Cassandra / CASSANDRA-9889

Disable scripted UDFs by default


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Low
    • Resolution: Fixed
    • Fix Version/s: 3.0 beta 1
    • Component/s: None
    • Labels:
      None

      Description

      (Follow-up to CASSANDRA-9402)

      TL;DR this ticket is about to add another config option to enable scripted UDFs.

      Securing Java-UDFs is much easier than scripted UDFs.

      The secure execution of scripted UDFs heavily relies on "how secure" a particular script provider implementation is. Nashorn is probably pretty good at this - but (as discussed offline with [~iamaleksey]) we are not certain. This becomes worse with other JSR-223 providers (which need to be installed by the user anyway).

      E.g.:

      # Enables use of scripted UDFs.
      # Java UDFs are always enabled, if enable_user_defined_functions is true.
      # Enable this option to be able to use UDFs with "language javascript" or any custom JSR-223 provider.
      enable_scripted_user_defined_functions: false
      

      TBH: I would feel more comfortable to have this one. But we should review this along with enable_user_defined_functions for 4.0.
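An added example, not part of the ticket or the Cassandra code base: a stdlib-only Python check that reads cassandra.yaml text and reports which UDF languages the two flags above allow. The function name, status labels and sample configs are constructed for illustration; a missing key is reported as unpinned because its effective value depends on the default of the version in use.

```python
import re

# Matches the two flags only as top-level keys (column 0), so commented-out
# or indented lines are ignored. The value stops at whitespace or an inline '#'.
_FLAG = re.compile(r"^(enable_(?:scripted_)?user_defined_functions)\s*:\s*([^#\s]+)")
_TRUE = {"true", "yes", "on"}  # YAML 1.1 truthy spellings, compared lowercased
_KEYS = ("enable_user_defined_functions", "enable_scripted_user_defined_functions")


def udf_posture(yaml_text):
    """Return (status, detail) for the UDF flags found in cassandra.yaml text."""
    flags = {}
    for line in yaml_text.splitlines():
        m = _FLAG.match(line)
        if m:
            flags[m.group(1)] = m.group(2).strip("'\"").lower() in _TRUE
    missing = [k for k in _KEYS if k not in flags]
    if missing:
        # Hypothetical policy: require both flags to be written out explicitly.
        return "unpinned", "not set explicitly: " + ", ".join(missing)
    udf, scripted = flags[_KEYS[0]], flags[_KEYS[1]]
    if scripted and udf:
        return "scripted-enabled", "JSR-223 script engines can run UDF bodies"
    if scripted:
        return "inconsistent", "scripted flag is true while UDFs are disabled"
    if udf:
        return "java-only", "Java UDFs allowed, scripted UDFs off"
    return "udfs-disabled", "no user-defined functions allowed"


# Constructed sample configs (not taken from a real cluster).
SAMPLES = {
    "hardened": "enable_user_defined_functions: true\n"
                "enable_scripted_user_defined_functions: false\n",
    "scripted": "enable_user_defined_functions: true\n"
                "enable_scripted_user_defined_functions: true  # javascript\n",
    "commented": "enable_user_defined_functions: true\n"
                 "# enable_scripted_user_defined_functions: true\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, udf_posture(text))
```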

              People

              • Assignee:
                snazy Robert Stupp
                Reporter:
                snazy Robert Stupp
                Authors:
                Robert Stupp