[ https://issues.apache.org/jira/browse/CASSANDRA-19532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835536#comment-17835536 ]
Abe Ratnofsky commented on CASSANDRA-19532:
-------------------------------------------
One of the goals here is to add another layer of defense for users that don't
use triggers but want to block their execution in case someone gets write
access to conf/triggers. I initially had support for a JMX endpoint to change
TriggersPolicy but felt (along with [~samt]) that it added another attack
vector rather than strengthening the security of the system.

As far as Guardrails - I see what you mean. I could convert
TriggersPolicy.disabled to warn and TriggersPolicy.forbidden to fail, and guard
in TriggerExecutor#loadTriggerInstance where I throw TriggersDisabledException.
I do want to execute the query but not the triggers on "warn"; I'm not sure if
that's an intuitive use of Guardrails or stretching the definition too far
though.

Is there anything I'm missing that Guardrails gets us?

> Allow operators to disable the execution of triggers
> ----------------------------------------------------
>
> Key: CASSANDRA-19532
> URL: https://issues.apache.org/jira/browse/CASSANDRA-19532
> Project: Cassandra
> Issue Type: Improvement
> Components: Local/Other
> Reporter: Abe Ratnofsky
> Assignee: Abe Ratnofsky
> Priority: Normal
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently, triggers are discouraged but there's no explicit way to disable
> them. Similar configuration already exists to disable other features, such as
> "conf.materialized_views_enabled". There should be a means for operators to
> gracefully disable the creation and execution of triggers.
>
> I have a patch ready for this, getting a first review now and will push it
> shortly.