Configure cache settings

By default, Hyper-Converged Database (HCD) caches the login user’s roles and corresponding permissions. Caching allows multiple connection requests to occur within the specified period without repeating the entire authorization process (querying the system_auth tables) for every action.

Security-related cache settings

  1. Locate the cassandra.yaml file. The location of this file depends on your installation type.

    • Package installations

    • Tarball installations

    /etc/hcd/cassandra/cassandra.yaml
    INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml

  2. Adjust settings in the cassandra.yaml file:

    roles_update_interval_in_ms

    Refresh interval for roles cache. After this interval, cache entries become eligible for refresh. On next access, the database schedules an async reload, and returns the old value until the reload completes. If roles_validity_in_ms is non-zero, then this value must also be non-zero. When not set, the default is the same value as roles_validity_in_ms or 120000 (2 minutes).

    roles_validity_in_ms

    Validity period for roles cache in milliseconds. Determines how long to cache the list of roles assigned to the user; users may have several roles, either through direct assignment or inheritance (a role that has been granted to another role). Adjust this setting based on the complexity of your role hierarchy, tolerance for role changes, the number of nodes in your environment, and activity level of the cluster.

    Fetching permissions can be an expensive operation, so this setting allows flexibility. Granted roles are cached for authenticated sessions in AuthenticatedUser. After the specified time elapses, role validity is rechecked. Disabled automatically when internal authentication is not enabled when using HcdAuthenticator.

    • 0: Disable role caching

    • Number greater than 0: A number of milliseconds representing the duration to cache the list of roles assigned to the user

    • Default: 120000 (2 minutes)

    permissions_validity_in_ms

    How long permissions in cache remain valid to manage performance impact of permissions queries.

    Fetching permissions can be resource intensive. Set the cache validity period to your security tolerances. The cache is used for the standard authentication. The cache is quite effective at small durations.

    • 0: Disable permissions cache.

    • Number greater than 0: A number of milliseconds representing the time that permissions in cache remain valid.

    • Default: 120000 (2 minutes)

      REVOKE does not automatically invalidate cached permissions. Permissions are invalidated the next time they are refreshed.
    permissions_update_interval_in_ms*

    Refresh interval for the standard authentication cache. After this interval, cache entries become eligible for refresh. On next access, the database schedules an async reload and returns the old value until the reload completes. If permissions_validity_in_ms is non-zero, the value for roles_update_interval_in_ms must also be non-zero. When not set, the default is the same value as permissions_validity_in_ms.

    Default: 2000

    permissions_cache_max_entries

    The maximum number of entries that are held by the standard authentication cache.

    Default: 1000 (The standard authentication cache can have up to 1000 entries)

    If this option is not present in cassandra.yaml, manually enter it to use a value other than 1000.

    See Enable HCD Unified Authentication.

Disable authentication and authorization caching

To disable configuration of authorization caches (for roles and permissions), uncomment the following line in the jvm-server.options file:

-Dcassandra.disable_auth_caches_remote_configuration=true

After setting this option, cache options can be set only in the cassandra.yaml file. To make the new setting take effect, restart HCD.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com