Return-Path: <user-return-57422-archive-asf-public=cust-asf.ponee.io@cassandra.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id E5E6C200CCF
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Mon, 10 Jul 2017 01:59:05 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id E449C167C80; Sun,  9 Jul 2017 23:59:05 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 0D7B6167C7C
	for <archive-asf-public@cust-asf.ponee.io>; Mon, 10 Jul 2017 01:59:04 +0200 (CEST)
Received: (qmail 77885 invoked by uid 500); 9 Jul 2017 23:59:03 -0000
Mailing-List: contact user-help@cassandra.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@cassandra.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@cassandra.apache.org>
List-Post: <mailto:user@cassandra.apache.org>
List-Id: <user.cassandra.apache.org>
Reply-To: user@cassandra.apache.org
Delivered-To: mailing list user@cassandra.apache.org
Received: (qmail 77875 invoked by uid 99); 9 Jul 2017 23:59:03 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 09 Jul 2017 23:59:03 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id C946218580E
	for <user@cassandra.apache.org>; Sun,  9 Jul 2017 23:59:02 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 1.789
X-Spam-Level: *
X-Spam-Status: No, score=1.789 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=2,
	RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01,
	RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001,
	T_REMOTE_IMAGE=0.01] autolearn=disabled
Authentication-Results: spamd3-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key)
	header.d=instaclustr-com.20150623.gappssmtp.com
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
	with ESMTP id 2bfs2Y_7xGNW for <user@cassandra.apache.org>;
	Sun,  9 Jul 2017 23:58:56 +0000 (UTC)
Received: from mail-it0-f50.google.com (mail-it0-f50.google.com [209.85.214.50])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id D5E8A623E4
	for <user@cassandra.apache.org>; Sun,  9 Jul 2017 23:40:04 +0000 (UTC)
Received: by mail-it0-f50.google.com with SMTP id k192so22774774ith.1
        for <user@cassandra.apache.org>; Sun, 09 Jul 2017 16:40:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=instaclustr-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=qGprKK0p6+eiZLObGcM0dQITFFHMSTZsnNzIjwqCiwM=;
        b=fK4txXCGVJtssA5lxLkZouLdK3UmIWoEge9pv/fp5XUmbYKpGzgIw6bUqqvhYm87pc
         LND9yeeep+WwDzxrY5LBrForJXby34wYODyTcgky71dArx9Ks8vFv3jhXbbTb9JhsNM7
         /9jm8z7HLiSvOw7EH1QqUat04bSy5FX7XDyrR0VMgw/JEucGO6pJHHKe1zPRSNxuCwbI
         ZKxmHmQ77NxHMoB/bCnQqmKmLtmGJf5krm343qAHQQw61l+dPHGwaw0LC+J9pZIVjC9Q
         aw/2F91tNZydbwOtFVsNn1IKZHtI+BWbmH4n/TV5HB0HKB+kwt+4AxcIIlQqah7JdNWk
         /n5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=qGprKK0p6+eiZLObGcM0dQITFFHMSTZsnNzIjwqCiwM=;
        b=NUHvkyHMM3mcFZ8QcFv80PNfoEc2sNcALnZTDFO55etE709U0KPEfZQwkwaGp4gwmJ
         XlyVzXDqIdbiTX+eRul5X2LNrc6FgKyod3Pyh0YJxRsNp8Es1UCXijLaJTsp6wnE32D+
         l4OGaFsZm8CHJeTvhOMVcv52vBdE4fQ4JlixH3ZC6J7CXls5OMplRLrjT2zXdB6o4Yys
         f/I+xHM0emuqkGlG4PSrzZkcr1ujog1MIUupT18zrq/Rf1IlFfAU0W6RaHAYhxkasIgi
         FHQNMRBLAShq7Gr0B09t7y8+JOuaQPeYUGPpGNE+R+3Byr5EdA2Vgnmp7/baY3KJ+l1c
         Lj8w==
X-Gm-Message-State: AIVw112AiWnb2tGO93Amyp+jGMdDFEjPvH4r6ZLAPNjeoxNG0YfNA5cC
	uER46KglEB62Nk0l6q8QC375EUHz3QW8DuU=
X-Received: by 10.107.10.168 with SMTP id 40mr958157iok.210.1499643603222;
 Sun, 09 Jul 2017 16:40:03 -0700 (PDT)
MIME-Version: 1.0
References: <2017061415110873550525@zjqunshuo.com> <CACACo5QGEO=rQeTeVEQkhFOs2_7vaLLCB1+63C0V-yqyMPYyXQ@mail.gmail.com>
 <2017061416460359144628@zjqunshuo.com> <CACACo5RThNVhMjB0MwLi9qPvP=t4J1=Czqt2bm0e1__vmsNH-Q@mail.gmail.com>
 <2017061417162383413533@zjqunshuo.com> <FA98E342-954B-474C-BE0A-A1FF63F96DC9@cisco.com>
 <CACACo5T73O65=NEzL80h80xo+2L_PM+Mjckjw2t6y7vsth0+Eg@mail.gmail.com>
In-Reply-To: <CACACo5T73O65=NEzL80h80xo+2L_PM+Mjckjw2t6y7vsth0+Eg@mail.gmail.com>
From: Justin Cameron <justin@instaclustr.com>
Date: Sun, 09 Jul 2017 23:39:52 +0000
Message-ID: <CAJGFm2VTxo5003zGA36Phuivx0hxavBN3G-g9Bwu602Np6+9TA@mail.gmail.com>
Subject: Re: Cannot achieve consistency level LOCAL_ONE
To: user@cassandra.apache.org,
	"Charulata Sharma (charshar)" <charshar@cisco.com>
Cc: "wxn002@zjqunshuo.com" <wxn002@zjqunshuo.com>
Content-Type: multipart/alternative; boundary="001a113f96fe42bb120553eafcf1"
archived-at: Sun, 09 Jul 2017 23:59:06 -0000

