[
https://issues.apache.org/jira/browse/CASSANDRA-9402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14559291#comment-14559291
]
Brian Hess commented on CASSANDRA-9402:
----------------------------------------
There is another alternative - FENCED UDFs. DB2 and Netezza had these options.
Essentially, the UDF will run in a separate process when it is registered as
FENCED, and run in-process when it is registered as UNFENCED.
This doesn't necessarily remove all the issues, but it does help mitigate
them/some - especially since it would (optionally) run as another user.
This could look like the following with Cassandra:
- FENCED is a GRANTable privilege
- In cassandra.yaml you can specify the user to use when launching the separate
process (so that it is *not* the same user that is running the database - or
optionally is)
- This is good so that the UDF can't stop the database, delete database
files, etc.
- For FENCED UDFs, IPC would be used to transfer rows to the UDF and to return
results. We could use CQL rows for the data. This could be shared memory or
sockets (Unix or TCP - slight preference for sockets for some follow-on ideas).
- Ideally, switching from FENCED to UNFENCED would be just a DDL change. That
is, the API would work such that a simple "ALTER FUNCTION myFunction(DOUBLE,
DOUBLE) UNFENCED" would change it.
- If you wanted, because this is a separate process you could use a separate
class loader.
> Implement proper sandboxing for UDFs
> ------------------------------------
>
> Key: CASSANDRA-9402
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9402
> Project: Cassandra
> Issue Type: Task
> Reporter: T Jake Luciani
> Assignee: Robert Stupp
> Priority: Critical
> Labels: doc-impacting, security
> Fix For: 2.2.0 rc1
>
>
> We want to avoid a security exploit for our users. We need to make sure we
> ship 2.2 UDFs with good defaults so someone exposing it to the internet
> accidentally doesn't open themselves up to having arbitrary code run.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
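An added illustration of the fenced-execution idea in the comment above (example code, not part of the comment or of the Cassandra project): a hypothetical Python host forks the UDF into a child process and ships rows over a Unix socketpair as JSON lines, so a UDF that raises is reported as an error and a UDF that kills its own process leaves the host running. The cassandra.yaml worker-user setting and all function names are assumptions.

```python
import json
import os
import socket

class FencedUdfError(Exception):
    """Raised in the host when the worker dies or the UDF raises."""

def _serve(conn, fn):
    # Child side: read one JSON row per line, apply fn, write one JSON reply.
    with conn.makefile("r") as rd, conn.makefile("w", buffering=1) as wr:
        for line in rd:
            try:
                reply = {"ok": fn(*json.loads(line))}
            except Exception as e:          # UDF raised: report it, keep serving
                reply = {"error": repr(e)}
            wr.write(json.dumps(reply) + "\n")

class FencedUdf:                            # host side of a FENCED function
    def __init__(self, fn):
        self.sock, udf_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        self.pid = os.fork()
        if self.pid == 0:                   # child: the fenced UDF process
            self.sock.close()
            # Real deployment: os.setuid() to the cassandra.yaml worker user
            # (assumed setting); omitted so the example runs unprivileged.
            try:
                _serve(udf_end, fn)
            finally:
                os._exit(0)                 # never fall back into host code
        udf_end.close()
        self.rd, self.wr = self.sock.makefile("r"), self.sock.makefile("w", buffering=1)
    def call(self, *args):
        self.wr.write(json.dumps(args) + "\n")
        line = self.rd.readline()
        if not line:                        # EOF: the worker process is gone
            self.close()
            raise FencedUdfError("fenced worker died; host process unaffected")
        reply = json.loads(line)
        if "error" in reply:
            raise FencedUdfError(reply["error"])
        return reply["ok"]
    def close(self):
        for f in (self.wr, self.rd, self.sock):
            f.close()
        os.waitpid(self.pid, 0)

def add_doubles(a, b):                      # constructed well-behaved UDF
    return a + b
def kill_self(a, b):                        # constructed misbehaving UDF
    os._exit(3)                             # ends only its own process
```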