Configuring cache settings
Change the amount of time and refresh rate for the role and permissions cache.
system_auth tables) for every action.
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:
Package installations | /etc/dse/cassandra/cassandra.yaml |
Tarball installations | installation_location/resources/cassandra/conf/cassandra.yaml |
Security-related cache settings
Adjust settings in the cassandra.yaml file:
- roles_validity_in_ms
- Validity period for roles cache in milliseconds. Determines how long to cache the list of roles assigned to the user; users may have several roles, either through direct assignment or inheritance (a role that has been granted to another role). Adjust this setting based on the complexity of your role hierarchy, tolerance for role changes, the number of nodes in your environment, and activity level of the cluster. Fetching permissions can be an expensive operation, so this setting allows flexibility. Granted roles are cached for authenticated sessions in AuthenticatedUser. After the specified time elapses, role validity is rechecked. Disabled automatically when internal authentication is not enabled when using DseAuthenticator.
  - 0 - disable role caching
  - milliseconds - how long to cache the list of roles assigned to the user
  Default: 120000 (2 minutes)
- roles_update_interval_in_ms
- Refresh interval for roles cache. After this interval, cache entries become eligible for refresh. On next access, the database schedules an async reload, and returns the old value until the reload completes. If roles_validity_in_ms is non-zero, then this value must also be non-zero. When not set, the default is the same value as roles_validity_in_ms.
  Default: commented out (120000)
- permissions_validity_in_ms
- How long permissions in cache remain valid to manage performance impact of permissions queries. Fetching permissions can be resource intensive. Set the cache validity period to your security tolerances. The cache is used for the standard authentication and the row-level access control (RLAC) cache. The cache is quite effective at small durations.
  - 0 - disable permissions cache
  - milliseconds - time, in milliseconds
  CAUTION: does not automatically invalidate cached permissions. Permissions are invalidated the next time they are refreshed.
  Default: 120000 (2 minutes)
- permissions_update_interval_in_ms
- Sets refresh interval for the standard authentication cache and the row-level access control (RLAC) cache. After this interval, cache entries become eligible for refresh. On next access, the database schedules an async reload and returns the old value until the reload completes. If permissions_validity_in_ms is non-zero, the value for roles_update_interval_in_ms must also be non-zero. When not set, the default is the same value as permissions_validity_in_ms.
  Default: commented out (2000)
- permissions_cache_max_entries
- The maximum number of entries that are held by the standard authentication cache and row-level access control (RLAC) cache. With the default value of 1000, the RLAC permissions cache can have up to 1000 entries in it, and the standard authentication cache can have up to 1000 entries. This single option applies to both caches. To size the permissions cache for use with Setting up Row Level Access Control (RLAC), use this formula:
  numRlacUsers * numRlacTables + 100
  If this option is not present in cassandra.yaml, manually enter it to use a value other than 1000. See Enabling DSE Unified Authentication.
  Default: not set (1000)
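The following added example (not DataStax code) audits the cache settings above: it applies the stated defaults, checks the roles refresh-interval rule, flags validity periods longer than a chosen tolerance for stale grants, and applies the RLAC sizing formula. The function names, the `max_stale_ms` tolerance, the line-based reader used in place of a YAML parser, and the sample file are assumptions made for illustration.

```python
import re

# Defaults as stated on this page; an unset update interval falls back to the
# validity value of the same cache.
DEFAULTS = {"roles_validity_in_ms": 120000, "permissions_validity_in_ms": 120000,
            "permissions_cache_max_entries": 1000}
KEY_RE = re.compile(r"^((?:roles|permissions)_\w+):\s*(\d+)")

def load_cache_settings(yaml_text):
    """Read the flat top-level cache keys; commented-out lines count as unset."""
    cfg = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cfg[m.group(1)] = int(m.group(2))
    for kind in ("roles", "permissions"):
        cfg.setdefault(f"{kind}_update_interval_in_ms", cfg[f"{kind}_validity_in_ms"])
    return cfg

def audit(yaml_text, max_stale_ms, num_rlac_users, num_rlac_tables):
    """Return a list of findings; max_stale_ms is the operator's own tolerance."""
    cfg, findings = load_cache_settings(yaml_text), []
    if cfg["roles_validity_in_ms"] and not cfg["roles_update_interval_in_ms"]:
        findings.append("roles_update_interval_in_ms must be non-zero")
    for kind in ("roles", "permissions"):
        validity = cfg[f"{kind}_validity_in_ms"]
        if validity > max_stale_ms:
            findings.append(f"cached {kind} may be served for up to {validity} ms")
    needed = num_rlac_users * num_rlac_tables + 100  # sizing formula from this page
    if cfg["permissions_cache_max_entries"] < needed:
        findings.append(f"permissions_cache_max_entries should be at least {needed}")
    return findings

# Constructed sample, not taken from a real cluster.
SAMPLE = """\
roles_validity_in_ms: 120000
roles_update_interval_in_ms: 0
permissions_validity_in_ms: 30000
# permissions_update_interval_in_ms: 2000
# permissions_cache_max_entries: 1000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, max_stale_ms=60000, num_rlac_users=50, num_rlac_tables=20):
        print(finding)
```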
Disabling Authentication and Authorization caching
To disable configuration of authorization caches (for roles and permissions), uncomment the following line in the jvm.options file:
-Dcassandra.disable_auth_caches_remote_configuration=true
After setting this option, cache options can be set only in the cassandra.yaml file. To make the new setting take effect, restart Cassandra.