The property you are setting permits some kinds of privilege escalation, but by default classes outside of those pre-defined by the whitelist are not permitted. This is imposed here: https://github.com/apache/cassandra/blob/210793f943dc522161fd26b6192f38a5c83fa131/src/java/org/apache/cassandra/cql3/functions/UDFunction.java#L168
You will need to modify the source code to e.g. add additional allowedPatterns, or perhaps to permit additional patterns to be configured at startup.

From: Sébastien Rebecchi <srebec...@kameleoon.com>
Date: Wednesday, 6 April 2022 at 15:15
To: dev@cassandra.apache.org <dev@cassandra.apache.org>, e.dimitr...@gmail.com <e.dimitr...@gmail.com>
Cc: ble...@apache.org <ble...@apache.org>
Subject: Re: UDF: adding custom jar to classpath

Hi Ekaterina,

I use 4.0.1.
But as I said I added a jar in classpath (/usr/share/cassandra/lib/ folder on every node) and I see that the jar is loaded in the classpath from the Cassandra command line. And I have "enable_user_defined_functions: true" and "enable_user_defined_functions_threads: false" in cassandra.yaml. So I don't see what is missing or not done properly.

Best regards,
Sébastien.

On Wed, 6 Apr 2022 at 16:03, Ekaterina Dimitrova <e.dimitr...@gmail.com> wrote:

Hi Sebastian,

Do you use the latest 4.0.3 version? Those options were added in 4.0.2 I believe, so if you try them with an earlier version - below message is what you would get as they didn’t exist.

Best regards,
Ekaterina

On Wed, 6 Apr 2022 at 9:53, Sébastien Rebecchi <srebec...@kameleoon.com> wrote:

Hi Benjamin, Hi everybody,

I found in the documentation that we should add "allow_insecure_udfs: true" and optionally "allow_extra_insecure_udfs: true" so that "enable_user_defined_functions_threads: false" is really taken into account (I understood like that). That would explain why my UDF still does not run even with "enable_user_defined_functions_threads: false".
Found in https://github.com/apache/cassandra/blob/cassandra-4.0/NEWS.txt

So I tried to add "allow_insecure_udfs: true" and "allow_extra_insecure_udfs: true" in cassandra.yaml, but then Cassandra failed to restart and I got that error in logs "Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered during startup: Invalid yaml.
Please remove properties [allow_insecure_udfs, allow_extra_insecure_udfs] from your cassandra.yaml".

Should I understand that we can activate those 2 extra confs only by changing source code? That would be really disappointing :(
And if no, then how to activate all UDF possibilities from cassandra.yaml please?

Thanks in advance,
Sébastien.

On Tue, 5 Apr 2022 at 10:36, Benjamin Lerer <ble...@apache.org> wrote:

Unfortunately, I do not have much time for doing some digging. Sorry for that :-(
You should look at JavaBasedUDFunction and UDFExecutorService.

On Mon, 4 Apr 2022 at 17:25, Sébastien Rebecchi <srebec...@kameleoon.com> wrote:

Hi!
Do you have any more ideas for me?

Cordially,
Sébastien.

On Mon, 28 Mar 2022 at 16:39, Sébastien Rebecchi <srebec...@kameleoon.com> wrote:

Unfortunately, it is not working even with "enable_user_defined_functions_threads: false" in cassandra.yaml :/
Is there any way to check the running configuration?

On Mon, 28 Mar 2022 at 15:35, Benjamin Lerer <ble...@apache.org> wrote:

I do not think that allowing to customize UDF classes whitelist has been discussed before. Feel free to open a JIRA ticket :-)
I have some plans to revisit how we secure UDFs as the current threading approach has some impact in terms of latency. That can be a good opportunity to look into providing more flexibility.

On Mon, 28 Mar 2022 at 15:00, Sébastien Rebecchi <srebec...@kameleoon.com> wrote:

Thank you very much! I will try that.
As you know, would it be a long-term solution? Or is there any plan to add the possibility to customize UDF classes whitelist?

On Mon, 28 Mar 2022 at 14:31, Benjamin Lerer <ble...@apache.org> wrote:

Is there a way to customize that default behaviour?
Looking at JavaBasedUDFunction quickly it seems that the ClassLoader is only used when you use the UDFExecutorService to execute your UDFs. You can try to disable it using "enable_user_defined_functions_threads: false" and see if it works.
Now that also means that you have to ensure that only trusted persons can create UDF or UDA as it removes all safety mechanisms.

On Mon, 28 Mar 2022 at 13:23, Sébastien Rebecchi <srebec...@kameleoon.com> wrote:

Hi Benjamin,

Thanks for the answer.
Is there a way to customize that default behaviour?
If no, could you indicate where to find this class loader in the github of Cassandra please?

On Mon, 28 Mar 2022 at 12:40, Benjamin Lerer <ble...@apache.org> wrote:

Hi Sébastien,

Cassandra uses a special classloader for UDFs that limits which classes can be used. You cannot rely on non-JDK classes for UDFs and some of the JDK packages like the IO package for example cannot be used. The goal is simply to ensure that UDFs cannot compromise the server security.

On Mon, 28 Mar 2022 at 11:31, Sébastien Rebecchi <srebec...@kameleoon.com> wrote:

Hello,

I am trying to create a UDF based on custom methods. So I set enable_user_defined_functions to true and added a jar in "/usr/share/cassandra/lib/" folder on every node, restarted the nodes and I can see from the command line that the jar is indeed used (in the classpath with -cp).
But when I create the UDF I got that error:

CREATE OR REPLACE FUNCTION blobToJson (input blob)
RETURNS NULL ON NULL INPUT
RETURNS text
LANGUAGE java
AS 'return com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';

InvalidRequest: Error from server: code=2200 [Invalid query] message="Java source compilation failed:
Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
Line 1: com.kameleoon.visit.Visit cannot be resolved to a type

Of course the class com.kameleoon.visit.Visit does exist in the jar and the jar has read rights to every user (chmod 444). So I can not find the reason.

versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 | Native protocol v5]

Any help would be appreciated!
Thanks!

Sébastien.
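
Added example, not part of the thread and not Cassandra's code: a simplified allowlisting class loader showing why a class that is on the server classpath can still fail to resolve for a UDF. The class name UdfAllowlistDemo, the method permitted() and both prefix lists are hypothetical; Cassandra's real patterns live in the UDFunction.java file linked at the top of the thread.

```java
import java.util.Arrays;
import java.util.List;

// Simplified illustration of a class allowlist for user code.
public class UdfAllowlistDemo {
    // Hypothetical resource prefixes; not Cassandra's actual lists.
    static final List<String> ALLOWED = Arrays.asList(
        "java/lang/", "java/math/", "java/util/", "java/nio/ByteBuffer.class");
    // Deny entries win, so a broad allowed prefix cannot expose a risky class.
    static final List<String> DENIED = Arrays.asList(
        "java/lang/reflect/", "java/lang/Runtime.class", "java/lang/ProcessBuilder.class");

    static boolean permitted(String className) {
        String resource = className.replace('.', '/') + ".class";
        if (DENIED.stream().anyMatch(resource::startsWith))
            return false;
        return ALLOWED.stream().anyMatch(resource::startsWith);
    }

    // Refuses any class outside the allowlist, even when the parent could load it.
    static final class RestrictedLoader extends ClassLoader {
        RestrictedLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!permitted(name))
                throw new ClassNotFoundException(name + " is not permitted for UDFs");
            return super.loadClass(name, resolve);
        }
    }

    public static void main(String[] args) {
        ClassLoader loader = new RestrictedLoader(UdfAllowlistDemo.class.getClassLoader());
        String[] names = {
            "java.nio.ByteBuffer",        // JDK class on the allowlist
            "java.lang.Runtime",          // JDK class explicitly denied
            "java.io.File",               // JDK package not on the allowlist
            "com.kameleoon.visit.Visit",  // class name from the thread: no allowlist entry
            "UdfAllowlistDemo"            // present on the classpath, still refused
        };
        for (String name : names) {
            try {
                loader.loadClass(name);
                System.out.println("resolved " + name);
            } catch (ClassNotFoundException e) {
                System.out.println("refused  " + name);
            }
        }
    }
}
```

Only java.nio.ByteBuffer resolves; every allowlist entry added widens what any role allowed to create functions can reach on the server, so such changes belong together with tight control over who may create UDFs and UDAs.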