[ https://issues.apache.org/jira/browse/CASSANDRA-9402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14557692#comment-14557692 ]
Robert Stupp commented on CASSANDRA-9402:
-----------------------------------------

I ran a standard [perf test on cstar|http://cstar.datastax.com/graph?stats=18a419f0-019c-11e5-af5c-42010af0688f&metric=op_rate&operation=1_write&smoothing=1&show_aggregates=true&xmin=0&xmax=216.37&ymin=0&ymax=133049.4] to compare "pure C*" against "C* with a security manager w/ just {{AllPermission}}". Performance regression for writes is about 3% and 1% for writes.

Background: unfortunately it's only possible to use one "monolithic" {{SecurityManager}} in the whole VM. I found no way to use a security manager just during the execution of UDFs. The additional "critical paths" traveled for checking permissions are {{java.security.AccessController#checkPermission}} and {{java.security.AccessControlContext#checkPermission}}. (Permissions ({{ProtectionDomain}}) are "attached" to classes, not to threads.)

> Implement proper sandboxing for UDFs
> ------------------------------------
>
>                 Key: CASSANDRA-9402
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9402
>             Project: Cassandra
>          Issue Type: Task
>            Reporter: T Jake Luciani
>            Assignee: Robert Stupp
>            Priority: Critical
>             Fix For: 2.2.0 rc1
>
>
> We want to avoid a security exploit for our users. We need to make sure we
> ship 2.2 UDFs with good defaults so someone exposing it to the internet
> accidentally doesn't open themselves up to having arbitrary code run.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
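The mechanism the comment above describes, as an added stand-alone example that is not part of the JIRA thread and not Cassandra code: a single {{SecurityManager}} is installed for the whole VM, and from then on every permission check walks the {{ProtectionDomain}}s on the current call stack (the {{AccessController#checkPermission}} / {{AccessControlContext#checkPermission}} path the comment names). Because permissions belong to the domains on the stack rather than to the thread, the same thread running the same method gets a different answer depending on whether a restricted {{AccessControlContext}} has been pushed around the call. The class name {{SandboxDemo}} and the use of {{java.version}} as the probed property are this example's own choices.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Hypothetical demo class (not Cassandra code). Shows that the SecurityManager is
// VM-wide while the permissions a check sees come from the ProtectionDomains on
// the call stack, not from the thread that is running.
public class SandboxDemo {

    // A ProtectionDomain that grants nothing. ProtectionDomain(CodeSource,
    // PermissionCollection) builds a "static" domain whose implies() consults only
    // the given collection, so an empty Permissions denies every permission.
    // Running an action with this context means each checkPermission reached from
    // inside the action intersects the caller's grants with "nothing".
    private static final AccessControlContext NO_PERMISSIONS =
        new AccessControlContext(new ProtectionDomain[] {
            new ProtectionDomain(null /* no CodeSource */, new Permissions())
        });

    // Stand-in for a "UDF body". The same code runs inside and outside the sandbox.
    // java.version is readable under the JDK's default java.policy, so the only thing
    // that decides the outcome is what is on the stack at the time of the check.
    static String readJavaVersion() {
        return System.getProperty("java.version");
    }

    // Run an action with the empty domain on the stack and report the result.
    static String runSandboxed(PrivilegedAction<String> action) {
        try {
            return AccessController.doPrivileged(action, NO_PERMISSIONS);
        } catch (AccessControlException e) {
            // SecurityManager.checkPropertyAccess -> AccessController.checkPermission
            // found a domain on the stack that does not imply PropertyPermission.
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Exactly one SecurityManager for the whole VM. From here on *every*
        // permission check in the process, UDF or not, pays for the stack walk in
        // AccessController.checkPermission / AccessControlContext.checkPermission,
        // which is the cost the comment measured even with AllPermission granted.
        System.setSecurityManager(new SecurityManager());

        // Same thread, same method, two different answers: the first call succeeds
        // under the default policy, the second is denied because NO_PERMISSIONS is
        // on the stack.
        System.out.println("unsandboxed: " + readJavaVersion());
        System.out.println("sandboxed:   " + runSandboxed(SandboxDemo::readJavaVersion));
    }
}
```

Compile and run with {{javac SandboxDemo.java && java SandboxDemo}} on the JDK 8 era platform the thread discusses. On JDK 18 and later the security manager is disallowed by default and {{System.setSecurityManager}} throws unless the VM is started with {{-Djava.security.manager=allow}} (the API was deprecated for removal in JDK 17 and permanently disabled in JDK 24), so this approach is not available on current JDKs. Note what the example does and does not do: it scopes the *permissions* of one call, but it cannot scope the *manager* itself, which is why the comment reports the per-check overhead across the whole VM.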