You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cassandra.apache.org by Sébastien Rebecchi <sr...@kameleoon.com> on 2022/04/04 15:24:28 UTC
Re: UDF: adding custom jar to classpath
Hi!
Do you have any more ideas for me?
Cordially,
Sébastien.
Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi <sr...@kameleoon.com>
a écrit :
> Unfortunately, it is not working even with
> "enable_user_defined_functions_threads: false" in cassandra.yaml :/
> Is there any way to check the running configuration?
>
> Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <bl...@apache.org> a écrit :
>
>> I do not think that allowing to customize UDF classes whitelist has been
>> discussed before. Feel free to open a JIRA ticket :-)
>> I have some plans to revisit how we securise UDFs as the current
>> threading approach has some impact in terms of latency. That can be a good
>> opportunity to look into providing more flexibility.
>>
>> Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi <sr...@kameleoon.com>
>> a écrit :
>>
>>> Thanks you very much! I will try that.
>>> As you know, would it be a long-terms solution? Or is there any plan to
>>> add the possibility to customize UDF classes whitelist?
>>>
>>> Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <bl...@apache.org> a
>>> écrit :
>>>
>>>> Is there a way to customize that default behaviour?
>>>>
>>>>
>>>> Looking at JavaBasedUDFunction quickly it seems that the ClassLoader
>>>> is only used when you use the UDFExecutorService to execute your UDFs.
>>>> You can try to disable it using "enable_user_defined_functions_threads:
>>>> false" and see if it works.
>>>> Now that also means that you have to ensure that only trusted persons
>>>> can create UDF or UDA as it removes all safety mechanisms.
>>>>
>>>> Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi <
>>>> srebecchi@kameleoon.com> a écrit :
>>>>
>>>>> Hi Benjamin,
>>>>>
>>>>> Thanks for the answer.
>>>>> Is there a way to customize that default behaviour? If no, could you
>>>>> indicate where to find this class loader in the github of Cassandra please?
>>>>>
>>>>> Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <bl...@apache.org> a
>>>>> écrit :
>>>>>
>>>>>> Hi Sébastien,
>>>>>>
>>>>>> Cassandra uses a special classloader for UDFs that limit which
>>>>>> classes can be used.
>>>>>> You cannot rely on non-JDK classes for UDFs and some of the JDK
>>>>>> packages like the IO package for example cannot be used.
>>>>>> The goal is simply to ensure that UDFs cannot compromise the server
>>>>>> security.
>>>>>>
>>>>>> Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi <
>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am trying to create a UDF based on custom methods.
>>>>>>> So I set enable_user_defined_functions to true and added a jar in
>>>>>>> "/usr/share/cassandra/lib/" folder on every node, restarted the nodes and I
>>>>>>> can see from the command line that the jar is indeed used (in the classpath
>>>>>>> with -cp).
>>>>>>>
>>>>>>> But when i create the UDF I got that error:
>>>>>>>
>>>>>>> CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL ON
>>>>>>> NULL INPUT RETURNS text LANGUAGE java AS 'return
>>>>>>> com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';
>>>>>>> InvalidRequest: Error from server: code=2200 [Invalid query]
>>>>>>> message="Java source compilation failed:
>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>
>>>>>>> Of course the class com.kameleoon.visit.Visit does exist in the jar
>>>>>>> and the jar has read rights to every user (chmod 444). So I can not find
>>>>>>> the reason.
>>>>>>>
>>>>>>> versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 |
>>>>>>> Native protocol v5]
>>>>>>>
>>>>>>> Any help would be appreciated!
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Sébastien.
>>>>>>>
>>>>>>
Re: UDF: adding custom jar to classpath
Posted by Sébastien Rebecchi <sr...@kameleoon.com>.
Sorry, I found that allow_insecure_udfs and allow_extra_insecure_udfs have
been introduced in 4.0.2 but I run 4.0.1, so that explains the error.
So for 4.0.1 "enable_user_defined_functions_threads: false" should be
enough, no advance on that I still don't know why my UDF does not compile
then
Le mer. 6 avr. 2022 à 15:52, Sébastien Rebecchi <sr...@kameleoon.com> a
écrit :
> Hi Benjamin, Hi everybody,
>
> I found in the documentation that we should add "allow_insecure_udfs:
> true" and optionally "allow_extra_insecure_udfs: true" so that
> "enable_user_defined_functions_threads: false" is really taken into account
> (I understood like that). That would explain why my UDF still does not run
> even with "enable_user_defined_functions_threads: false". Found in
> https://github.com/apache/cassandra/blob/cassandra-4.0/NEWS.txt
>
> So I tried to add "allow_insecure_udfs: true" and
> "allow_extra_insecure_udfs: true" in cassandra.yaml, but then Cassandra
> failed to restart and I got that error in logs "Exception
> (org.apache.cassandra.exceptions.ConfigurationException) encountered during
> startup: Invalid yaml. Please remove properties [allow_insecure_udfs,
> allow_extra_insecure_udfs] from your cassandra.yaml".
>
> Should I understand that we can activate that 2 extra confs only by
> changing source code? That would be really disappointing :( And if no, then
> how to activate all UDF possibilities from cassandra.yaml please?
>
> Thanks in advance,
>
> Sébastien.
>
>
> Le mar. 5 avr. 2022 à 10:36, Benjamin Lerer <bl...@apache.org> a écrit :
>
>> Unfortunately, I do not have much time for doing some digging. Sorry for
>> that :-(
>> You should look at JavaBasedUDFunction and UDFExecutorServic.
>>
>> Le lun. 4 avr. 2022 à 17:25, Sébastien Rebecchi <sr...@kameleoon.com>
>> a écrit :
>>
>>> Hi!
