File Output Policy
GSQL restricts where a query can produce output to files through a file output policy. The policy consists of a whitelist and a blacklist.
GSQL queries must only output to the directories and their descendants or the files indicated by paths in the whitelist.
GSQL queries cannot output to the directories and their descendants or the files indicated by paths in the blacklist. The blacklist takes precedence over the whitelist.
By default, the file output policy allows outputs to all files.
GSQL.FileOutputPolicy
GSQL.FileOutputPolicy
The file output policy is implemented through the system configuration parameterGSQL.FileOutputPolicy
, which is a JSON array of strings that represents a list of paths. If there is an exclamation mark (!
) preceding a path, the path is on the blacklist. If there is no exclamation mark preceding a path, the path is on the whitelist.
Example
For example, if the value for GSQL.FileOutputPolicy
is ["/home/tigergraph", "!/home/tigergraph/documents", "!/home/tigergraph/desktop"]
, then below are the paths on the white list and on the black list:
Whitelist:
/home/tigergraph
and all its descendantsBlacklist:
/home/tigergraph/documents, /home/tigergraph/desktop
and all their descendants.
Since the blacklist takes precedence, GSQL will allow queries to write to all files and directories under /home/tigergraph
except the documents
and destktop
folders.
Edit the file output policy
To edit the file policy, ensure that you are logged in as the TigerGraph Linux user, and run the following command:
In the prompt, enter the new value for the parameter:
Apply the new configurations and restart GSQL
After implementing the file output policy, queries that write to paths that are not on the whitelist are forbidden:
If a FILE
object is defined with an empty string, it is regarded as a null file. The file output policy will not block the definition of the FILE
object, but writing to a null file would cause a runtime error.
Additionally, queries that write to paths on the whitelist, but also on the blacklist are also forbidden:
Last updated