[jira] [Commented] (CASSANDRA-15005) Configurable whilelist for UDFs

Thu, 30 Sep 2021 11:01:27 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-15005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17422947#comment-17422947
 ] 

Josh McKenzie commented on CASSANDRA-15005:
-------------------------------------------

ping [~ajs6f] - did you end up using this in production in the interim? And 
would you like to pick this back up for a possible 4.1 release? I'm happy to 
take on review of this for you; just let me know.

> Configurable whilelist for UDFs
> -------------------------------
>
>                 Key: CASSANDRA-15005
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15005
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: CQL/Interpreter
>            Reporter: Adam Soroka
>            Priority: Low
>
> I would like to use the UDF system to distribute some simple calculations on 
> values. For some use cases, this would require access only to some Java API 
> classes that aren't on the (hardcoded) whitelist (e.g. 
> {{java.security.MessageDigest}}). In other cases, it would require access to 
> a little non-C* library code, pre-distributed to nodes by out-of-band means.
> As I understand the situation now, the whitelist for types UDFs can use is 
> hardcoded in java in 
> [UDFunction|[https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/cql3/functions/UDFunction.java#L99].]
> This ticket, then, is a request for a facility that would allow that list to 
> be extended via some kind of deployment-time configuration. I realize that 
> serious security concerns immediately arise for this kind of functionality, 
> but I hope that by restricting it (only used during startup, no exposing the 
> whitelist for introspection, etc.) it could be quite practical.
> I'd like very much to assist with this ticket if it is accepted. (I believe I 
> have sufficient Java skill to do that, but no real familiarity with C*'s 
> codebase, yet. :) )



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to