none
Machine Learning Services 2019: Managing AppContainers RRS feed

  • Question

  • Hi,

    From SQL Server 2017 to SQL Server 2019 one of the changes was that ML services started to use the AppContainers windows API (also called Sandbox(?)).

    It's great for security, however, what about R scripts having access to files in the disk? The security is completely isolated, I already discovered that giving permission to the group SQLRUsers (a name like this :-) is not enough, doesn't solve the problem.

    After a lot of research and attempts in the wrong direction, I discovered that each appcontainer uses its own SID. This is needed to give permissions the the R script to read and write files to/from the disk.

    Of course, after understanding app containers, I can assign the permission to the SID of "ALL Application Containers", but this is more than I need, in some ways, a security flaw.

    So, the questions:

    1) How can I discover the SID of the app containers created by the launchpad ? I found out that they behave as a user, creating a user profile folder with their SID, but it should have a better way them running a lot of R scripts to ensure launchpad will use all app containers and them look the user profile folder.

    2) Does R and Python use the same app container, the same set of SIDs, or are there different sets of SIDs for each one?

    3) Raising the bar of something already complex, there is no way to set different permissions for each language, R and Python for example, as long as they share the same SIDs and we have no control of it, right?

    Thank you in advance !

    Dennes



    • Edited by Dennes Wednesday, December 11, 2019 3:50 PM
    Wednesday, December 11, 2019 11:22 AM

All replies

  • Hi Dennes,

     

    Would you please refer tohttps://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15#appcontainer-isolation-in-sql-server-2019?

     

    Best regards,

    Dedmon Dai


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com

    Thursday, December 12, 2019 8:34 AM
  • Hi,

    Yes, I checked this link. It doesn't mention file system access (not completely, at least).

    I believe the text was built for both, SQL 2017 and SQL 2019. In SQL 2017 you can grant permission to SQLRUserGroup and it works, but in SQL 2019 it doesn't, I tested in multiple environments.

    A R script trying to access files only worked after i granted permission to "All Application Containers" SID. This is the only solution I have now for the problem and we get back to the main question: Is there a way to discover the SIDs of the app containers used by launchpad in SQL 2019, in order to give direct permission to them instead of opening permissions to "All Application Containers".

    Thank you!

    Dennes

    • Edited by Dennes Thursday, December 12, 2019 8:56 AM
    Thursday, December 12, 2019 8:55 AM