>>> Do you have any more ideas for me?
>>> Cordially,
>>> Sébastien.
>>>
>>> Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi <
>>> srebecchi@kameleoon.com> a écrit :
>>>
>>>> Unfortunately, it is not working even with
>>>> "enable_user_defined_functions_threads: false" in cassandra.yaml :/
>>>> Is there any way to check the running configuration?
>>>>
>>>> Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <bl...@apache.org> a
>>>> écrit :
>>>>
>>>>> I do not think that allowing to customize UDF classes whitelist has
>>>>> been discussed before. Feel free to open a JIRA ticket :-)
>>>>> I have some plans to revisit how we securise UDFs as the current
>>>>> threading approach has some impact in terms of latency. That can be a good
>>>>> opportunity to look into providing more flexibility.
>>>>>
>>>>> Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi <
>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>
>>>>>> Thanks you very much! I will try that.
>>>>>> As you know, would it be a long-terms solution? Or is there any plan
>>>>>> to add the possibility to customize UDF classes whitelist?
>>>>>>
>>>>>> Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <bl...@apache.org> a
>>>>>> écrit :
>>>>>>
>>>>>>> Is there a way to customize that default behaviour?
>>>>>>>
>>>>>>>
>>>>>>> Looking at JavaBasedUDFunction quickly it seems that the
>>>>>>> ClassLoader is only used when you use the UDFExecutorService to
>>>>>>> execute your UDFs. You can try to disable it using
>>>>>>> "enable_user_defined_functions_threads: false" and see if it works.
>>>>>>> Now that also means that you have to ensure that only trusted
>>>>>>> persons can create UDF or UDA as it removes all safety mechanisms.
>>>>>>>
>>>>>>> Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi <
>>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>>
>>>>>>>> Hi Benjamin,
>>>>>>>>
>>>>>>>> Thanks for the answer.
>>>>>>>> Is there a way to customize that default behaviour? If no, could
>>>>>>>> you indicate where to find this class loader in the github of Cassandra
>>>>>>>> please?
>>>>>>>>
>>>>>>>> Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <bl...@apache.org> a
>>>>>>>> écrit :
>>>>>>>>
>>>>>>>>> Hi Sébastien,
>>>>>>>>>
>>>>>>>>> Cassandra uses a special classloader for UDFs that limit which
>>>>>>>>> classes can be used.
>>>>>>>>> You cannot rely on non-JDK classes for UDFs and some of the JDK
>>>>>>>>> packages like the IO package for example cannot be used.
>>>>>>>>> The goal is simply to ensure that UDFs cannot compromise the
>>>>>>>>> server security.
>>>>>>>>>
>>>>>>>>> Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi <
>>>>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I am trying to create a UDF based on custom methods.
>>>>>>>>>> So I set enable_user_defined_functions to true and added a jar in
>>>>>>>>>> "/usr/share/cassandra/lib/" folder on every node, restarted the nodes and I
>>>>>>>>>> can see from the command line that the jar is indeed used (in the classpath
>>>>>>>>>> with -cp).
>>>>>>>>>>
>>>>>>>>>> But when i create the UDF I got that error:
>>>>>>>>>>
>>>>>>>>>> CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL
>>>>>>>>>> ON NULL INPUT RETURNS text LANGUAGE java AS 'return
>>>>>>>>>> com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';
>>>>>>>>>> InvalidRequest: Error from server: code=2200 [Invalid query]
>>>>>>>>>> message="Java source compilation failed:
>>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>>>
>>>>>>>>>> Of course the class com.kameleoon.visit.Visit does exist in the
>>>>>>>>>> jar and the jar has read rights to every user (chmod 444). So I can not
>>>>>>>>>> find the reason.
>>>>>>>>>>
>>>>>>>>>> versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 |
>>>>>>>>>> Native protocol v5]
>>>>>>>>>>
>>>>>>>>>> Any help would be appreciated!
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>> Sébastien.
>>>>>>>>>>
>>>>>>>>>
Re: UDF: adding custom jar to classpath
Posted by Sébastien Rebecchi <sr...@kameleoon.com>.
OK, that seems clear now :)
I understood from our conversations
that "enable_user_defined_functions_threads: false" would disable the UDF'
specific class loader but it seems I understood wrongly, so the only way to
use custom packages in UDF is to modify source code.
Many thanks!
Le mer. 6 avr. 2022 à 16:35, benedict@apache.org <be...@apache.org> a
écrit :
> The property you are setting permits some kinds of privilege escalation,
> but by default classes outside of those pre-defined by the whitelist are
> not permitted. This is imposed here:
> https://github.com/apache/cassandra/blob/210793f943dc522161fd26b6192f38a5c83fa131/src/java/org/apache/cassandra/cql3/functions/UDFunction.java#L168
>
>
>
> You will need to modify the source code to e.g. add additional
> allowedPatterns, or perhaps to permit additional patterns to be configured
> at startup.
>
>
>
> *From: *Sébastien Rebecchi <sr...@kameleoon.com>
> *Date: *Wednesday, 6 April 2022 at 15:15
> *To: *dev@cassandra.apache.org <de...@cassandra.apache.org>,
> e.dimitrova@gmail.com <e....@gmail.com>
> *Cc: *blerer@apache.org <bl...@apache.org>
> *Subject: *Re: UDF: adding custom jar to classpath
>
> Hi Ekaterina,
>
>
>
> I use 4.0.1.
>
> But as I said I added a jar in classpath (/usr/share/cassandra/lib/ folder
> on every node) and I see that the jar is loaded in the classpath from the
> Cassandra command line. And I have "enable_user_defined_functions: true"
> and "enable_user_defined_functions_threads: false" in cassandra.yaml.
