Tuning encrypted Search indexes
Steps to tune DSE Search index encryption.
dse.yaml
The location of the dse.yaml file depends on the type of installation:Package installations | /etc/dse/dse.yaml |
Tarball installations | installation_location/resources/dse/conf/dse.yaml |
Procedure
-
In the dse.yaml file on each node, adjust the index
encryption options:
# solr_encryption_options: # decryption_cache_offheap_allocation: true # decryption_cache_size_in_mb: 256
-
decryption_cache_offheap_allocation
- Specify whether to allocate search decryption cache off JVM heap. -
decryption_cache_size_in_mb
- Sets the maximum size of shared search decryption cache, in megabytes (MB).
-
-
Additional properties in the are available
to tune encryption, although DataStax recommends using the default
settings:
<directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"> <bool name="solr.crypto.cache.enabled">true</bool> <int name="solr.crypto.encryption.workers">2</int> <int name="solr.crypto.encryption.bufferpool.sizeinbytes">10240</int> </directoryFactory>
-
To monitor the decryption cache, use JMX and the Solr Admin UI to view the
Apache Solr metrics that are provided for Block Cache.
For tuning purposes, review the hitratio metric. If hitratio is below 1.00, the cache is too small to fit entire decrypted index into memory.
-
To verify which files are encrypted, use this command to
list all DSE Search index files for the specified search core on the local
node:
dsetool list_index_files keyspace_name.table_name [--index directory]
where--index directory
specifies the data directory that contains the search index files. When not specified, the default directory is inferred from the search core name.