[ https://issues.apache.org/jira/browse/CASSANDRA-9402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14557692#comment-14557692 ]

Robert Stupp commented on CASSANDRA-9402:
-----------------------------------------

I ran a standard [perf test on cstar|http://cstar.datastax.com/graph?stats=18a419f0-019c-11e5-af5c-42010af0688f&metric=op_rate&operation=1_write&smoothing=1&show_aggregates=true&xmin=0&xmax=216.37&ymin=0&ymax=133049.4]
to compare "pure C*" against "C* with a security manager w/ just {{AllPermission}}".

Performance regression for writes is about 3% and 1% for writes.

Background: unfortunately it's only possible to use one "monolithic" 
{{SecurityManager}} in the whole VM. I found no way to use a security manager 
just during the execution of UDFs. The additional "critical paths" traveled for 
checking permissions are {{java.security.AccessController#checkPermission}} and 
{{java.security.AccessControlContext#checkPermission}}. (Permissions 
({{ProtectionDomain}}) are "attached" to classes not to threads.)

> Implement proper sandboxing for UDFs
> ------------------------------------
>
>                 Key: CASSANDRA-9402
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9402
>             Project: Cassandra
>          Issue Type: Task
>            Reporter: T Jake Luciani
>            Assignee: Robert Stupp
>            Priority: Critical
>             Fix For: 2.2.0 rc1
>
>
> We want to avoid a security exploit for our users.  We need to make sure we 
> ship 2.2 UDFs with good defaults so someone exposing it to the internet 
> accidentally doesn't open themselves up to having arbitrary code run.
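An added illustration of the point in the comment above (not code from the Cassandra project): permissions are decided per {{ProtectionDomain}}, i.e. per class origin, not per thread, so a single VM-wide {{SecurityManager}} can still confine only UDF code by keying a custom {{Policy}} on the class loader that loaded it. The class loader, policy and domains here are constructed for the demo; it targets the Java 8 era API the ticket discusses (Java 18+ needs {{-Djava.security.manager=allow}}).

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class UdfSandboxDemo {
    // Hypothetical loader standing in for the one that defines compiled UDF classes.
    static final ClassLoader UDF_LOADER = new ClassLoader() {};

    // Constructed domain as a UDF class would carry it: no code source URL, dynamic
    // permissions, owned by UDF_LOADER. Policy.implies is consulted for such domains.
    static final ProtectionDomain UDF_DOMAIN = new ProtectionDomain(
        new CodeSource(null, (Certificate[]) null), null, UDF_LOADER, null);

    // VM-wide policy: deny everything to classes from UDF_LOADER, AllPermission otherwise.
    // AccessControlContext#checkPermission calls this for every domain on the call stack.
    static final class UdfPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            return domain.getClassLoader() != UDF_LOADER;
        }
    }

    // The check is the same on every thread; only the domains in the context matter.
    static boolean allowed(Permission p, AccessControlContext ctx) {
        try { ctx.checkPermission(p); return true; }
        catch (AccessControlException e) { return false; }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new UdfPolicy());            // must precede the manager install
        System.setSecurityManager(new SecurityManager());
        Permission read = new FilePermission("/etc/passwd", "read");
        ProtectionDomain trusted = UdfSandboxDemo.class.getProtectionDomain();

        // A stack holding only the UDF domain.
        AccessControlContext udfOnly = new AccessControlContext(new ProtectionDomain[]{UDF_DOMAIN});
        // A stack holding only this trusted class.
        AccessControlContext trustedOnly = new AccessControlContext(new ProtectionDomain[]{trusted});
        // A mixed stack: trusted caller invoking UDF code. The effective permission set is
        // the intersection of all domains, so the UDF domain still decides the outcome.
        AccessControlContext mixed = new AccessControlContext(new ProtectionDomain[]{trusted, UDF_DOMAIN});

        System.out.println("udf-only stack allowed: " + allowed(read, udfOnly));
        System.out.println("trusted-only stack allowed: " + allowed(read, trustedOnly));
        System.out.println("mixed stack allowed: " + allowed(read, mixed));
    }
}
```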

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)