[jira] [Commented] (CASSANDRA-9402) Implement proper sandboxing for UDFs

Thu, 28 May 2015 16:12:55 -0700 

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-9402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14563860#comment-14563860
 ] 

Robert Stupp commented on CASSANDRA-9402:
-----------------------------------------

bq. So we can't use it to stop UDF from opening sockets and writing to files, 
without restricting the rest of C* too.

No. Class loaders associate a {{ProtectionDomain}} to each class via 
{{java.lang.ClassLoader#defineClass(..., ProtectionDomain)}}.
At runtime (in {{AccessController.checkPermission}}) a stack of these 
{{ProtectionDomain}}s is used to verify permissions.
Assigning {{AllPermission}} to all jars in {{lib}} + {{build/classes}} and 
essentially no permissions to UDFs works.

UDF classes are defined via the UDF class loader - and the UDF class loader is 
also used for the thread via {{Thread.setContextClassLoader()}}.

The pain-point with a {{SecurityManager}} is the performance regression of 1% 
to 3% just because "it's there". I want to experiment with a {{ThreadLocal}} in 
a custom SM to speed that up.

Another option is probably to spin-off separate threads for UDF execution. 
These threads could get a complete separate class loader hierarchy. I think 
doing that in separate threads would cost "only" the time for a context switch. 
But we could monitor UDF runtime and basically kill a _dead_ UDF.
We already have serialization effort to convert from and to {{ByteBuffer}}s 
(arguments and return types).

(Hope, I expressed it clearly)

> Implement proper sandboxing for UDFs
> ------------------------------------
>
>                 Key: CASSANDRA-9402
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9402
>             Project: Cassandra
>          Issue Type: Task
>            Reporter: T Jake Luciani
>            Assignee: Robert Stupp
>            Priority: Critical
>              Labels: doc-impacting, security
>             Fix For: 3.0 beta 1
>
>         Attachments: 9402-warning.txt
>
>
> We want to avoid a security exploit for our users.  We need to make sure we 
> ship 2.2 UDFs with good defaults so someone exposing it to the internet 
> accidentally doesn't open themselves up to having arbitrary code run.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to