>
> So I don't see what is missing or not done properly.
>
>
>
> Best regards,
>
> Sébastien.
>
>
>
> Le mer. 6 avr. 2022 à 16:03, Ekaterina Dimitrova <e....@gmail.com>
> a écrit :
>
> Hi Sebastian,
>
> Do you use the latest 4.0.3 version? Those options were added in 4.0.2 I
> believe, so if you try them with an earlier version - below message is what
> you would get as they didn’t exist.
>
>
>
> Best regards,
>
> Ekaterina
>
>
>
> On Wed, 6 Apr 2022 at 9:53, Sébastien Rebecchi <sr...@kameleoon.com>
> wrote:
>
> Hi Benjamin, Hi everybody,
>
>
>
> I found in the documentation that we should add "allow_insecure_udfs:
> true" and optionally "allow_extra_insecure_udfs: true" so that
> "enable_user_defined_functions_threads: false" is really taken into account
> (I understood like that). That would explain why my UDF still does not run
> even with "enable_user_defined_functions_threads: false". Found in
> https://github.com/apache/cassandra/blob/cassandra-4.0/NEWS.txt
>
>
>
> So I tried to add "allow_insecure_udfs: true" and
> "allow_extra_insecure_udfs: true" in cassandra.yaml, but then Cassandra
> failed to restart and I got that error in logs "Exception
> (org.apache.cassandra.exceptions.ConfigurationException) encountered during
> startup: Invalid yaml. Please remove properties [allow_insecure_udfs,
> allow_extra_insecure_udfs] from your cassandra.yaml".
>
>
>
> Should I understand that we can activate that 2 extra confs only by
> changing source code? That would be really disappointing :( And if no, then
> how to activate all UDF possibilities from cassandra.yaml please?
>
>
>
> Thanks in advance,
>
>
>
> Sébastien.
>
>
>
>
>
> Le mar. 5 avr. 2022 à 10:36, Benjamin Lerer <bl...@apache.org> a écrit :
>
> Unfortunately, I do not have much time for doing some digging. Sorry for
> that :-(
>
> You should look at JavaBasedUDFunction and UDFExecutorServic.
>
>
>
> Le lun. 4 avr. 2022 à 17:25, Sébastien Rebecchi <sr...@kameleoon.com>
> a écrit :
>
> Hi!
>
> Do you have any more ideas for me?
>
> Cordially,
>
> Sébastien.
>
>
>
> Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi <sr...@kameleoon.com>
> a écrit :
>
> Unfortunately, it is not working even with
> "enable_user_defined_functions_threads: false" in cassandra.yaml :/
>
> Is there any way to check the running configuration?
>
>
>
> Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <bl...@apache.org> a écrit :
>
> I do not think that allowing to customize UDF classes whitelist has been
> discussed before. Feel free to open a JIRA ticket :-)
>
> I have some plans to revisit how we securise UDFs as the current threading
> approach has some impact in terms of latency. That can be a good
> opportunity to look into providing more flexibility.
>
>
>
> Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi <sr...@kameleoon.com>
> a écrit :
>
> Thanks you very much! I will try that.
>
> As you know, would it be a long-terms solution? Or is there any plan to
> add the possibility to customize UDF classes whitelist?
>
>
>
> Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <bl...@apache.org> a écrit :
>
> Is there a way to customize that default behaviour?
>
>
>
> Looking at JavaBasedUDFunction quickly it seems that the ClassLoader is
> only used when you use the UDFExecutorService to execute your UDFs. You can
> try to disable it using "enable_user_defined_functions_threads: false" and
> see if it works.
>
> Now that also means that you have to ensure that only trusted persons can
> create UDF or UDA as it removes all safety mechanisms.
>
>
>
> Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi <sr...@kameleoon.com>
> a écrit :
>
> Hi Benjamin,
>
>
>
> Thanks for the answer.
>
> Is there a way to customize that default behaviour? If no, could you
> indicate where to find this class loader in the github of Cassandra please?
>
>
>
> Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <bl...@apache.org> a écrit :
>
> Hi Sébastien,
>
>
>
> Cassandra uses a special classloader for UDFs that limit which classes can
> be used.
>
> You cannot rely on non-JDK classes for UDFs and some of the JDK packages
> like the IO package for example cannot be used.
>
> The goal is simply to ensure that UDFs cannot compromise the server
> security.
>
>
>
> Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi <sr...@kameleoon.com>
> a écrit :
>
> Hello,
>
> I am trying to create a UDF based on custom methods.
> So I set enable_user_defined_functions to true and added a jar in
> "/usr/share/cassandra/lib/" folder on every node, restarted the nodes and I
> can see from the command line that the jar is indeed used (in the classpath
> with -cp).
>
> But when i create the UDF I got that error:
>
> CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL ON NULL
> INPUT RETURNS text LANGUAGE java AS 'return
> com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';
> InvalidRequest: Error from server: code=2200 [Invalid query] message="Java
> source compilation failed:
> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>
> Of course the class com.kameleoon.visit.Visit does exist in the jar and
> the jar has read rights to every user (chmod 444). So I can not find the
> reason.
>
> versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 | Native
> protocol v5]
>
> Any help would be appreciated!
>
> Thanks!
>
> Sébastien.
>
>
Re: UDF: adding custom jar to classpath
Posted by "benedict@apache.org" <be...@apache.org>.
The property you are setting permits some kinds of privilege escalation, but by default classes outside of those pre-defined by the whitelist are not permitted. This is imposed here: https://github.com/apache/cassandra/blob/210793f943dc522161fd26b6192f38a5c83fa131/src/java/org/apache/cassandra/cql3/functions/UDFunction.java#L168
You will need to modify the source code to e.g. add additional allowedPatterns, or perhaps to permit additional patterns to be configured at startup.
