class SandboxRestrictions: (source)
Set of restrictions that can be applied to a sandbox.
| Method | with |
Create a new restriction set with passthrough_all_modules as true. |
| Method | with |
Create a new restriction set with the given modules added to the passthrough_modules set. |
| Class Variable | default |
Combination of passthrough_modules_default, invalid_module_members_default, and no invalid modules. |
| Class Variable | invalid |
Module members which cannot be accessed. This includes variables, functions, class methods (including __init__, etc). The check compares the against the fully qualified path to the item. |
| Class Variable | invalid |
Default set of module members Temporal suggests be restricted for non-determinism reasons. |
| Class Variable | invalid |
Modules which cannot even be imported. If possible, use invalid_module_members instead so modules that are unused by running code can still be imported for other non-running code. The check whether a module matches here is an access match using the fully qualified module name. |
| Class Variable | passthrough |
Pass through all modules, do not sandbox any modules. This is the equivalent of setting passthrough_modules to a list of all modules imported by the workflow. This is unsafe. This means modules are never reloaded per workflow run which means workflow authors have to be careful that they don't import modules that do non-deterministic things... |
| Class Variable | passthrough |
Modules which pass through because we know they are side-effect free (or the side-effecting pieces are restricted). These modules will not be reloaded, but instead will just be forwarded from outside of the sandbox... |
| Class Variable | passthrough |
Same as passthrough_modules_maximum. |
| Class Variable | passthrough |
All modules that can be passed through. This includes all standard library modules. |
| Class Variable | passthrough |
Set of modules that must be passed through at the minimum. |
| Class Variable | passthrough |
Minimum modules that must be passed through and the Temporal modules. |
Module members which cannot be accessed. This includes variables, functions, class methods (including __init__, etc). The check compares the against the fully qualified path to the item.
Modules which cannot even be imported. If possible, use
invalid_module_members instead so modules that are unused by
running code can still be imported for other non-running code. The check
whether a module matches here is an access match using the fully qualified
module name.
Pass through all modules, do not sandbox any modules. This is the equivalent
of setting passthrough_modules to a list of all modules imported
by the workflow. This is unsafe. This means modules are never reloaded per
workflow run which means workflow authors have to be careful that they don't
import modules that do non-deterministic things. Note, just because a module
is passed through from outside the sandbox doesn't mean runtime restrictions
on invalid calls are not still applied.
Modules which pass through because we know they are side-effect free (or the side-effecting pieces are restricted). These modules will not be reloaded, but instead will just be forwarded from outside of the sandbox. Any module listed will apply to all children.