[jira] [Commented] (CASSANDRA-15005) Configurable whilelist for UDFs

Sun, 14 Nov 2021 09:12:12 -0800 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-15005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17443392#comment-17443392
 ] 

Adam Soroka commented on CASSANDRA-15005:
-----------------------------------------

Far from using this in production, I'm afraid I'm not even involved with that 
project very much any more. It has been more than two years, after all. 
Nevertheless, I'm happy to try to respond to review comments, just to get some 
closure on this.

> Configurable whilelist for UDFs
> -------------------------------
>
>                 Key: CASSANDRA-15005
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15005
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: CQL/Interpreter
>            Reporter: Adam Soroka
>            Priority: Low
>
> I would like to use the UDF system to distribute some simple calculations on 
> values. For some use cases, this would require access only to some Java API 
> classes that aren't on the (hardcoded) whitelist (e.g. 
> {{java.security.MessageDigest}}). In other cases, it would require access to 
> a little non-C* library code, pre-distributed to nodes by out-of-band means.
> As I understand the situation now, the whitelist for types UDFs can use is 
> hardcoded in java in 
> [UDFunction|[https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/cql3/functions/UDFunction.java#L99].]
> This ticket, then, is a request for a facility that would allow that list to 
> be extended via some kind of deployment-time configuration. I realize that 
> serious security concerns immediately arise for this kind of functionality, 
> but I hope that by restricting it (only used during startup, no exposing the 
> whitelist for introspection, etc.) it could be quite practical.
> I'd like very much to assist with this ticket if it is accepted. (I believe I 
> have sufficient Java skill to do that, but no real familiarity with C*'s 
> codebase, yet. :) )



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to