File Output Policy

GSQL restricts where a query can produce output to files through a file output policy. The policy consists of an allowlist and a blocklist.

  • GSQL queries must only output to the directories and their descendants or the files indicated by paths in the allowlist.

  • GSQL queries cannot output to the directories and their descendants or the files indicated by paths in the blocklist. The blocklist takes precedence over the allowlist.

By default, the file output policy of an on-prem installation of TigerGraph Server allows outputs to all files. We strongly suggest that you change the default configuration to specify a limit on where the file can be output to.

On TigerGraph Cloud, you cannot output files outside the directory at path /home/tigergraph/gsql_output.

GSQL.FileOutputPolicy

The file output policy is implemented through the system configuration parameterGSQL.FileOutputPolicy, which is a JSON array of strings that represents a list of paths:

  • If there is an exclamation mark (!) preceding a path, the path is on the blocklist.

  • If there is no exclamation mark preceding a path, the path is on the allowlist.

Example

For example, if the value for GSQL.FileOutputPolicy is ["/home/tigergraph", "!/home/tigergraph/documents", "!/home/tigergraph/desktop"], then below are the paths on the allowlist and on the blocklist:

  • allowlist: /home/tigergraph and all its descendants

  • blocklist: /home/tigergraph/documents, /home/tigergraph/desktop and all their descendants.

Since the blocklist takes precedence, GSQL will allow queries to write to all files and directories under /home/tigergraph except the documents and destktop folders.

Edit the file output policy

The following are the steps to edit the file output policy:

  1. To edit the file policy, ensure that you are logged in as the TigerGraph Linux user, and run the following command:

    $ gadmin config entry GSQL.FileOutputPolicy
  2. In the prompt, enter the new value for the parameter:

    GSQL.FileOutputPolicy [ ["/"] ]: The policy to control file outputs in GSQL queries
    New: ["/home/tigergraph", "!/home/tigergraph/app"]
    # allowlist: /home/tigergraph and all its descendants
    # blocklist: /home/tigergraph/app and all its descendants
    # Effect: GSQL can output to /home/tigergraph and all its descendants except /home/tigergraph/app
  3. Apply the new configurations and restart GSQL

    $ gadmin config apply
    $ gadmin restart gsql

After implementing the file output policy, queries that write to paths that are not on the allowlist are forbidden:

GSQL > BEGIN
GSQL > CREATE QUERY fileOutput() FOR GRAPH tpc_graph {
GSQL >   FILE f ("/home/documents/data.txt");
GSQL > }
GSQL > END

Semantic Check Error in query fileOutput (SEM-2502): line 2, col 7
The path '/home/documents/data.txt' is not allowed by the file output policy.
For more info, please check log at node 'm2': /home/tigergraph/tigergraph/log/gsql/log.ERROR
Failed to create queries: [fileOutput].
If a FILE object is defined with an empty string, GSQL regards it as a null file. The file output policy will not block the definition of the FILE object, but writing to a null file would cause a runtime error.

Additionally, queries that write to paths on the allowlist, but also on the blocklist are also forbidden:

GSQL > BEGIN
GSQL > CREATE QUERY fileOutput() FOR GRAPH tpc_graph {
GSQL >   FILE f ("/home/tigergraph/app/data.txt");
GSQL > }
GSQL > END

Semantic Check Error in query fileOutput (SEM-2502): line 3, col 7
The path '/home/tigergraph/app/data.txt' is not allowed by the file output
policy.
For more info, please check log at node 'm2': /home/tigergraph/tigergraph/log/gsql/log.ERROR
Failed to create queries: [fileOutput].