From: Sébastien Rebecchi <sr...@kameleoon.com>
Date: Wednesday, 6 April 2022 at 15:15
To: dev@cassandra.apache.org <de...@cassandra.apache.org>, e.dimitrova@gmail.com <e....@gmail.com>
Cc: blerer@apache.org <bl...@apache.org>
Subject: Re: UDF: adding custom jar to classpath
Hi Ekaterina,
I use 4.0.1.
But as I said I added a jar in classpath (/usr/share/cassandra/lib/ folder on every node) and I see that the jar is loaded in the classpath from the Cassandra command line. And I have "enable_user_defined_functions: true" and "enable_user_defined_functions_threads: false" in cassandra.yaml.
So I don't see what is missing or not done properly.
Best regards,
Sébastien.
Le mer. 6 avr. 2022 à 16:03, Ekaterina Dimitrova <e....@gmail.com>> a écrit :
Hi Sebastian,
Do you use the latest 4.0.3 version? Those options were added in 4.0.2 I believe, so if you try them with an earlier version - below message is what you would get as they didn’t exist.
Best regards,
Ekaterina
On Wed, 6 Apr 2022 at 9:53, Sébastien Rebecchi <sr...@kameleoon.com>> wrote:
Hi Benjamin, Hi everybody,
I found in the documentation that we should add "allow_insecure_udfs: true" and optionally "allow_extra_insecure_udfs: true" so that "enable_user_defined_functions_threads: false" is really taken into account (I understood like that). That would explain why my UDF still does not run even with "enable_user_defined_functions_threads: false". Found in https://github.com/apache/cassandra/blob/cassandra-4.0/NEWS.txt
So I tried to add "allow_insecure_udfs: true" and "allow_extra_insecure_udfs: true" in cassandra.yaml, but then Cassandra failed to restart and I got that error in logs "Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered during startup: Invalid yaml. Please remove properties [allow_insecure_udfs, allow_extra_insecure_udfs] from your cassandra.yaml".
Should I understand that we can activate that 2 extra confs only by changing source code? That would be really disappointing :( And if no, then how to activate all UDF possibilities from cassandra.yaml please?
Thanks in advance,
Sébastien.
Le mar. 5 avr. 2022 à 10:36, Benjamin Lerer <bl...@apache.org>> a écrit :
Unfortunately, I do not have much time for doing some digging. Sorry for that :-(
You should look at JavaBasedUDFunction and UDFExecutorServic.
Le lun. 4 avr. 2022 à 17:25, Sébastien Rebecchi <sr...@kameleoon.com>> a écrit :
Hi!
Do you have any more ideas for me?
Cordially,
Sébastien.
Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi <sr...@kameleoon.com>> a écrit :
Unfortunately, it is not working even with "enable_user_defined_functions_threads: false" in cassandra.yaml :/
Is there any way to check the running configuration?
Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <bl...@apache.org>> a écrit :
I do not think that allowing to customize UDF classes whitelist has been discussed before. Feel free to open a JIRA ticket :-)
I have some plans to revisit how we securise UDFs as the current threading approach has some impact in terms of latency. That can be a good opportunity to look into providing more flexibility.
Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi <sr...@kameleoon.com>> a écrit :
Thanks you very much! I will try that.
As you know, would it be a long-terms solution? Or is there any plan to add the possibility to customize UDF classes whitelist?
Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <bl...@apache.org>> a écrit :
Is there a way to customize that default behaviour?
Looking at JavaBasedUDFunction quickly it seems that the ClassLoader is only used when you use the UDFExecutorService to execute your UDFs. You can try to disable it using "enable_user_defined_functions_threads: false" and see if it works.
Now that also means that you have to ensure that only trusted persons can create UDF or UDA as it removes all safety mechanisms.
Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi <sr...@kameleoon.com>> a écrit :
Hi Benjamin,
Thanks for the answer.
Is there a way to customize that default behaviour? If no, could you indicate where to find this class loader in the github of Cassandra please?
Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <bl...@apache.org>> a écrit :
Hi Sébastien,
Cassandra uses a special classloader for UDFs that limit which classes can be used.
You cannot rely on non-JDK classes for UDFs and some of the JDK packages like the IO package for example cannot be used.
The goal is simply to ensure that UDFs cannot compromise the server security.
Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi <sr...@kameleoon.com>> a écrit :
Hello,
I am trying to create a UDF based on custom methods.
So I set enable_user_defined_functions to true and added a jar in "/usr/share/cassandra/lib/" folder on every node, restarted the nodes and I can see from the command line that the jar is indeed used (in the classpath with -cp).
But when i create the UDF I got that error:
CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL ON NULL INPUT RETURNS text LANGUAGE java AS 'return com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';
InvalidRequest: Error from server: code=2200 [Invalid query] message="Java source compilation failed:
Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
Of course the class com.kameleoon.visit.Visit does exist in the jar and the jar has read rights to every user (chmod 444). So I can not find the reason.
versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 | Native protocol v5]
Any help would be appreciated!
Thanks!
Sébastien.
Re: UDF: adding custom jar to classpath
Posted by Sébastien Rebecchi <sr...@kameleoon.com>.
Hi Ekaterina,
I use 4.0.1.
But as I said I added a jar in classpath (/usr/share/cassandra/lib/ folder
on every node) and I see that the jar is loaded in the classpath from the
Cassandra command line. And I have "enable_user_defined_functions: true"
and "enable_user_defined_functions_threads: false" in cassandra.yaml.
So I don't see what is missing or not done properly.
