Security issues with distributed execution
See bug 3071. basically, the issues are that arbitrary code can be executed on the slaves so the utmost care needs to be take wrt security. kar files need to be signed, workflows should also possibly be signed. the command line and scripting actors might need additional security built into them. This basically breaks the java sandbox.
#1 Updated by Christopher Brooks about 13 years ago
Ptolemy is reasonably well set up to use the Java sandbox, see $PTII/doc/sandbox.htm for details.
The sandbox has fairly fine granularity, by default the execution
of subprocesses is probably disabled.
See $PTII/bin/sandbox.policy for what is enabled.
Perhaps remote kepler processes should be started up in a sandbox in the default,
with the command line and scripting actors defacto disabled?
#2 Updated by Matt Jones about 13 years ago
Its the ability to use the command line actor (for access to various custom simulation models) and the scripting actors like the RExpression actor (to do various custom data processing tasks) that would make distributed execution useful. Eliminating these from the actors available essentially eliminates a vast majority of workflows that a scientist would want to run in a distributed environment. This is a major security/capability dilemma.
#3 Updated by jianwu jianwu about 11 years ago
It can be configured by permission policy file at slave side. Users who start slave will know their requirements and do the corresponding configuration. How to change policy file to permit and forbid ExternalExe and Python actor has been tested. Matlab and R scripting actors are also being tested.
#4 Updated by jianwu jianwu almost 11 years ago
It is fixed at version 24539. When a slave is started using startWithExecutionPolicy command, it will use master-slave.policy file to run in a secure sandbox.
By default, it will not allow 'External Execution', 'Python', 'Matlab', 'R'
actors to be executed at the slave side, since there may be malicious codes embedded in these actors.
By configuration this file, the allowance for the above actors can be configured.