Hi Sebastian, Do you use the latest 4.0.3 version? Those options were added in 4.0.2 I believe, so if you try them with an earlier version - below message is what you would get as they didn’t exist.
Best regards, Ekaterina On Wed, 6 Apr 2022 at 9:53, Sébastien Rebecchi <srebec...@kameleoon.com> wrote: > Hi Benjamin, Hi everybody, > > I found in the documentation that we should add "allow_insecure_udfs: > true" and optionally "allow_extra_insecure_udfs: true" so that > "enable_user_defined_functions_threads: false" is really taken into account > (I understood like that). That would explain why my UDF still does not run > even with "enable_user_defined_functions_threads: false". Found in > https://github.com/apache/cassandra/blob/cassandra-4.0/NEWS.txt > > So I tried to add "allow_insecure_udfs: true" and > "allow_extra_insecure_udfs: true" in cassandra.yaml, but then Cassandra > failed to restart and I got that error in logs "Exception > (org.apache.cassandra.exceptions.ConfigurationException) encountered during > startup: Invalid yaml. Please remove properties [allow_insecure_udfs, > allow_extra_insecure_udfs] from your cassandra.yaml". > > Should I understand that we can activate that 2 extra confs only by > changing source code? That would be really disappointing :( And if no, then > how to activate all UDF possibilities from cassandra.yaml please? > > Thanks in advance, > > Sébastien. > > > Le mar. 5 avr. 2022 à 10:36, Benjamin Lerer <ble...@apache.org> a écrit : > >> Unfortunately, I do not have much time for doing some digging. Sorry for >> that :-( >> You should look at JavaBasedUDFunction and UDFExecutorServic. >> >> Le lun. 4 avr. 2022 à 17:25, Sébastien Rebecchi <srebec...@kameleoon.com> >> a écrit : >> >>> Hi! >>> Do you have any more ideas for me? >>> Cordially, >>> Sébastien. >>> >>> Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi < >>> srebec...@kameleoon.com> a écrit : >>> >>>> Unfortunately, it is not working even with >>>> "enable_user_defined_functions_threads: false" in cassandra.yaml :/ >>>> Is there any way to check the running configuration? >>>> >>>> Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <ble...@apache.org> a >>>> écrit : >>>> >>>>> I do not think that allowing to customize UDF classes whitelist has >>>>> been discussed before. Feel free to open a JIRA ticket :-) >>>>> I have some plans to revisit how we securise UDFs as the current >>>>> threading approach has some impact in terms of latency. That can be a good >>>>> opportunity to look into providing more flexibility. >>>>> >>>>> Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi < >>>>> srebec...@kameleoon.com> a écrit : >>>>> >>>>>> Thanks you very much! I will try that. >>>>>> As you know, would it be a long-terms solution? Or is there any plan >>>>>> to add the possibility to customize UDF classes whitelist? >>>>>> >>>>>> Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <ble...@apache.org> a >>>>>> écrit : >>>>>> >>>>>>> Is there a way to customize that default behaviour? >>>>>>> >>>>>>> >>>>>>> Looking at JavaBasedUDFunction quickly it seems that the >>>>>>> ClassLoader is only used when you use the UDFExecutorService to >>>>>>> execute your UDFs. You can try to disable it using >>>>>>> "enable_user_defined_functions_threads: false" and see if it works. >>>>>>> Now that also means that you have to ensure that only trusted >>>>>>> persons can create UDF or UDA as it removes all safety mechanisms. >>>>>>> >>>>>>> Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi < >>>>>>> srebec...@kameleoon.com> a écrit : >>>>>>> >>>>>>>> Hi Benjamin, >>>>>>>> >>>>>>>> Thanks for the answer. >>>>>>>> Is there a way to customize that default behaviour? If no, could >>>>>>>> you indicate where to find this class loader in the github of Cassandra >>>>>>>> please? >>>>>>>> >>>>>>>> Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <ble...@apache.org> a >>>>>>>> écrit : >>>>>>>> >>>>>>>>> Hi Sébastien, >>>>>>>>> >>>>>>>>> Cassandra uses a special classloader for UDFs that limit which >>>>>>>>> classes can be used. >>>>>>>>> You cannot rely on non-JDK classes for UDFs and some of the JDK >>>>>>>>> packages like the IO package for example cannot be used. >>>>>>>>> The goal is simply to ensure that UDFs cannot compromise the >>>>>>>>> server security. >>>>>>>>> >>>>>>>>> Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi < >>>>>>>>> srebec...@kameleoon.com> a écrit : >>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> I am trying to create a UDF based on custom methods. >>>>>>>>>> So I set enable_user_defined_functions to true and added a jar in >>>>>>>>>> "/usr/share/cassandra/lib/" folder on every node, restarted the >>>>>>>>>> nodes and I >>>>>>>>>> can see from the command line that the jar is indeed used (in the >>>>>>>>>> classpath >>>>>>>>>> with -cp). >>>>>>>>>> >>>>>>>>>> But when i create the UDF I got that error: >>>>>>>>>> >>>>>>>>>> CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL >>>>>>>>>> ON NULL INPUT RETURNS text LANGUAGE java AS 'return >>>>>>>>>> com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));'; >>>>>>>>>> InvalidRequest: Error from server: code=2200 [Invalid query] >>>>>>>>>> message="Java source compilation failed: >>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type >>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type >>>>>>>>>> >>>>>>>>>> Of course the class com.kameleoon.visit.Visit does exist in the >>>>>>>>>> jar and the jar has read rights to every user (chmod 444). So I can >>>>>>>>>> not >>>>>>>>>> find the reason. >>>>>>>>>> >>>>>>>>>> versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 | >>>>>>>>>> Native protocol v5] >>>>>>>>>> >>>>>>>>>> Any help would be appreciated! >>>>>>>>>> >>>>>>>>>> Thanks! >>>>>>>>>> >>>>>>>>>> Sébastien. >>>>>>>>>> >>>>>>>>>