Best regards,
Sébastien.
Le mer. 6 avr. 2022 à 16:03, Ekaterina Dimitrova <e....@gmail.com> a
écrit :
> Hi Sebastian,
> Do you use the latest 4.0.3 version? Those options were added in 4.0.2 I
> believe, so if you try them with an earlier version - below message is what
> you would get as they didn’t exist.
>
> Best regards,
> Ekaterina
>
> On Wed, 6 Apr 2022 at 9:53, Sébastien Rebecchi <sr...@kameleoon.com>
> wrote:
>
>> Hi Benjamin, Hi everybody,
>>
>> I found in the documentation that we should add "allow_insecure_udfs:
>> true" and optionally "allow_extra_insecure_udfs: true" so that
>> "enable_user_defined_functions_threads: false" is really taken into account
>> (I understood like that). That would explain why my UDF still does not run
>> even with "enable_user_defined_functions_threads: false". Found in
>> https://github.com/apache/cassandra/blob/cassandra-4.0/NEWS.txt
>>
>> So I tried to add "allow_insecure_udfs: true" and
>> "allow_extra_insecure_udfs: true" in cassandra.yaml, but then Cassandra
>> failed to restart and I got that error in logs "Exception
>> (org.apache.cassandra.exceptions.ConfigurationException) encountered during
>> startup: Invalid yaml. Please remove properties [allow_insecure_udfs,
>> allow_extra_insecure_udfs] from your cassandra.yaml".
>>
>> Should I understand that we can activate that 2 extra confs only by
>> changing source code? That would be really disappointing :( And if no, then
>> how to activate all UDF possibilities from cassandra.yaml please?
>>
>> Thanks in advance,
>>
>> Sébastien.
>>
>>
>> Le mar. 5 avr. 2022 à 10:36, Benjamin Lerer <bl...@apache.org> a écrit :
>>
>>> Unfortunately, I do not have much time for doing some digging. Sorry for
>>> that :-(
>>> You should look at JavaBasedUDFunction and UDFExecutorServic.
>>>
>>> Le lun. 4 avr. 2022 à 17:25, Sébastien Rebecchi <sr...@kameleoon.com>
>>> a écrit :
>>>
>>>> Hi!
>>>> Do you have any more ideas for me?
>>>> Cordially,
>>>> Sébastien.
>>>>
>>>> Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi <
>>>> srebecchi@kameleoon.com> a écrit :
>>>>
>>>>> Unfortunately, it is not working even with
>>>>> "enable_user_defined_functions_threads: false" in cassandra.yaml :/
>>>>> Is there any way to check the running configuration?
>>>>>
>>>>> Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <bl...@apache.org> a
>>>>> écrit :
>>>>>
>>>>>> I do not think that allowing to customize UDF classes whitelist has
>>>>>> been discussed before. Feel free to open a JIRA ticket :-)
>>>>>> I have some plans to revisit how we securise UDFs as the current
>>>>>> threading approach has some impact in terms of latency. That can be a good
>>>>>> opportunity to look into providing more flexibility.
>>>>>>
>>>>>> Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi <
>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>
>>>>>>> Thanks you very much! I will try that.
>>>>>>> As you know, would it be a long-terms solution? Or is there any plan
>>>>>>> to add the possibility to customize UDF classes whitelist?
>>>>>>>
>>>>>>> Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <bl...@apache.org> a
>>>>>>> écrit :
>>>>>>>
>>>>>>>> Is there a way to customize that default behaviour?
>>>>>>>>
>>>>>>>>
>>>>>>>> Looking at JavaBasedUDFunction quickly it seems that the
>>>>>>>> ClassLoader is only used when you use the UDFExecutorService to
>>>>>>>> execute your UDFs. You can try to disable it using
>>>>>>>> "enable_user_defined_functions_threads: false" and see if it works.
>>>>>>>> Now that also means that you have to ensure that only trusted
>>>>>>>> persons can create UDF or UDA as it removes all safety mechanisms.
>>>>>>>>
>>>>>>>>
>>>>>>>> Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi <
>>>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>>>
>>>>>>>>> Hi Benjamin,
>>>>>>>>>
>>>>>>>>> Thanks for the answer.
>>>>>>>>> Is there a way to customize that default behaviour? If no, could
>>>>>>>>> you indicate where to find this class loader in the github of Cassandra
>>>>>>>>> please?
>>>>>>>>>
>>>>>>>>> Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <bl...@apache.org>
>>>>>>>>> a écrit :
>>>>>>>>>
>>>>>>>>>> Hi Sébastien,
>>>>>>>>>>
>>>>>>>>>> Cassandra uses a special classloader for UDFs that limit which
>>>>>>>>>> classes can be used.
>>>>>>>>>> You cannot rely on non-JDK classes for UDFs and some of the JDK
>>>>>>>>>> packages like the IO package for example cannot be used.
>>>>>>>>>> The goal is simply to ensure that UDFs cannot compromise the
>>>>>>>>>> server security.
>>>>>>>>>>
>>>>>>>>>> Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi <
>>>>>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I am trying to create a UDF based on custom methods.
>>>>>>>>>>> So I set enable_user_defined_functions to true and added a jar
>>>>>>>>>>> in "/usr/share/cassandra/lib/" folder on every node, restarted the nodes
>>>>>>>>>>> and I can see from the command line that the jar is indeed used (in the
>>>>>>>>>>> classpath with -cp).
