want to match for each of the policies.
  6. Save and close settings.conf.
  7. Restart the database to apply the configuration change. See Start the Database (the Daemon is Running) for instructions.