You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Jeremiah Jordan (JIRA)" <ji...@apache.org> on 2016/12/09 18:22:58 UTC

[jira] [Comment Edited] (CASSANDRA-12883) Remove support for non-JavaScript UDFs

    [ https://issues.apache.org/jira/browse/CASSANDRA-12883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15735954#comment-15735954 ] 

Jeremiah Jordan edited comment on CASSANDRA-12883 at 12/9/16 6:22 PM:
----------------------------------------------------------------------

Also if these are actually broken in 3.0 right now, then should we make that explicit?
Where ever we remove these, we should add a startup warning to the previous release if we detect them being used and to NEWS.txt stating that non JavaScript UDF's are deprecated, along with the NEWS.txt in the release we patch this to saying they are not supported.


was (Author: jjordan):
Also if these are actually broken in 3.0 right now, then should we make that explicit?
Where ever we remove these, we should add a startup warning to the previous release and to NEWS.txt stating that non JavaScript UDF's are deprecated, along with the NEWS.txt in the release we patch this to saying they are not supported.

> Remove support for non-JavaScript UDFs
> --------------------------------------
>
>                 Key: CASSANDRA-12883
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12883
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: CQL
>            Reporter: Robert Stupp
>            Assignee: Robert Stupp
>            Priority: Minor
>             Fix For: 4.0
>
>
> As recently reported in the user mailing list, JSR-223 languages other than JavaScript no longer work since version 3.0.
> The reason is that the sandbox implemented in CASSANDRA-9402 restricts the use of "evil" packages, classes and functions. Unfortunately, even "non-evil" packages from JSR-223 providers are blocked.
> In order to get a JSR-223 provider working fine, we need to allow JSR-223 provider specific packages and also allow specific runtime permissions.
> The fact that "arbitrary" JSR-223 providers no longer work since 3.0 has just been reported recently, means that this functionality (i.e. non-JavaSCript JSR-223 UDFs) is obviously not used.
> Therefore I propose to remove support for UDFs that do not use Java or JavaScript in 4.0. This will also allow to specialize scripted UDFs on Nashorn and allow to use its security features, although these are limited, more extensively. (Clarification: this ticket is just about to remove that support)
> Also want to point out that we never "officially" supported UDFs that are not Java or JavaScript.
> Sample error message:
> {code}
> Traceback (most recent call last):
>   File "/usr/bin/cqlsh.py", line 1264, in perform_simple_statement
>     result = future.result()
>   File "/usr/share/cassandra/lib/cassandra-driver-internal-only-3.5.0.post0-d8d0456.zip/cassandra-driver-3.5.0.post0-d8d0456/cassandra/cluster.py", line 3650, in result
>     raise self._final_exception
> FunctionFailure: Error from server: code=1400 [User Defined Function failure] message="execution of 'e.test123[bigint]' failed: java.security.AccessControlException: access denied: ("java.lang.RuntimePermission" "accessClassInPackage.org.python.jline.console")
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)