Xpress Insight configuration

python3 module can only be used when Mosel restrictions are disabled (MOSEL_RESTR=0). When the restrictions are disabled, any executed Mosel and Python code have the same rights (in particular for file system access) as the operating system user that runs the Insight Execution Worker. In order to use the python3 module in an Insight app, it is necessary to relax the Mosel restrictions in the Insight Execution Worker configuration file (xprmsrv.cfg). After relaxing the Mosel restrictions, we strongly recommend that the Insight administrator makes sure of the following points:

• The operating system user that runs the Insight Execution Worker should only be granted the minimal rights that are necessary for running the Insight app.
• Access to the workers should be protected by a password and additionally by IP filters (see the example extract of the configuration file xprmsrv.cfg below).
• If the network is not trusted, the workers should only accept SSH connections: Set TCP_PORT=-1 (configurable via xprmsrv.cfg) and use xssh instead of the xsrv protocol (Execution Worker configuration in the Insight admin interface).
• Only trusted users should be granted the right to upload trusted Insight apps to the Insight Server.

And the Insight app developer needs to address the following points:

• The app should not execute any untrusted Python scripts that an end user may have uploaded as an app attachment (see pyrun function).
• The app should not concatenate untrusted strings entered by the end user (e.g. Insight scalars or arrays) into a Python evaluation string, because this could allow an attacker to inject and execute custom Python code. For example, the first function input parameter of pycall, pyexec and pyget is a Python evaluation string. Note that it is safe to transfer untrusted data between Mosel and Python variables. The developer just needs to avoid using untrusted strings directly in a Python evaluation string parameter.

If the Insight Execution Worker runs on the same machine as the Insight Server, it is recommended to modify the configuration settings in xprmsrv.cfg as follows:

...
XPRMSRV_ACCESS=+127.0.0.1
[insight]
PASS=my_password
MOSEL_RESTR=0
PYTHONHOME=C:\opt\anaconda3
PATH=${PYTHONHOME}\Library\bin;${PATH}
...

Restart the Execution Worker after changing the configuration file. Then log into the Insight admin interface, go to Execution Services, edit the Execution Worker, enter the password in the password edit field and save the changes. Depending on your system configuration, the PYTHONHOME environment variable is optional. The PATH entry is only necessary for Anaconda on Windows. You can also specify the PYTHONHOME and PATH environment variables as system environment variables. Note that it is not sufficient to specify them for your personal user account, because the Insight service runs as a different user.