Managing credentials, role, and permissions cache settings
By default, DataStax Enterprise (DSE) caches user credentials, roles, and permissions.
Caching allows multiple connection requests to occur within the specified period without repeating the entire authentication process, and allows multiple requests to be issued without querying the system_auth table for every action.
Security-related cache settings
Adjust the following settings in the cassandra.yaml file:
- roles_validity_in_ms
  Default: 2000. Validity period for the roles cache; set to 0 to disable. Determines how long to cache the list of roles assigned to a user; users may have several roles, either through direct assignment or through inheritance (a role that has been granted to another role). Adjust this setting based on the complexity of your role hierarchy, your tolerance for delayed role changes, the number of nodes in your environment, and the activity level of the cluster.
  Fetching permissions can be an expensive operation, so this setting allows flexibility. Granted roles are cached for authenticated sessions in AuthenticatedUser. After the specified time elapses, role validity is rechecked. Disabled automatically when DseAuthenticator is used and internal authentication is not enabled.
- roles_update_interval_in_ms
  Default: 2000. Refresh interval for the roles cache. Defaults to the same value as roles_validity_in_ms. After this interval, cache entries become eligible for refresh. On next access, the database schedules an asynchronous reload and returns the old value until the reload completes. If roles_validity_in_ms is nonzero, this setting must also be nonzero.
- credentials_validity_in_ms
  Default: 2000. How many milliseconds credentials in the cache remain valid. This cache is tightly coupled to the provided PasswordAuthenticator implementation of IAuthenticator in cassandra.yaml. If another IAuthenticator implementation is configured, the database does not use this cache, and these settings have no effect. Credentials are cached in encrypted form, which may cause a performance penalty that offsets the reduction in latency gained by caching.
  Cached credentials and permissions are not automatically invalidated after issuing a REVOKE statement.
  This setting is disabled when set to 0.
- credentials_update_interval_in_ms
  Default: same value as credentials_validity_in_ms. After this interval, cache entries become eligible for refresh. The next time the cache is accessed, the system schedules an asynchronous reload of the cache. Until this reload is complete, the cache returns the old values.
  If credentials_validity_in_ms is nonzero, this property must also be nonzero.
- permissions_validity_in_ms
  Default: 2000. Fetching permissions can be resource intensive. Define how many milliseconds permissions in the cache remain valid to manage the performance impact of permissions queries. Set the cache validity period according to your security tolerances. The cache is used for both the standard authentication cache and the row-level access control (RLAC) cache. The cache is quite effective even at small durations.
  Cached credentials and permissions are not automatically invalidated after issuing a REVOKE statement.
  This setting is disabled when set to 0.
- permissions_update_interval_in_ms
  Default: same value as permissions_validity_in_ms in cassandra.yaml. Sets the refresh interval for the standard authentication cache and the row-level access control (RLAC) cache. After this interval, cache entries become eligible for refresh. On next access, the database schedules an asynchronous reload and returns the old value until the reload completes. If permissions_validity_in_ms is nonzero, roles_update_interval_in_ms must also be nonzero.
- permissions_cache_max_entries
  Default: 1000. The maximum number of entries held by the standard authentication cache and the row-level access control (RLAC) cache. With the default value of 1000, the RLAC permissions cache can hold up to 1000 entries, and the standard authentication cache can hold up to 1000 entries. This single option applies to both caches. To size the permissions cache for use with row-level permissions (see Setting row-level permissions), use this formula:
  numRlacUsers * numRlacTables + 100
  If this option is not present in cassandra.yaml, add it manually. See Enabling DSE Unified Authentication.
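As an added example (not from the DataStax documentation), the following Python checks a cassandra.yaml fragment against the rules above: an update interval that defaults to its cache's validity period, the nonzero constraint between validity and update interval, a missing permissions_cache_max_entries, and the RLAC sizing formula. The flat key/value parser, the sample fragment, and the application of the validity/update-interval rule to each of the three caches in the same way are assumptions of this example.

```python
# Added example: audit DSE auth-cache settings in a flat cassandra.yaml
# fragment and size permissions_cache_max_entries for RLAC. Not DSE code.
from typing import Dict, List

# Constructed cassandra.yaml fragment (not a real deployment). The commented
# key mirrors a file where permissions_cache_max_entries is absent.
SAMPLE_YAML = """\
roles_validity_in_ms: 2000
roles_update_interval_in_ms: 0
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
permissions_validity_in_ms: 0
permissions_update_interval_in_ms: 2000
# permissions_cache_max_entries: 1000
"""

CACHES = ("roles", "credentials", "permissions")
DEFAULT_VALIDITY_MS = 2000  # page default for every *_validity_in_ms


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse top-level 'key: value' lines; comments and blanks are skipped.
    Assumption: the fragment is flat, so no YAML library is needed."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective_update_interval(settings: Dict[str, str], cache: str) -> int:
    """An unset *_update_interval_in_ms defaults to that cache's validity."""
    validity = int(settings.get(f"{cache}_validity_in_ms", DEFAULT_VALIDITY_MS))
    raw = settings.get(f"{cache}_update_interval_in_ms")
    return validity if raw is None else int(raw)


def check_auth_caches(settings: Dict[str, str]) -> List[str]:
    """Return one finding per rule violation or noteworthy state."""
    findings: List[str] = []
    for cache in CACHES:
        validity = int(settings.get(f"{cache}_validity_in_ms", DEFAULT_VALIDITY_MS))
        update = effective_update_interval(settings, cache)
        if validity == 0:  # cache disabled: every request queries system_auth
            findings.append(f"{cache} cache disabled ({cache}_validity_in_ms=0)")
        elif update == 0:  # nonzero validity requires a nonzero refresh interval
            findings.append(f"{cache}_update_interval_in_ms must be nonzero")
    if "permissions_cache_max_entries" not in settings:
        findings.append("permissions_cache_max_entries missing: add it to cassandra.yaml")
    return findings


def rlac_cache_size(num_rlac_users: int, num_rlac_tables: int) -> int:
    """Sizing formula from the page: numRlacUsers * numRlacTables + 100."""
    return num_rlac_users * num_rlac_tables + 100
```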
Row-level permissions cache
Configure the RLAC cache to manage the performance impact of permissions queries when using row-level permissions. A properly configured RLAC cache can reduce the performance impact on a node to only a minor latency penalty, at the cost of higher CPU consumption.
Disabling Authentication and Authorization caching
To disable configuration of the authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options file:
-Dcassandra.disable_auth_caches_remote_configuration=true
After setting this option, cache options can be set only in the cassandra.yaml file. To make the new setting take effect, restart Cassandra.