Script Security & Restricted Execution Modes
The following mechanisms control security of the TERR service and to prevent users from running malicious scripts on the server.
- Restricted execution mode (REX).
- TERR engine in Docker containerization.
- Script trust and access control.
Only users in the
Spotfire license group
Script Author
can create and mark
TERR scripts as trusted. Trusted scripts run in an unrestricted execution environment (no REX or container) unless the
TERR service enforces all scripts to be run in restricted mode. Untrusted scripts always run in REX mode or in a container.
- Docker Containerization for TERR Scripts
Scripts running in a container but not using restricted execution mode have full access to the Docker container and have permission to do anything that is possible to do from within the container. The level of isolation a container provides depends on the Docker installation and the privileges given to these containers. - TERR Restricted Execution Mode (REX)
Scripts running in restricted execution mode (REX), but without container isolation, are running directly on the TERR service host using the same user account as is running the node manager on which the service runs. - Impact of Relaxing the TERR Service Security Settings
If you have scripts that cannot run in restricted mode because they need access to resources on the system or network, then you can change the settings to enable those scripts to run.
- Docker Containerization for TERR Scripts
Scripts running in a container but not using restricted execution mode have full access to the Docker container and have permission to do anything that is possible to do from within the container. The level of isolation a container provides depends on the Docker installation and the privileges given to these containers. - TERR Restricted Execution Mode (REX)
Scripts running in restricted execution mode (REX), but without container isolation, are running directly on the TERR service host using the same user account as is running the node manager on which the service runs. - Impact of Relaxing the TERR Service Security Settings
If you have scripts that cannot run in restricted mode because they need access to resources on the system or network, then you can change the settings to enable those scripts to run.
Parent topic: TIBCO Enterprise Runtime for R - Server Edition
Related reference