Important
The SingleStore 9.1 release candidate (RC) gives you the opportunity to preview, evaluate, and provide feedback on new and upcoming features prior to their general availability. In the interim, SingleStore 9.0 is recommended for production workloads, which can later be upgraded to SingleStore 9.1.
Restricting Local File System Access
On this page
SingleStore provides two engine variables that control how SQL statements interact with the server's local file system.
local_ file_ system_ access_ restricted
The local_ engine variable controls whether SQL statements can read from or write to the local file system on the server.
|
Property |
Value |
|---|---|
|
Default |
|
|
Scope |
Global |
|
Dynamic |
Yes |
When set to ON, the following operations are blocked:
-
SELECT .. . INTO OUTFILE -
SELECT .. . INTO FS -
LOAD DATA .(without. . INFILE LOCAL) -
CREATE PIPELINE .. . LOAD DATA FS
By default, this engine variable is set to OFF, which allows any user with the appropriate privileges (FILE READ or FILE WRITE) to access files anywhere on the server's file system unless access is further restricted by secure_.
Note
SingleStore recommends setting this engine variable to ON unless local file system access is explicitly required.OFF for backward compatibility with existing deployments that rely on local file import and export workflows.FILE READ or FILE WRITE privileges can access files anywhere on the server's file system unless further restricted by the secure_ engine variable.
To persist across restarts, add the following to the engine configuration file (memsql.) on every node:
[server]local_file_system_access_restricted = ON
secure_ file_ priv
If your workload requires local file system access and you cannot disable local_, set secure_ to restrict file operations to a specific directory.
The secure_ engine variable limits the directories from which LOAD DATA can read and to which SELECT . can write.
|
Property |
Value |
|---|---|
|
Default |
|
|
Scope |
Global |
|
Dynamic |
Yes |
When secure_ is set to NULL (default value), a user with the FILE WRITE privilege can write files to any location on the server's file system accessible to the memsqld process.
When set to a directory path, users with FILE READ or FILE WRITE privileges can only access files within that directory or its subdirectories.
Use the following command to set the engine variable:
SET GLOBAL secure_file_priv = '/var/lib/memsql/data/export';
To persist across restarts, add the following to the engine configuration file (memsql.) on every node:
[server]secure_file_priv = /var/lib/memsql/data/export
Ensure the directory exists and has appropriate permissions before setting this variable.
Best Practices
Apply one of the following configurations for different scenarios:
|
Scenario |
Recommended Configuration |
Behavior |
|---|---|---|
|
Local file I/O needed, unrestricted |
|
File I/O is allowed anywhere on the server's file system accessible to the |
|
Local file I/O needed, restricted to a specific directory |
|
File I/O is allowed only within the specified directory and its subdirectories. |
|
No local file I/O needed |
|
All local file system access is blocked. |
Last modified: