Protected Directories

When the Transformer Security Manager is enabled, the following Transformer directories are protected directories:

$TRANSFORMER_CONF - Stages cannot access files in the configuration directory.
$TRANSFORMER_DATA - Stages cannot access files in the data directory.
$TRANSFORMER_RESOURCES - Stages can read files in the resources directory, but cannot write to files in the directory.

If needed, you can allow stages to access specific files in these protected directories by modifying Transformer Security Manager exception properties in the $TRANSFORMER_CONF/transformer-security.policy fileSecurity Policy configuration properties of the deployment. However, use caution when configuring exceptions to these protected directories.

You can configure exceptions to protected directories as follows:

Exceptions for all stage libraries

To allow all stage libraries access to files in protected directories, modify the security_manager.transformer_dirs.exceptions property to define files that can be accessed.

Exceptions for specific stage libraries

To allow a specific stage library access to files in protected directories, add the following property and then define the files that the stage library can access:

security_manager.transformer_dirs.exceptions.<stage_library_name>=<file_path>

For example, the default Transformer configuration fileconfiguration properties includes an exception for the Java keystore credential store stage library defined as follows:

security_manager.transformer_dirs.exceptions.lib.streamsets-transformer-jks-credentialstore-lib=$TRANSFORMER_CONF/jks-credentialStore.pkcs12

When you configure a Security Manager exception property, use the appropriate directory environment variabledirectory environment variable in the file path: $TRANSFORMER_CONF, $TRANSFORMER_DATA, or $TRANSFORMER_RESOURCES. You can enter multiple file paths separated by commas.