[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17639808#comment-17639808 ]

Berenguer Blasi commented on CASSANDRA-17848:
---------------------------------------------

I have been looking at this one also. I would only add we'd need to run j11 CI as well, j8 is already green, but +1 otherwise.

> LIST PERMISSION can display incorrect resource name
> ---------------------------------------------------
>
>                 Key: CASSANDRA-17848
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17848
>             Project: Cassandra
>          Issue Type: Bug
>          Components: CQL/Interpreter
>            Reporter: Yifan Cai
>            Assignee: Yifan Cai
>            Priority: Normal
>
> When producing the resource name, it seems to assume that the content in the
> `[]` is the function's input type, where it could also be part of the
> function name, as long as it is quoted. Here is an example to reproduce. In
> cqlsh,
> {code:java}
> > CREATE FUNCTION test."admin_created_udf[org.apache.cassandra.db.marshal.LongType]"(input int) RETURNS NULL ON NULL INPUT RETURNS int LANGUAGE java AS 'return 42;';
> > LIST EXECUTE OF user;
>  role | username | resource | permission
> ------+----------+----------+------------
>  user |     user |          |    EXECUTE
> (1 rows)
> {code}
> The input should be "int", but in the output, it says "long".
> If the content enclosed by "[]" is not a valid class, the LIST PERMISSION
> request always fails for the user with "ConfigurationException: Unable to
> find abstract-type class".
> The bug is discovered by Piotr Sarna.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17638687#comment-17638687 ]

Sam Tunnicliffe commented on CASSANDRA-17848:
---------------------------------------------

+1 modulo a typo in the tests (I left a comment on the PR). We should backport as far as 3.0, though I think that will be trivial.

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17635671#comment-17635671 ]

Berenguer Blasi commented on CASSANDRA-17848:
---------------------------------------------

[~yifanc] I looked into it when you posted the PRs and at the first pass it looked ok. But I am busy atm with some perf testing. I have not forgotten, I am just doing other stuff but will come back.

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17635567#comment-17635567 ]

Yifan Cai commented on CASSANDRA-17848:
---------------------------------------

Hi [~samt] and [~bereng] , can either of you review?

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17631893#comment-17631893 ]

Yifan Cai commented on CASSANDRA-17848:
---------------------------------------

I originally wanted to only post the patch. Here is the link to CI. [https://app.circleci.com/pipelines/github/yifan-c/cassandra?branch=CASSANDRA-17848%2Ftrunk]

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17631529#comment-17631529 ]

Berenguer Blasi commented on CASSANDRA-17848:
---------------------------------------------

I see you mentioned CI but maybe forgot to add the link to the run?

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17631210#comment-17631210 ]

Yifan Cai commented on CASSANDRA-17848:
---------------------------------------

The issue is on listing the permissions only. It either parses the stored function name incorrectly or fails to parse. Invoking/using those functions is allowed. For example, the below SELECT statement runs just fine (and returns 42 as defined in the function body).

{code:java}
SELECT a, b, cql_test_keyspace."admin_created_udf[org.apache.cassandra.db.marshal.LongType]"(a, b) FROM cql_test_keyspace.tbl WHERE a = 1;
{code}

If Cassandra no longer permits creating functions with the disallowed characters, the existing functions should not be affected. They can still be used like the above example. However, it does not fix the broken output from listing permissions. So, as Sam said, we need to do both #1 and #2.

bq. perhaps we can localise a custom parsing implementation to `ListPermissionsStatement`, leave `FunctionResource#fromName` as it is and tighten up the naming rules going forward?

I think `FunctionResource#fromName` is the right place to have the parsing logic. Maybe I am missing something?

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17630853#comment-17630853 ]

Sam Tunnicliffe commented on CASSANDRA-17848:
---------------------------------------------

I agree, we should apply more strict validation when creating functions/aggregates to prevent this from happening. Unfortunately though, I'm afraid we also have to handle existing cases in the wild, so we may need to do (some of) both #1 and #2.

If actually using functions with these problematic names works, perhaps we can localise a custom parsing implementation to `ListPermissionsStatement`, leave `FunctionResource#fromName` as it is and tighten up the naming rules going forward? On the other hand, if functions named this way are completely unusable, then backwards compatibility is not such an issue and #1 alone is probably sufficient.

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17630762#comment-17630762 ]

Berenguer Blasi commented on CASSANDRA-17848:
---------------------------------------------

#1 is the obvious preference. The problem is going to be with backwards compatibility. I think we can safely and reasonably argue this is a bug and an accident waiting to happen that needs fixing. It might impact some users obviously but then again, it's a bug in my eyes. Happy to hear more opinions.

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17630674#comment-17630674 ]

Yifan Cai commented on CASSANDRA-17848:
---------------------------------------

Basically there are 2 possible solutions.

1. Reject at the UDF creation when its name contains any of the special characters '/', '[' and ']'. Those characters should be rarely needed as part of the function names. It requires updating the disallowed characters list when a new special character is introduced in the future.
2. Patch the {{FunctionResource#fromName}} implementation to first locate the last `[...]` segment (as the function's argument list) and treat whatever appears before it as the function name. Sounds error-prone.

I'd lean towards the approach 1. [~samt] and [~bereng], wondering what is your preference since you both have touched the method in question.

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17630665#comment-17630665 ]

Yifan Cai commented on CASSANDRA-17848:
---------------------------------------

The root cause of the confusing value for the {{resource}} column is located at {{org.apache.cassandra.auth.FunctionResource#fromName}}. The implementation assumes the special characters (i.e. /, [ and ]) are not used in the function name, and uses those characters to parse the encoded function name string read from role_permissions table. However, quoted text is allowed as function names. It is permitted to have those characters in the function names, which breaks the parsing logic.

In addition to the example in the description, it is allowed to create a function with `/` in the name, as long as it is quoted.

{code:java}
CREATE FUNCTION cql_test_keyspace."my/amazing/udf"(input int) RETURNS NULL ON NULL INPUT RETURNS int LANGUAGE java AS 'return 42;';
{code}

Once the UDF is created, listing permission on the role breaks since `/` is used to determine if a resource is valid or not.

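
Added illustration, not part of the thread and not Cassandra's own code: a stand-alone model of the delimiter ambiguity described in the root-cause comment, next to the two remedies proposed in the thread (reject reserved characters at creation time, or treat only the last `[...]` segment as the argument list). The class and method names are hypothetical, and the stored layout `functions/<keyspace>/<name>[<argument types>]` is an assumption made for the example. It also assumes that keyspace names and argument type strings never contain `/`, `[` or `]`.

```java
// Added example; not Cassandra source. Assumed encoding: functions/<keyspace>/<name>[<arg types>]
public class FunctionResourceNameDemo {
    static final String ROOT = "functions";

    // Naive decoding as the ticket describes it: '/', '[' and ']' are treated as
    // delimiters wherever they occur, so the first [...] is taken as the argument list.
    static String[] parseNaive(String encoded) {
        String[] parts = encoded.split("/");
        if (parts.length != 3 || !parts[0].equals(ROOT))
            throw new IllegalArgumentException("not a valid function resource name");
        String tail = parts[2];
        int open = tail.indexOf('[');
        int close = tail.indexOf(']', open + 1);
        if (open < 0 || close < 0)
            throw new IllegalArgumentException("missing argument list");
        return new String[] { parts[1], tail.substring(0, open), tail.substring(open + 1, close) };
    }

    // Option 2 from the thread: only the last [...] segment is the argument list and
    // everything between the keyspace and that segment is the function name.
    static String[] parseLastBracket(String encoded) {
        String[] parts = encoded.split("/", 3); // limit 3 keeps any '/' inside the name
        if (parts.length != 3 || !parts[0].equals(ROOT))
            throw new IllegalArgumentException("not a valid function resource name");
        String tail = parts[2];
        int open = tail.lastIndexOf('[');
        if (open < 0 || !tail.endsWith("]"))
            throw new IllegalArgumentException("missing argument list");
        return new String[] { parts[1], tail.substring(0, open),
                              tail.substring(open + 1, tail.length() - 1) };
    }

    // Option 1 from the thread: refuse new names containing the reserved characters.
    static boolean isAllowedNewName(String functionName) {
        for (char reserved : new char[] { '/', '[', ']' })
            if (functionName.indexOf(reserved) >= 0)
                return false;
        return true;
    }

    static String show(String[] p) {
        return "keyspace=" + p[0] + " name=" + p[1] + " args=" + p[2];
    }

    public static void main(String[] args) {
        String intType = "org.apache.cassandra.db.marshal.Int32Type";
        String[] stored = { // constructed sample values
            "functions/test/plain_udf[" + intType + "]",
            "functions/test/admin_created_udf[org.apache.cassandra.db.marshal.LongType][" + intType + "]",
            "functions/cql_test_keyspace/my/amazing/udf[" + intType + "]",
        };
        for (String s : stored) {
            System.out.println(s);
            try {
                System.out.println("  naive:        " + show(parseNaive(s)));
            } catch (IllegalArgumentException e) {
                System.out.println("  naive:        rejected, " + e.getMessage());
            }
            System.out.println("  last-bracket: " + show(parseLastBracket(s)));
            System.out.println("  allowed as a new name: " + isAllowedNewName(parseLastBracket(s)[1]));
        }
    }
}
```

The second sample reproduces the wrong argument type from the description under the naive decoder, and the third is rejected outright because of the extra `/`; the last-bracket decoder recovers both names, which is why names already stored need the parser change even if new names are validated.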