CASSANDRA-21139 - Feature/guardrail for misprepare statements by omniCoder77 · Pull Request #4596 · apache/cassandra

omniCoder77 · 2026-01-30T20:57:12Z

Validation is posted on Jira Ticket

Feature suggestion:
Guardrail for miss-prepared statements

Description:

We have hundreds of application teams and several dozen of them miss-prepare statements by using literals instead of bind markers.

I.e.,

// wrong 
session.prepare("select * from users where ID = 996");
session.prepare("select * from users where ID = 997");
session.prepare("select * from users where ID = 998");
session.prepare("select * from users where ID = 999");

// correct
session.prepare("select * from users where ID = ?");

The problem causes the prepared statement cache to constantly overflow, and will print a prepared statements discarded WARN message in the Cassandra log. At present, we use a wack-a-mole approach to discuss the problem with each development team individually, and hope they fix it and train the entire team on how to prepare statements correctly.

Also, finding the root cause of the issue today requires having the knowledge and access to look at the system.prepared_statements table.

Guardrails would seem a good approach here, where the guard could WARN or REJECT when a statement was prepared using a WHERE clause and no bind markers.

Note, this should not prevent users from creating prepared statements without a WHERE clause or with one or more literal values so long as there was at least one bind marker. Thus, the following would remain valid:

session.prepare("select * from users");
session.prepare("select * from users where TYPE=5 and ID = ?");

Approach:
Introduced a boolean flag prepared_statements_require_parameters_enabled (which can be configured from cassandra.yaml) whose default value is false (backward compatibility) and added functions to StorageServiceMBean to enable dynamic runtime configuration.
Added test cases to validate changes in parseAndPrepare function.

smiklosovic

more comments

omniCoder77 · 2026-02-02T09:23:44Z

@smiklosovic
I have addressed above comments and

Added new test cases verifying warning behaviour (warn only when misprepared_statements_enabled is true) and to bypass misprepare guardrail for system keyspaces.

Centralized onMisprepare logic to Guardrails.java

Refined test case to extract repeating statements to a function, increase readability.

omniCoder77 · 2026-02-04T11:07:18Z

In my test cases I have tested

System keyspaces, internal calls and super users are exempted from this guardrail check
Confirmed literals in the SELECT clause are allowed as long as the WHERE clause is prepared.
Verified use is warned if and only if misprepared_statement_use is set to true and statement is misprepared
Verified no warning when guardrail is violated, instead GuardrailViolationException
Verified blocks for literals in WHERE clauses, IN clauses, LWT IF conditions, and JSON inserts.
Confirmed that blocked queries do not enter the statement cache
Exempts super user and internal call from this guardrail

…ardrail

smiklosovic · 2026-04-17T11:07:29Z

+# When true, warns on the usage of misprepared statements
+# When false, misprepared statements will result in an error
+prepared_statements_require_parameters_warn: true
+prepared_statements_require_parameters_fail: false


could you comment it all out? Just comment it out but keep true / false there. It is on defaults like that in Config.java, same in _latest.

You should also reflect these two guardrails in the above documentation. It is not aligned anymore too much.

smiklosovic · 2026-04-17T11:08:47Z

please revert this change, if nothing was changed, no reason to "pollute" the commit like this.

smiklosovic · 2026-04-17T11:11:42Z

        }
    }

+    @Override


remove, just for the sake of it. we would be doing this endlessly ...

smiklosovic · 2026-04-17T11:36:25Z

    public static final String MBEAN_NAME = "org.apache.cassandra.db:type=Guardrails";

    public static final GuardrailsConfigProvider CONFIG_PROVIDER = GuardrailsConfigProvider.instance;
+


no need to have new line here, revert

… logic and include table/keyspace metadata in warnings and errors.

smiklosovic · 2026-04-17T12:00:09Z

+                statement.validatePrepare(state);
+            }
+            // if one of the statement is misprepared and we must fail, stop the loop
+            catch (GuardrailViolatedException e)


this is not necessary, no? you want this method to throw GuardrailViolatedException. If validatePrepare throws, that break is not necessary. You escape for loop already and it is propagated up.

…emoving try ... catch block

…ore descriptive error and warning message when a query lacks bind markers.