[ https://issues.apache.org/jira/browse/CASSANDRA-21227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
C. Scott Andreas updated CASSANDRA-21227:
-----------------------------------------
Resolution: Not A Bug
Status: Resolved (was: Triage Needed)
> Lack of heap quotas and compilation boundaries in Java UDFs leads to severe
> Daemon stability risks
> --------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-21227
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21227
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: Cyl
> Priority: Normal
>
> Hi team,
> While user_defined_functions_enabled is disabled by default for security
> reasons, enabling it introduces severe stability risks that are currently
> unguarded, even for authorized users with CREATE FUNCTION permissions:
> 1. Compilation Thread Pool Exhaustion: Synchronous compilation of large Java
> internal bodies via ECJ runs squarely on Dispatcher.requestExecutor.
> Submitting multiple complex UDF creations concurrently stalls the node's
> standard query capabilities (CPU exhaustion).
> 2. Heap Memory Exhaustion (OOM): While execution time is guarded (default
> 500ms), heap usage is not. A UDF that allocates massive arrays (e.g.,
> multi-gigabyte byte[]) can easily force the Cassandra JVM to OOM and crash
> the Daemon entirely in just a few seconds, long before the execution timeout
> is triggered.
> Suggestions for improvement:
> - Introduce a per-invocation UDF heap allocation tracker or quota.
> - Rate-limit CREATE FUNCTION validations and strictly offload compilation
> payloads away from the requestExecutor pool (so malicious multi-thousand line
> submissions won't lock user traffic).
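Added example, not part of the original message or of Cassandra's code: a small audit for the exposure the report describes, listing which roles can submit UDF bodies on a node where `user_defined_functions_enabled` is on. It assumes grants were exported from CQL `LIST ALL PERMISSIONS` as (role, resource, permission) tuples and that function scopes print as `<all functions>` or `<all functions in ks>`; the function names and all sample data are constructed for illustration.

```python
import re

# Setting named in the report, plus its pre-4.1 spelling.
UDF_KEYS = ("user_defined_functions_enabled", "enable_user_defined_functions")
# Function-scope resource strings as shown by LIST ALL PERMISSIONS (assumed format).
FUNC_SCOPE = re.compile(r"^<all functions( in (?P<ks>\w+))?>$")

# Constructed sample inputs, not taken from any real cluster.
SAMPLE_YAML = """\
# user_defined_functions_enabled: false   (commented-out default)
user_defined_functions_enabled: true
"""
SAMPLE_GRANTS = [
    ("app_rw", "<table shop.orders>", "SELECT"),
    ("analyst", "<all functions in shop>", "CREATE"),
    ("etl", "<all keyspaces>", "CREATE"),      # data resource, not a function scope
    ("dba", "<all functions>", "CREATE"),
    ("dba", "<all functions>", "EXECUTE"),
]

def udf_enabled(yaml_text):
    """Return True if a UDF switch is set to true in cassandra.yaml text."""
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()   # ignore comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in UDF_KEYS and value.lower() == "true":
            return True
    return False

def function_creators(grants):
    """Map role -> sorted keyspaces ('*' = all) where it holds CREATE on functions."""
    creators = {}
    for role, resource, permission in grants:
        m = FUNC_SCOPE.match(resource.strip())
        if m and permission.upper() == "CREATE":
            creators.setdefault(role, set()).add(m.group("ks") or "*")
    return {role: sorted(scopes) for role, scopes in creators.items()}

def audit(yaml_text, grants):
    """Roles able to create UDFs on this node; empty when UDFs are disabled."""
    return function_creators(grants) if udf_enabled(yaml_text) else {}

if __name__ == "__main__":
    for role, scopes in audit(SAMPLE_YAML, SAMPLE_GRANTS).items():
        print(f"{role}: CREATE on functions in {', '.join(scopes)}")
```

Superuser roles bypass permission checks and will not appear in a grant listing, so review them separately.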