Security & Restrictions

To further facilitate both a safe and reliable experience for all our users, starting with RapidMiner Studio 7.2, we introduced both a java.lang.SecurityManager and a java.security.Policy to RapidMiner Studio. The respective implementations can be found in the com.rapidminer.security package. These mechanisms will prevent certain dangerous calls from specific or unknown sources, e.g. by 3rd party extensions. This means if any of the following points are violated, a SecurityException will be thrown and the call will be prevented. List of default restrictions for 3rd party extensions starting with RapidMiner Studio 7.2:

  • File deletion outside of the java.io.tempdir folder and the .RapidMiner/extensions/workspace/rmx_yourExtension folder is not permitted.
  • ReflectPermission is not granted at all. This includes both newProxyInPackage.* and suppressAccessChecks. Note that regular (non-invasive) usage of reflection is fine and still permitted!
  • No RuntimePermissions except for accessDeclaredMembers, getenv.*, getFileSystemAttributes, readFileDescriptor, writeFileDescriptor, queuePrintJob, and shutdownHooks are granted.
  • No AWTPermissions except for listenToAllAWTEvents, setWindowAlwaysOnTop, and watchMousePointer are granted.
  • Trying to replace the SecurityManager of RapidMiner Studio is not permitted by any code whatsoever.

Please note that Java security works with the principle of the lowest common denominator. The permissions for a call are defined by the lowest permissions for any part of the call stack. This includes libraries you are using. If those libraries for example rely on using reflection to suppress access checks, they will not work for your extension anymore.

If the RapidMiner Studio version is SNAPSHOT, all permissions are granted to all extensions. This is done to make the life of extension developers easier. To test how your extension behaves under real-world conditions, edit the gradle.properties file in the Studio core project and remove the -SNAPSHOT suffix. Then execute the Gradle task jar to update the version and start Studio again.

Granting Additional Permissions

Starting from RapidMiner Studio 7.4 users that have Large licenses can grant additional permissions to unsigned extensions. This is configurable in the Start-up section of the Settings. Activating this setting enables the following permissions:

Group Permission Description
AWTPermission accessClipboard Posting and retrieval of information to and from the AWT clipboard
ReflectPermission suppressAccessChecks Provides the ability to access fields and invoke methods in a class. This includes not only public, but protected and private fields and methods as well.
ReflectPermission newProxyInPackage.* Ability to create a proxy instance in the specified package of which the non-public interface that the proxy class implements.
RuntimePermissions createClassLoader Creation of a class loader
RuntimePermissions getClassLoader Retrieval of a class loader (e.g., the class loader for the calling class)
RuntimePermissions setContextClassLoader Setting of the context class loader used by a thread
RuntimePermissions enableContextClassLoaderOverride Subclass implementation of the thread context class loader methods
RuntimePermissions closeClassLoader Closing of a ClassLoader
RuntimePermissions setFactory Setting of the socket factory used by ServerSocket or Socket, or of the stream handler factory used by URL
RuntimePermissions modifyThread Modification of threads, e.g., via calls to Thread interrupt, stop, suspend, resume, setDaemon, setPriority, setName and setUncaughtExceptionHandler methods
RuntimePermissions stopThread Stopping of threads via calls to the Thread stop method
RuntimePermissions modifyThreadGroup Modification of thread groups, e.g., via calls to ThreadGroup destroy, getParent, resume, setDaemon, setMaxPriority, stop, and suspend methods
RuntimePermissions loadLibrary.* Dynamic linking of the specified library
RuntimePermissions getStackTrace Retrieval of the stack trace information of another thread.
RuntimePermissions setDefaultUncaughtExceptionHandler Setting the default handler to be used when a thread terminates abruptly due to an uncaught exception.
RuntimePermissions preferences Represents the permission required to get access to the java.util.prefs.Preferences implementations user or system root which in turn allows retrieval or update operations within the Preferences persistent backing store.
PropertyPermission write Permission to write. Allows System.setProperty to be called.

Future plans

Please be aware that we will further limit what 3rd party extensions will be able to do in the future to continue to facilitate both a safe and reliable experience for all our users. To allow sophisticated (and safe) extensions that do require those permissions, we will at that point in time also introduce mechanisms to acquire those permissions, e.g. via offering extension verification & signing or by adding mechanisms that allow the user to explicitly grant those permissions to your extension. There is no final list yet as to the exact limitations, but the following points can be assumed with reasonable certainty for unsigned 3rd party extensions:

  • Read/Write access outside of the specific extension workspace folder (found in the .RapidMiner/extensions/workspace/rmx_yourExtension folder) will need to be permitted by the user
  • Access to classes in the sun.misc package will be forbidden entirely. This may be extended to other sun.* packages as well.
  • Opening socket connections (e.g. using URLConnections) will be subject to explicit user permission for each URL.

For more information on Java security features, see the official documentation from Oracle referenced below. Java security documentation