Ryan - are you talking about user contributed code that you store in the database? I'm guessing this is your use case, and the suggestions by Robert and Eli are really for a traditional development model. What you want to stop is one person's contributed code deleting data their code shouldn't be touching - i.e. user contributed malicious code, or user contributed buggy code?
Assuming this is what you are talking about - you have 5 options, depending on your use case (perhaps others exist - would be very interested in hearing them):

1. Try to make python able to run sandboxed code and inject proxy objects into the developer's sandbox, rather than the real datastore API. http://code.google.com/p/googleappengine/issues/detail?id=671 - not likely to be happening. You could also use db hooks - http://blog.notdot.net/2010/04/Pre--and-post--put-hooks-for-Datastore-models, but again unless python is reliably secure you're stuck here.

2. Run code analysis on the user contributed code, hoping to catch any and all security problems. Not likely.

3. Use namespaces (http://code.google.com/appengine/docs/python/multitenancy/multitenancy.html) and religiously analyse your user contributed code for attempts to switch namespaces. Less to check for than in point 2, but if you look deep enough into the issue at point 1, you'll realise the crazy ways programmers have to achieve unexpected things in python, and would be right to worry that you'll never be able to guess them all. At least with this option you are only detecting malicious code, and not buggy code. Even if you felt you could do this, namespaces might not suit your situation though - e.g. if you want some system code to be able to query across namespaces, for example.

4. Write a DSL that you compile into app engine python runnable code, and store in the datastore. Your users write in this language, and not app engine python. This is the only 100% guaranteed python option (assuming your compiler is not broken) that I am aware of.

5. Use Java App Engine. However you won't be able to run raw Java from the datastore as far as I am aware. Consequently you will need to install something like Rhino or Groovy for your user contributed code. Java's sandbox security model is much more robust than python's, and should be trustable. Your user contributed code will run much slower than it would on python app engine, which obviously affects user experience and cost.

Cheers,
Colin

On Sep 24, 10:50 am, rvjcallanan <[email protected]> wrote:
> Hi all,
>
> I have a requirement to place a thin "security" layer between the Datastore and my App proper. I need to be able to lock down this layer and prevent other coders from bypassing it and performing raw Datastore operations directly.
>
> I am thinking about a dual App approach where one App is a wrapper for its own datastore and the other App implements the main functionality (persisting to the Datastore of the first App via a simple API). This is obviously not ideal for a number of reasons which I won't go into.
>
> My question: Is there any way of achieving the same level of modularisation within a single App? Python seems weak in that respect. I am not familiar with the Java implementation of the GAE. Does it fare any better? Are there any non-language mechanisms available to help here?
>
> Note: I don't want to get into a separate debate about trust and security.
>
> TIA

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
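The code analysis step from option 3, as an added example that is not from this thread or from App Engine itself: a Python `ast` scanner that flags direct use of the namespace API (`namespace_manager`, `set_namespace`) and also the dynamic primitives (`__import__`, `getattr`, `eval`, ...) through which user code could reach it without naming it. The API names and the two user-code samples are constructed for the example; the scanner catches only what it is told to look for, which is exactly the limitation the post describes.

```python
import ast

# Datastore API names worth flagging in user-contributed code (assumed set for
# the example), plus the dynamic primitives that can reach them indirectly.
NAMESPACE_API = {"namespace_manager", "set_namespace"}
DYNAMIC_PRIMITIVES = {"__import__", "eval", "exec", "getattr",
                      "globals", "compile", "importlib"}


class NamespaceAuditor(ast.NodeVisitor):
    """Collect findings from a parsed module. Each finding is (line, reason)."""

    def __init__(self):
        self.findings = []

    def _flag(self, node, reason):
        self.findings.append((node.lineno, reason))

    def visit_ImportFrom(self, node):
        module = node.module or ""
        names = {alias.name for alias in node.names}
        if "namespace_manager" in module or names & NAMESPACE_API:
            self._flag(node, f"import from {module}")
        self.generic_visit(node)

    def visit_Name(self, node):
        # Bare use of a dynamic primitive is flagged regardless of its arguments.
        if node.id in DYNAMIC_PRIMITIVES:
            self._flag(node, f"dynamic primitive {node.id}")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        if node.attr in NAMESPACE_API:
            self._flag(node, f"attribute {node.attr}")
        self.generic_visit(node)

    def visit_Constant(self, node):
        # A module path hidden in a string literal is the usual indirect route.
        if isinstance(node.value, str) and "namespace" in node.value:
            self._flag(node, "string mentioning namespace")
        self.generic_visit(node)


def audit(source):
    """Return sorted findings; an empty list means nothing obviously suspicious."""
    auditor = NamespaceAuditor()
    auditor.visit(ast.parse(source))
    return sorted(auditor.findings)


# Constructed samples: a direct call, and an indirect one via a dynamic import.
DIRECT = ("from google.appengine.api import namespace_manager\n"
          "namespace_manager.set_namespace('other')\n")
INDIRECT = "m = __import__('google.appengine.api.namespace_manager')\n"
```

A clean result only means none of the listed names appeared; it says nothing about code paths the scanner was not taught, so this is a filter to run before a sandbox, not a substitute for one.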