>>>>>>>>>>>
>>>>>>>>>>> But when i create the UDF I got that error:
>>>>>>>>>>>
>>>>>>>>>>> CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL
>>>>>>>>>>> ON NULL INPUT RETURNS text LANGUAGE java AS 'return
>>>>>>>>>>> com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';
>>>>>>>>>>> InvalidRequest: Error from server: code=2200 [Invalid query]
>>>>>>>>>>> message="Java source compilation failed:
>>>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>>>>
>>>>>>>>>>> Of course the class com.kameleoon.visit.Visit does exist in the
>>>>>>>>>>> jar and the jar has read rights to every user (chmod 444). So I can not
>>>>>>>>>>> find the reason.
>>>>>>>>>>>
>>>>>>>>>>> versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 |
>>>>>>>>>>> Native protocol v5]
>>>>>>>>>>>
>>>>>>>>>>> Any help would be appreciated!
>>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>>
>>>>>>>>>>> Sébastien.
>>>>>>>>>>>
>>>>>>>>>>
Re: UDF: adding custom jar to classpath
Posted by Ekaterina Dimitrova <e....@gmail.com>.
Hi Sebastian,
Do you use the latest 4.0.3 version? Those options were added in 4.0.2 I
believe, so if you try them with an earlier version - below message is what
you would get as they didn’t exist.
Best regards,
Ekaterina
On Wed, 6 Apr 2022 at 9:53, Sébastien Rebecchi <sr...@kameleoon.com>
wrote:
> Hi Benjamin, Hi everybody,
>
> I found in the documentation that we should add "allow_insecure_udfs:
> true" and optionally "allow_extra_insecure_udfs: true" so that
> "enable_user_defined_functions_threads: false" is really taken into account
> (I understood like that). That would explain why my UDF still does not run
> even with "enable_user_defined_functions_threads: false". Found in
> https://github.com/apache/cassandra/blob/cassandra-4.0/NEWS.txt
>
> So I tried to add "allow_insecure_udfs: true" and
> "allow_extra_insecure_udfs: true" in cassandra.yaml, but then Cassandra
> failed to restart and I got that error in logs "Exception
> (org.apache.cassandra.exceptions.ConfigurationException) encountered during
> startup: Invalid yaml. Please remove properties [allow_insecure_udfs,
> allow_extra_insecure_udfs] from your cassandra.yaml".
>
> Should I understand that we can activate that 2 extra confs only by
> changing source code? That would be really disappointing :( And if no, then
> how to activate all UDF possibilities from cassandra.yaml please?
>
> Thanks in advance,
>
> Sébastien.
>
>
> Le mar. 5 avr. 2022 à 10:36, Benjamin Lerer <bl...@apache.org> a écrit :
>
>> Unfortunately, I do not have much time for doing some digging. Sorry for
>> that :-(
>> You should look at JavaBasedUDFunction and UDFExecutorServic.
>>
>> Le lun. 4 avr. 2022 à 17:25, Sébastien Rebecchi <sr...@kameleoon.com>
>> a écrit :
>>
>>> Hi!
>>> Do you have any more ideas for me?
>>> Cordially,
>>> Sébastien.
>>>
>>> Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi <
>>> srebecchi@kameleoon.com> a écrit :
>>>
>>>> Unfortunately, it is not working even with
>>>> "enable_user_defined_functions_threads: false" in cassandra.yaml :/
>>>> Is there any way to check the running configuration?
>>>>
>>>> Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <bl...@apache.org> a
>>>> écrit :
>>>>
>>>>> I do not think that allowing to customize UDF classes whitelist has
>>>>> been discussed before. Feel free to open a JIRA ticket :-)
>>>>> I have some plans to revisit how we securise UDFs as the current
>>>>> threading approach has some impact in terms of latency. That can be a good
>>>>> opportunity to look into providing more flexibility.
>>>>>
>>>>> Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi <
>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>
>>>>>> Thanks you very much! I will try that.
>>>>>> As you know, would it be a long-terms solution? Or is there any plan
>>>>>> to add the possibility to customize UDF classes whitelist?
>>>>>>
>>>>>> Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <bl...@apache.org> a
>>>>>> écrit :
>>>>>>
>>>>>>> Is there a way to customize that default behaviour?
>>>>>>>
>>>>>>>
>>>>>>> Looking at JavaBasedUDFunction quickly it seems that the
>>>>>>> ClassLoader is only used when you use the UDFExecutorService to
>>>>>>> execute your UDFs. You can try to disable it using
>>>>>>> "enable_user_defined_functions_threads: false" and see if it works.
>>>>>>> Now that also means that you have to ensure that only trusted
>>>>>>> persons can create UDF or UDA as it removes all safety mechanisms.
>>>>>>>
>>>>>>> Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi <
>>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>>
>>>>>>>> Hi Benjamin,
>>>>>>>>
>>>>>>>> Thanks for the answer.
>>>>>>>> Is there a way to customize that default behaviour? If no, could
>>>>>>>> you indicate where to find this class loader in the github of Cassandra
>>>>>>>> please?
>>>>>>>>
>>>>>>>> Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <bl...@apache.org> a
>>>>>>>> écrit :
>>>>>>>>
>>>>>>>>> Hi Sébastien,
>>>>>>>>>
>>>>>>>>> Cassandra uses a special classloader for UDFs that limit which
>>>>>>>>> classes can be used.
>>>>>>>>> You cannot rely on non-JDK classes for UDFs and some of the JDK
>>>>>>>>> packages like the IO package for example cannot be used.
>>>>>>>>> The goal is simply to ensure that UDFs cannot compromise the
>>>>>>>>> server security.
>>>>>>>>>
>>>>>>>>> Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi <
>>>>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I am trying to create a UDF based on custom methods.
>>>>>>>>>> So I set enable_user_defined_functions to true and added a jar in
>>>>>>>>>> "/usr/share/cassandra/lib/" folder on every node, restarted the nodes and I
>>>>>>>>>> can see from the command line that the jar is indeed used (in the classpath
>>>>>>>>>> with -cp).
