cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From " Brian Hess (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-9402) Implement proper sandboxing for UDFs
Date Tue, 26 May 2015 15:58:18 GMT


 Brian Hess commented on CASSANDRA-9402:

There is another alternative - FENCED UDFs.  DB2 and Netezza had these options.  Essentially,
the UDF will run in a separate process when it is registered as FENCED, and run in-process
when it is registered as UNFENCED.

This doesn't necessarily remove all the issues, but it does help mitigate them/some - especially
since it would (optionally) run as another user.

This could look like the following with Cassandra:
- FENCED is a GRANTable privilege
- In cassandra.yaml you can specify the user to use when launching the separate process (so
that it is *not* the same user that is running the database - or optionally is)
  - This is good so that the UDF can't stop the database, delete database files, etc.
- For FENCED UDFs, IPC would be used to transfer rows to the UDF and to return results.  We
could use CQL rows for the data.  This could be shared memory or sockets (Unux or  TPC - slight
preference for sockets for some follow-on ideas).
- Ideally, switching from FENCED to UNFENCED would be just a DDL change.  That is, the API
would work such that a simple "ALTER FUNCTION myFunction(DOUBLE, DOUBLE) UNFENCED" would change
- If you wanted, because this is a separate process you could use a separate class loader.

> Implement proper sandboxing for UDFs
> ------------------------------------
>                 Key: CASSANDRA-9402
>                 URL:
>             Project: Cassandra
>          Issue Type: Task
>            Reporter: T Jake Luciani
>            Assignee: Robert Stupp
>            Priority: Critical
>              Labels: doc-impacting, security
>             Fix For: 2.2.0 rc1
> We want to avoid a security exploit for our users.  We need to make sure we ship 2.2
UDFs with good defaults so someone exposing it to the internet accidentally doesn't open themselves
up to having arbitrary code run.

This message was sent by Atlassian JIRA

View raw message