dmagda commented on a change in pull request #8237:
URL: https://github.com/apache/ignite/pull/8237#discussion_r493882213
##########
File path: docs/_docs/security/sandbox.adoc
##########
@@ -0,0 +1,80 @@
+= The Ignite Sandbox
+
+== Overview
+Ignite allows using a user-defined code that can be a compute job, event
filter, message listener, etc.
Review comment:
How about this version for the opening paragraph?
Ignite allows executing custom logic via various APIs including compute
tasks, event filters, message listeners. This user-defined logic can utilize
Java APIs to get access to host resources. For example, it can
create/update/delete files or system properties, open network connections, use
reflection and other APIs to get full control of the host environment. Ignite
Sandbox is based on the [Java Sandbox
model](https://docs.oracle.com/en/java/javase/11/security/java-se-platform-security-architecture.html#GUID-C203D80F-C730-45C3-AB95-D4E61FD6D89C)
and allows you to restrict the scope of user-defined logic executed via Ignite
APIs.
##########
File path: docs/_docs/security/sandbox.adoc
##########
@@ -0,0 +1,80 @@
+= The Ignite Sandbox
+
+== Overview
+Ignite allows using a user-defined code that can be a compute job, event
filter, message listener, etc.
+This user-defined code can utilize Java features to get access to host
resources.
+For example, it can create/update/delete files; create sockets;
read/update/delete system properties; use reflection API and so on.
+To restrict user-defined code options you may use the Ignite Sandbox based on
the Java Sandbox model.
+
+You can read about the Java Sandbox model
link:https://docs.oracle.com/en/java/javase/11/security/java-se-platform-security-architecture.html#GUID-C203D80F-C730-45C3-AB95-D4E61FD6D89C[here,window=_blank].
+
+== Ignite Sandbox activation
+
+There are some conditions to activate the Ignite Sandbox.
+
+- The first condition is _the SecurityManager must be installed_.
Review comment:
Just say - "Install the SecurityManager ..."
##########
File path: docs/_docs/security/sandbox.adoc
##########
@@ -0,0 +1,80 @@
+= The Ignite Sandbox
+
+== Overview
+Ignite allows using a user-defined code that can be a compute job, event
filter, message listener, etc.
+This user-defined code can utilize Java features to get access to host
resources.
+For example, it can create/update/delete files; create sockets;
read/update/delete system properties; use reflection API and so on.
+To restrict user-defined code options you may use the Ignite Sandbox based on
the Java Sandbox model.
+
+You can read about the Java Sandbox model
link:https://docs.oracle.com/en/java/javase/11/security/java-se-platform-security-architecture.html#GUID-C203D80F-C730-45C3-AB95-D4E61FD6D89C[here,window=_blank].
+
+== Ignite Sandbox activation
+
+There are some conditions to activate the Ignite Sandbox.
Review comment:
I would say it this way:
* Use the following procedure to activate Ignite Sandbox or
* Follow the steps below to activate Ignite Sandbox
##########
File path: docs/_docs/security/sandbox.adoc
##########
@@ -0,0 +1,80 @@
+= The Ignite Sandbox
+
+== Overview
+Ignite allows using a user-defined code that can be a compute job, event
filter, message listener, etc.
+This user-defined code can utilize Java features to get access to host
resources.
+For example, it can create/update/delete files; create sockets;
read/update/delete system properties; use reflection API and so on.
+To restrict user-defined code options you may use the Ignite Sandbox based on
the Java Sandbox model.
+
+You can read about the Java Sandbox model
link:https://docs.oracle.com/en/java/javase/11/security/java-se-platform-security-architecture.html#GUID-C203D80F-C730-45C3-AB95-D4E61FD6D89C[here,window=_blank].
+
+== Ignite Sandbox activation
Review comment:
Ignite Sandbox activation => Ignite Sandbox Activation
All the letters have to be capitalized (the rule doesn't apply to
prepositions and articles)
##########
File path: docs/_docs/security/sandbox.adoc
##########
@@ -0,0 +1,80 @@
+= The Ignite Sandbox
+
+== Overview
+Ignite allows using a user-defined code that can be a compute job, event
filter, message listener, etc.
+This user-defined code can utilize Java features to get access to host
resources.
+For example, it can create/update/delete files; create sockets;
read/update/delete system properties; use reflection API and so on.
+To restrict user-defined code options you may use the Ignite Sandbox based on
the Java Sandbox model.
+
+You can read about the Java Sandbox model
link:https://docs.oracle.com/en/java/javase/11/security/java-se-platform-security-architecture.html#GUID-C203D80F-C730-45C3-AB95-D4E61FD6D89C[here,window=_blank].
+
+== Ignite Sandbox activation
+
+There are some conditions to activate the Ignite Sandbox.
+
+- The first condition is _the SecurityManager must be installed_.
+
+Due to the fact, that Ignite Sandbox is based on the Java Sandbox model, and
the SecurityManager is an important part of that model, you need to have it
installed.
+The SecurityManager is responsible for checking, which security policy is
currently in effect. It also performs access control checks.
+The security manager is not automatically installed when an application is
running. If you run Ignite as a separate application,
+you must invoke the Java Virtual Machine with the `-Djava.security.manager`
command-line argument (which sets the value of the `java.security.manager
property`).
+There is also a -Djava.security.policy command-line argument, defining, which
policy files are utilized.
+If you don't include `-Djava.security.policy` into the command line, then the
policy files specified in the security properties file will be used.
+
+You can read more about Security Management
link:https://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc6.html#a19349[here,window=_blank].
+
+NOTE: It may be convenient adding the security manager and the policy
command-line arguments to `{IGNITE-HOME}/bin/ignite.sh|ignite.bat` script.
+Read more about link:/quick-start/java#starting_a_node[starting a node].
+
+NOTE: Ignite should have enough permissions to work correctly.
+You may apply the most straightforward way that is granting to Ignite the
`java.security.AllPermission` permission,
+but you should remember the "giving permissions as low as possible" security
principle.
+
+- The second condition to activate the Ignite Sandbox is _an implementation of
the `GridSecurityProcessor` interface must be installed_.
Review comment:
Just say "Provide an implementation of the GridSecurityProcessor...."
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
