cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-7715) Add a credentials cache to the PasswordAuthenticator
Date Wed, 10 Feb 2016 16:44:18 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-7715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141124#comment-15141124
] 

Sam Tunnicliffe commented on CASSANDRA-7715:
--------------------------------------------

bq. I'm not sure about being able to modify cache settings via JMX. This seems like an attack
vector to me. 
So as not to change existing behaviour, configuration via JMX is enabled by default but I've
added the option to disable it (for all auth caches) via the {{cassandra.disable_auth_caches_remote_configuration}}
system property.
bq. I think that the cache should be be cleared for a user if the authentication fails.
As this is more of a requirement for CASSANDRA-11022, I'd rather defer it until we come to
that. It won't really buy us much yet given we'll still be doing the BCrypt checking on every
attempt.
bq. Could we have a method to invalidate the cache for a specific user?
Done
bq. In cassandra.yaml the credentials_update_interval_in_ms value (although commented out)
ought to be the same value as credentials_validity_in_ms.
This is cosmetic, but I've changed it for consistency (also the equivalents for permissions
and roles caches). 
bq. It would be nice if MBEAN_NAME_BASE was (somehow) overridable by concrete implementations.

Done

I've also rebased and kicked off another CI run.


> Add a credentials cache to the PasswordAuthenticator
> ----------------------------------------------------
>
>                 Key: CASSANDRA-7715
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7715
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: CQL
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>            Priority: Minor
>             Fix For: 3.x
>
>
> If the PasswordAuthenticator cached credentials for a short time it would reduce the
overhead of user journeys when they need to do multiple authentications in quick succession.
> This cache should work in the same way as the cache in CassandraAuthorizer in that if
it's TTL is set to 0 the cache will be disabled.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message