Enable and Disable RDL Sandboxing

The RDL (Report Definition Language) Sandboxing feature lets you detect and restrict the usage of specific types of resources, by individual tenants, in an environment of multiple tenants that use a single web farm of report servers. An example of this is a hosting services scenario where you might maintain a single web farm of report servers that are used by multiple tenants, and perhaps different companies. As a report server administrator, you can enable this feature to help achieve the following objectives:

  • Restrict external resource sizes. External resources include images, .xslt files, and map data.

  • At report publish time, limit types and members that are used in expression text.

  • At report processing time, limit the length of the text and the size of the return value for expressions.

When RDL Sandboxing is enabled, the following features are disabled:

  • Custom code in the <Code> element of a report definition.

  • RDL backward compatibility mode for SQL Server 2005 Reporting Services (SSRS) custom report items.

  • Named parameters in expressions.

This topic describes each element in the <RDLSandboxing> element in the RSReportServer.Config file. For more information about how to modify this file, see Modify a Reporting Services Configuration File (RSreportserver.config). A server trace log records activity related to the RDL Sandboxing feature. For more information about trace logs, see Report Server Service Trace Log.

Example Configuration

The following example shows the settings and example values for the <RDLSandboxing> element in the RSReportServer.Config file.

<RDLSandboxing>  
   <MaxExpressionLength>5000</MaxExpressionLength>  
   <MaxResourceSize>5000</MaxResourceSize>  
   <MaxStringResultLength>3000</MaxStringResultLength>  
   <MaxArrayResultLength>250</MaxArrayResultLength>  
   <Types>  
      <Allow Namespace="System.Drawing" AllowNew="True">Bitmap</Allow>  
      <Allow Namespace="TypeConverters.Custom" AllowNew="True">*</Allow>  
   </Types>  
   <Members>  
      <Deny>Format</Deny>  
      <Deny>StrDup</Deny>  
   </Members>  
</RDLSandboxing>  

Configuration Settings

The following table provides information about configuration settings. Settings are presented in the order in which they appear in the configuration file.

Setting | Description
MaxExpressionLength | Maximum number of characters allowed in RDL expressions. Default: 1000
MaxResourceSize | Maximum number of KB allowed for an external resource. Default: 100
MaxStringResultLength | Maximum number of characters allowed in a return value for an RDL expression. Default: 1000
MaxArrayResultLength | Maximum number of items allowed in an array return value for an RDL expression. Default: 100
Types | The list of members to allow within RDL expressions.
Allow | A type or set of types to allow in RDL expressions.
Namespace | Attribute for Allow that is the namespace that contains one or more types that apply to Value. This property is case-insensitive.
AllowNew | Boolean attribute for Allow that controls whether new instances of the type are allowed to be created in RDL expressions or in an RDL <Class> element. Note: When RDLSandboxing is enabled, new arrays cannot be created in RDL expressions, regardless of the setting of AllowNew.
Value | Value for Allow that is the name of the type to allow in RDL expressions. The value * indicates that all types in the namespace are allowed. This property is case-insensitive.
Members | For the list of types that are included in the <Types> element, the list of member names that are not allowed in RDL expressions.
Deny | The name of a member that is not allowed in RDL expressions. This property is case-insensitive. Note: When Deny is specified for a member, all members with this name for all types are not allowed.

Working with Expressions when RDL Sandboxing is Enabled

You can modify the RDL Sandboxing feature to help manage the resources that are used by an expression in the following ways:

  • Restrict the number of characters that are used for an expression.

  • Restrict the size of the result returned by an expression.

  • Allow a specific list of types that can be used in an expression.

  • Restrict the list of members by name for the list of allowed types that can be used in an expression.

  • The RDL Sandboxing feature enables you to create a list of approved types and a list of denied members. The list of approved types is called an allow list. The list of denied members is called a block list.

Note

In the report definition, a computer cannot know the type of each instance of an expression reference. When you add a member to the block list, you are denying all members of that name across all types in the allow list.

RDL expression results are verified at run time. RDL expressions are verified in the report definition when the report is published. Monitor the report server trace log for violations. For more information, see Report Server Service Trace Log.

Working with Types

When you add a type to the allow list, you are controlling the following entry points to access RDL expressions:

  • Static members of a type.

  • The Visual Basic New method.

  • The <Classes> element in the report definition.

  • Members that you have added to the block list for a type in the allow list.

The allow list does not control the following entry points:

  • Report datasets. Fields in report datasets that are returned from queries might contain any valid RDL type.

  • Report parameters. User-supplied parameter values might contain any valid RDL type.

  • Members of an enabled type that are not in the block list. By default, all members of all types in the allow list are enabled. When you add a member name to the block list, you are denying all members with that name across all types that are in the allow list.

To enable a member of one type but deny a member with the same name for a different type, you must do the following:

  • Add a <Deny> element for the member name.

  • Create a proxy member with a different name on a class in a custom assembly for the member that you want to enable.

  • Add that new class to the allow list.
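
A small model of the allow list and block list rules described above, added here as an illustration; it is not Reporting Services code and not part of the original page. The ReportHelpers.SafeText proxy class and its FormatCurrency member are hypothetical, and AllowNew is assumed to be False when the attribute is omitted (the page does not state its default).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's Deny entries plus a hypothetical proxy class
# (ReportHelpers.SafeText) that exposes a renamed member in place of Format.
SAMPLE = """<RDLSandboxing>
   <Types>
      <Allow Namespace="System.Drawing" AllowNew="True">Bitmap</Allow>
      <Allow Namespace="System">Int32</Allow>
      <Allow Namespace="ReportHelpers">SafeText</Allow>
   </Types>
   <Members>
      <Deny>Format</Deny>
      <Deny>StrDup</Deny>
   </Members>
</RDLSandboxing>"""

class SandboxPolicy:
    """Illustrative model of the documented rules, not the server's implementation."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        # (namespace, type) -> AllowNew flag. Names are lowercased because the
        # page documents Namespace, Value and Deny as case-insensitive.
        self.allow = {}
        for a in root.iterfind("Types/Allow"):
            key = (a.get("Namespace", "").lower(), (a.text or "").strip().lower())
            # Assumption: AllowNew counts as False when the attribute is absent.
            self.allow[key] = a.get("AllowNew", "False").lower() == "true"
        self.deny = {(d.text or "").strip().lower() for d in root.iterfind("Members/Deny")}

    def _lookup(self, namespace, type_name):
        ns, t = namespace.lower(), type_name.lower()
        for key in ((ns, t), (ns, "*")):  # exact entry first, then namespace wildcard
            if key in self.allow:
                return self.allow[key]
        return None  # type is not on the allow list

    def member_allowed(self, namespace, type_name, member):
        # A Deny entry matches by member name only, so it applies to every allowed type.
        if self._lookup(namespace, type_name) is None:
            return False
        return member.lower() not in self.deny

    def new_allowed(self, namespace, type_name, is_array=False):
        # New arrays are never allowed in expressions, regardless of AllowNew.
        if is_array:
            return False
        return self._lookup(namespace, type_name) is True
```

Because Format is denied by name, it is blocked on every allowed type, while the differently named proxy member on the allow-listed proxy class remains usable.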

To add Visual Basic .NET Framework functions to the allow list, add the corresponding types from the Microsoft.VisualBasic namespace to the allow list.

To add Visual Basic .NET Framework type keywords to the allow list, add the corresponding CLR type to the allow list. For example, to use the Visual Basic .NET Framework keyword Integer, add the following XML fragment to the <RDLSandboxing> element:

<Allow Namespace="System">Int32</Allow>  

To add a generic or a Visual Basic .NET Framework nullable type to the allow list, you must do the following:

  • Create a proxy type for the generic or Visual Basic .NET Framework nullable type.

  • Add the proxy type to the allow list.

Adding a type from a custom assembly to the allow list does not implicitly grant execute permission on the assembly. You must specifically modify the code access security file and provide execute permission to your assembly. For more information, see Code Access Security in Reporting Services.

Maintaining the <Deny> List of Members

When you add a new type to the allow list, use the following list to determine when you might have to update the block list of members:

  • When you update a custom assembly with a version that introduces new types.

  • When you add members to the types in the allow list.

  • When you update the .NET Framework on the report server.

  • When you upgrade the report server to a later version of Reporting Services.

  • When you update a report server to handle a later RDL schema, because new members might have been added to RDL types.

Working with Operators and New

By default, Visual Basic .NET Framework language operators, except for New, are always allowed. The New operator is controlled by the AllowNew attribute on the <Allow> element. Other language operators, such as the default collection accessor operator ! and Visual Basic .NET Framework cast macros such as CInt, are always allowed.

Adding operators to a block list, including custom operators, is not supported. To exclude operators for a type, you must do the following:

  • Create a proxy type that does not implement the operators that you want to exclude.

  • Add the proxy type to the allow list.

To create a new array in an RDL expression, create the array in a method on a class that you define, and add that class to the allow list.

To create a new array in an RDL expression, you must do the following:

  • Define a new class and create the array in a method on that class.

  • Add the class to the allow list.

See Also

RSReportServer Configuration File
Report Server Service Trace Log