>>>>>>>>>>
>>>>>>>>>> But when i create the UDF I got that error:
>>>>>>>>>>
>>>>>>>>>> CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL
>>>>>>>>>> ON NULL INPUT RETURNS text LANGUAGE java AS 'return
>>>>>>>>>> com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';
>>>>>>>>>> InvalidRequest: Error from server: code=2200 [Invalid query]
>>>>>>>>>> message="Java source compilation failed:
>>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>>>
>>>>>>>>>> Of course the class com.kameleoon.visit.Visit does exist in the
>>>>>>>>>> jar and the jar has read rights to every user (chmod 444). So I can not
>>>>>>>>>> find the reason.
>>>>>>>>>>
>>>>>>>>>> versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 |
>>>>>>>>>> Native protocol v5]
>>>>>>>>>>
>>>>>>>>>> Any help would be appreciated!
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>> Sébastien.
>>>>>>>>>>
>>>>>>>>>
Re: UDF: adding custom jar to classpath
Posted by Sébastien Rebecchi <sr...@kameleoon.com>.
Hi Benjamin, Hi everybody,
I found in the documentation that we should add "allow_insecure_udfs: true"
and optionally "allow_extra_insecure_udfs: true" so that
"enable_user_defined_functions_threads: false" is really taken into account
(I understood like that). That would explain why my UDF still does not run
even with "enable_user_defined_functions_threads: false". Found in
https://github.com/apache/cassandra/blob/cassandra-4.0/NEWS.txt
So I tried to add "allow_insecure_udfs: true" and
"allow_extra_insecure_udfs: true" in cassandra.yaml, but then Cassandra
failed to restart and I got that error in logs "Exception
(org.apache.cassandra.exceptions.ConfigurationException) encountered during
startup: Invalid yaml. Please remove properties [allow_insecure_udfs,
allow_extra_insecure_udfs] from your cassandra.yaml".
Should I understand that we can activate that 2 extra confs only by
changing source code? That would be really disappointing :( And if no, then
how to activate all UDF possibilities from cassandra.yaml please?
Thanks in advance,
Sébastien.
Le mar. 5 avr. 2022 à 10:36, Benjamin Lerer <bl...@apache.org> a écrit :
> Unfortunately, I do not have much time for doing some digging. Sorry for
> that :-(
> You should look at JavaBasedUDFunction and UDFExecutorServic.
>
> Le lun. 4 avr. 2022 à 17:25, Sébastien Rebecchi <sr...@kameleoon.com>
> a écrit :
>
>> Hi!
>> Do you have any more ideas for me?
>> Cordially,
>> Sébastien.
>>
>> Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi <sr...@kameleoon.com>
>> a écrit :
>>
>>> Unfortunately, it is not working even with
>>> "enable_user_defined_functions_threads: false" in cassandra.yaml :/
>>> Is there any way to check the running configuration?
>>>
>>> Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <bl...@apache.org> a
>>> écrit :
>>>
>>>> I do not think that allowing to customize UDF classes whitelist has
>>>> been discussed before. Feel free to open a JIRA ticket :-)
>>>> I have some plans to revisit how we securise UDFs as the current
>>>> threading approach has some impact in terms of latency. That can be a good
>>>> opportunity to look into providing more flexibility.
>>>>
>>>> Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi <
>>>> srebecchi@kameleoon.com> a écrit :
>>>>
>>>>> Thanks you very much! I will try that.
>>>>> As you know, would it be a long-terms solution? Or is there any plan
>>>>> to add the possibility to customize UDF classes whitelist?
>>>>>
>>>>> Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <bl...@apache.org> a
>>>>> écrit :
>>>>>
>>>>>> Is there a way to customize that default behaviour?
>>>>>>
>>>>>>
>>>>>> Looking at JavaBasedUDFunction quickly it seems that the ClassLoader
>>>>>> is only used when you use the UDFExecutorService to execute your
>>>>>> UDFs. You can try to disable it using
>>>>>> "enable_user_defined_functions_threads: false" and see if it works.
>>>>>> Now that also means that you have to ensure that only trusted persons
>>>>>> can create UDF or UDA as it removes all safety mechanisms.
>>>>>>
>>>>>> Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi <
>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>
>>>>>>> Hi Benjamin,
>>>>>>>
>>>>>>> Thanks for the answer.
>>>>>>> Is there a way to customize that default behaviour? If no, could you
>>>>>>> indicate where to find this class loader in the github of Cassandra please?
>>>>>>>
>>>>>>> Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <bl...@apache.org> a
>>>>>>> écrit :
>>>>>>>
>>>>>>>> Hi Sébastien,
>>>>>>>>
>>>>>>>> Cassandra uses a special classloader for UDFs that limit which
>>>>>>>> classes can be used.
>>>>>>>> You cannot rely on non-JDK classes for UDFs and some of the JDK
>>>>>>>> packages like the IO package for example cannot be used.
>>>>>>>> The goal is simply to ensure that UDFs cannot compromise the server
>>>>>>>> security.
>>>>>>>>
>>>>>>>> Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi <
>>>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I am trying to create a UDF based on custom methods.
>>>>>>>>> So I set enable_user_defined_functions to true and added a jar in
>>>>>>>>> "/usr/share/cassandra/lib/" folder on every node, restarted the nodes and I
>>>>>>>>> can see from the command line that the jar is indeed used (in the classpath
>>>>>>>>> with -cp).
