  1. Apache Cassandra
  2. CASSANDRA-9889

Disable scripted UDFs by default

Details

    • Improvement
    • Status: Resolved
    • Low
    • Resolution: Fixed
    • 3.0 beta 1
    • None
    • None

    Description

      (Follow-up to CASSANDRA-9402)

      TL;DR: this ticket is about adding another config option to enable scripted UDFs.

      Securing Java-UDFs is much easier than scripted UDFs.

      The secure execution of scripted UDFs heavily relies on "how secure" a particular script provider implementation is. Nashorn is probably pretty good at this - but (as discussed offline with iamaleksey) we are not certain. This becomes worse with other JSR-223 providers (which need to be installed by the user anyway).

      E.g.:

      # Enables use of scripted UDFs.
      # Java UDFs are always enabled, if enable_user_defined_functions is true.
      # Enable this option to be able to use UDFs with "language javascript" or any custom JSR-223 provider.
      enable_scripted_user_defined_functions: false
      

      TBH: I would feel more comfortable to have this one. But we should review this along with enable_user_defined_functions for 4.0.
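
An added example, not part of the ticket or of Cassandra's code: a small audit that reads the two UDF options from the text of a `cassandra.yaml` and reports when scripted UDFs are switched on. It assumes the option names shown above, top-level unindented keys, and that an absent key means disabled; the sample files are constructed.

```python
import re

# Constructed cassandra.yaml fragments, not taken from a real cluster.
SAMPLE_DEFAULT = """\
enable_user_defined_functions: true
# Enable this option to be able to use UDFs with "language javascript"
enable_scripted_user_defined_functions: false
"""
SAMPLE_RISKY = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # turned on for a JSR-223 provider
"""

UDF_KEY = "enable_user_defined_functions"
SCRIPTED_KEY = "enable_scripted_user_defined_functions"
# Top-level "key: value" only; commented-out or indented lines never match.
_LINE = re.compile(r"^(\w+)\s*:\s*([^#\s]+)")
# Spellings treated as true here (deliberately broad so the audit errs on flagging).
_TRUE = {"true", "yes", "on"}


def read_udf_flags(yaml_text):
    """Return {key: bool} for both UDF options; absent keys count as False (assumption)."""
    flags = {UDF_KEY: False, SCRIPTED_KEY: False}
    for line in yaml_text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).strip("'\"").lower() in _TRUE
    return flags


def audit(yaml_text):
    """Return a list of findings; empty when scripted UDFs are not enabled."""
    flags = read_udf_flags(yaml_text)
    findings = []
    if flags[SCRIPTED_KEY]:
        findings.append("scripted UDFs enabled: isolation depends on the JSR-223 provider")
        if not flags[UDF_KEY]:
            findings.append("scripted flag set while enable_user_defined_functions is off")
    return findings


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("risky", SAMPLE_RISKY)):
        print(name, audit(text) or "ok")
```
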

            People

              snazy Robert Stupp