Kepler

Ptolemy is reasonably well set up to use the Java sandbox, see $PTII/doc/sandbox.htm for details.

The sandbox has fairly fine granularity, by default the execution
of subprocesses is probably disabled.

See $PTII/bin/sandbox.policy for what is enabled.

Perhaps remote kepler processes should be started up in a sandbox in the default,
with the command line and scripting actors defacto disabled?

Its the ability to use the command line actor (for access to various custom simulation models) and the scripting actors like the RExpression actor (to do various custom data processing tasks) that would make distributed execution useful. Eliminating these from the actors available essentially eliminates a vast majority of workflows that a scientist would want to run in a distributed environment. This is a major security/capability dilemma.

It can be configured by permission policy file at slave side. Users who start slave will know their requirements and do the corresponding configuration. How to change policy file to permit and forbid ExternalExe and Python actor has been tested. Matlab and R scripting actors are also being tested.

It is fixed at version 24539. When a slave is started using startWithExecutionPolicy command, it will use master-slave.policy file to run in a secure sandbox.

By default, it will not allow 'External Execution', 'Python', 'Matlab', 'R'
actors to be executed at the slave side, since there may be malicious codes embedded in these actors.

By configuration this file, the allowance for the above actors can be configured.

Original Bugzilla ID was 3072