>>>>>>>>>
>>>>>>>>> But when i create the UDF I got that error:
>>>>>>>>>
>>>>>>>>> CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL ON
>>>>>>>>> NULL INPUT RETURNS text LANGUAGE java AS 'return
>>>>>>>>> com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';
>>>>>>>>> InvalidRequest: Error from server: code=2200 [Invalid query]
>>>>>>>>> message="Java source compilation failed:
>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>>
>>>>>>>>> Of course the class com.kameleoon.visit.Visit does exist in the
>>>>>>>>> jar and the jar has read rights to every user (chmod 444). So I can not
>>>>>>>>> find the reason.
>>>>>>>>>
>>>>>>>>> versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 |
>>>>>>>>> Native protocol v5]
>>>>>>>>>
>>>>>>>>> Any help would be appreciated!
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> Sébastien.
>>>>>>>>>
>>>>>>>>
Re: UDF: adding custom jar to classpath
Posted by Benjamin Lerer <bl...@apache.org>.
Unfortunately, I do not have much time for doing some digging. Sorry for
that :-(
You should look at JavaBasedUDFunction and UDFExecutorServic.
Le lun. 4 avr. 2022 à 17:25, Sébastien Rebecchi <sr...@kameleoon.com> a
écrit :
> Hi!
> Do you have any more ideas for me?
> Cordially,
> Sébastien.
>
> Le lun. 28 mars 2022 à 16:39, Sébastien Rebecchi <sr...@kameleoon.com>
> a écrit :
>
>> Unfortunately, it is not working even with
>> "enable_user_defined_functions_threads: false" in cassandra.yaml :/
>> Is there any way to check the running configuration?
>>
>> Le lun. 28 mars 2022 à 15:35, Benjamin Lerer <bl...@apache.org> a
>> écrit :
>>
>>> I do not think that allowing to customize UDF classes whitelist has been
>>> discussed before. Feel free to open a JIRA ticket :-)
>>> I have some plans to revisit how we securise UDFs as the current
>>> threading approach has some impact in terms of latency. That can be a good
>>> opportunity to look into providing more flexibility.
>>>
>>> Le lun. 28 mars 2022 à 15:00, Sébastien Rebecchi <
>>> srebecchi@kameleoon.com> a écrit :
>>>
>>>> Thanks you very much! I will try that.
>>>> As you know, would it be a long-terms solution? Or is there any plan to
>>>> add the possibility to customize UDF classes whitelist?
>>>>
>>>> Le lun. 28 mars 2022 à 14:31, Benjamin Lerer <bl...@apache.org> a
>>>> écrit :
>>>>
>>>>> Is there a way to customize that default behaviour?
>>>>>
>>>>>
>>>>> Looking at JavaBasedUDFunction quickly it seems that the ClassLoader
>>>>> is only used when you use the UDFExecutorService to execute your
>>>>> UDFs. You can try to disable it using
>>>>> "enable_user_defined_functions_threads: false" and see if it works.
>>>>> Now that also means that you have to ensure that only trusted persons
>>>>> can create UDF or UDA as it removes all safety mechanisms.
>>>>>
>>>>> Le lun. 28 mars 2022 à 13:23, Sébastien Rebecchi <
>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>
>>>>>> Hi Benjamin,
>>>>>>
>>>>>> Thanks for the answer.
>>>>>> Is there a way to customize that default behaviour? If no, could you
>>>>>> indicate where to find this class loader in the github of Cassandra please?
>>>>>>
>>>>>> Le lun. 28 mars 2022 à 12:40, Benjamin Lerer <bl...@apache.org> a
>>>>>> écrit :
>>>>>>
>>>>>>> Hi Sébastien,
>>>>>>>
>>>>>>> Cassandra uses a special classloader for UDFs that limit which
>>>>>>> classes can be used.
>>>>>>> You cannot rely on non-JDK classes for UDFs and some of the JDK
>>>>>>> packages like the IO package for example cannot be used.
>>>>>>> The goal is simply to ensure that UDFs cannot compromise the server
>>>>>>> security.
>>>>>>>
>>>>>>> Le lun. 28 mars 2022 à 11:31, Sébastien Rebecchi <
>>>>>>> srebecchi@kameleoon.com> a écrit :
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I am trying to create a UDF based on custom methods.
>>>>>>>> So I set enable_user_defined_functions to true and added a jar in
>>>>>>>> "/usr/share/cassandra/lib/" folder on every node, restarted the nodes and I
>>>>>>>> can see from the command line that the jar is indeed used (in the classpath
>>>>>>>> with -cp).
>>>>>>>>
>>>>>>>> But when i create the UDF I got that error:
>>>>>>>>
>>>>>>>> CREATE OR REPLACE FUNCTION blobToJson (input blob) RETURNS NULL ON
>>>>>>>> NULL INPUT RETURNS text LANGUAGE java AS 'return
>>>>>>>> com.kameleoon.visit.Visit.writeToJson(com.kameleoon.visit.Visit.readFromByteBuffer(input));';
>>>>>>>> InvalidRequest: Error from server: code=2200 [Invalid query]
>>>>>>>> message="Java source compilation failed:
>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>> Line 1: com.kameleoon.visit.Visit cannot be resolved to a type
>>>>>>>>
>>>>>>>> Of course the class com.kameleoon.visit.Visit does exist in the jar
>>>>>>>> and the jar has read rights to every user (chmod 444). So I can not find
>>>>>>>> the reason.
>>>>>>>>
>>>>>>>> versions are: [cqlsh 6.0.0 | Cassandra 4.0.1 | CQL spec 3.4.5 |
>>>>>>>> Native protocol v5]
>>>>>>>>
>>>>>>>> Any help would be appreciated!
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Sébastien.
>>>>>>>>
>>>>>>>