--001a113f96fe42bb120553eafcf1
Content-Type: text/plain; charset="UTF-8"

It's best-practice to disable the default user ("cassandra" user) after
enabling password authentication on your cluster. The default user reads
with a CL.QUORUM when authenticating, while other users use CL.LOCAL_ONE.
This means it's more likely you could experience authentication issues,
even if you increase the replication factor of your system_auth keyspace.
See the docs for more info:
http://cassandra.apache.org/doc/latest/operating/security.html#enabling-password-authentication

Also, accessing Cassandra via a load-balancer is considered an
anti-pattern. The Cassandra drivers load-balance requests to the cluster
transparently, so the only thing you get by adding a load balancer to the
mix is potentially increased query latency.

Cheers,
Justin


On Fri, 7 Jul 2017 at 21:42 Oleksandr Shulgin <oleksandr.shulgin@zalando.de>
wrote:

> On Thu, Jul 6, 2017 at 6:58 PM, Charulata Sharma (charshar) <
> charshar@cisco.com> wrote:
>
>> Hi,
>>
>> I am facing similar issues with SYSTEM_AUTH keyspace and wanted to know
>> the implication of disabling the "*cassandra*" superuser.
>>
>
> Unless you have scheduled any tasks that require the user with that name
> to be there, there are no implications.  This user is not used by Cassandra
> tools or the server process internally, so nothing really depends on it.
>
> Of course, in order to drop a superuser account, you need to create
> another superuser, so in the end you still have superuser access to your
> cluster.
>
> Cheers,
> --
> Alex
>
> --


*Justin Cameron*Senior Software Engineer


<https://www.instaclustr.com/>


This email has been sent on behalf of Instaclustr Pty. Limited (Australia)
and Instaclustr Inc (USA).

This email and any attachments may contain confidential and legally
privileged information.  If you are not the intended recipient, do not copy
or disclose its content, but please reply to this email immediately and
highlight the error to the sender and then immediately delete the message.

--001a113f96fe42bb120553eafcf1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">It&#39;s best-practice to disable the default user (&quot;=
cassandra&quot; user) after enabling password authentication on your cluste=
r. The default user reads with a CL.QUORUM when authenticating, while other=
 users use CL.LOCAL_ONE. This means it&#39;s more likely you could experien=
ce authentication issues, even if you increase the replication factor of yo=
ur system_auth keyspace.<div>See the docs for more info:=C2=A0<a href=3D"ht=
tp://cassandra.apache.org/doc/latest/operating/security.html#enabling-passw=
ord-authentication">http://cassandra.apache.org/doc/latest/operating/securi=
ty.html#enabling-password-authentication</a><br></div><div><br></div><div>A=
lso, accessing Cassandra via a load-balancer is considered an anti-pattern.=
 The Cassandra drivers load-balance requests to the cluster transparently, =
so the only thing you get by adding a load balancer to the mix is potential=
ly increased query latency.</div><div><br></div><div>Cheers,</div><div>Just=
in</div><div><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr=
">On Fri, 7 Jul 2017 at 21:42 Oleksandr Shulgin &lt;<a href=3D"mailto:oleks=
andr.shulgin@zalando.de">oleksandr.shulgin@zalando.de</a>&gt; wrote:<br></d=
iv><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left=
:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_extr=
a"><div class=3D"gmail_quote">On Thu, Jul 6, 2017 at 6:58 PM, Charulata Sha=
rma (charshar) <span dir=3D"ltr">&lt;<a href=3D"mailto:charshar@cisco.com" =
target=3D"_blank">charshar@cisco.com</a>&gt;</span> wrote:<br><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;=
padding-left:1ex">



<div style=3D"word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-fam=
ily:Calibri,sans-serif">
<div>
<div>Hi,</div>
<div>=C2=A0 =C2=A0 =C2=A0</div>
<div>I am facing similar issues with SYSTEM_AUTH keyspace and wanted to kno=
w the implication of disabling the &quot;<b>cassandra</b>&quot; superuser.<=
/div></div></div></blockquote><div><br></div></div></div></div><div dir=3D"=
ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><div>Unless you =
have scheduled any tasks that require the user with that name to be there, =
there are no implications.=C2=A0 This user is not used by Cassandra tools o=
r the server process internally, so nothing really depends on it.</div><div=
><br></div><div>Of course, in order to drop a superuser account, you need t=
o create another superuser, so in the end you still have superuser access t=
o your cluster.</div><div><br></div><div>Cheers,</div><div>--</div><div>Ale=
x</div><div><br></div></div>
</div></div>
</blockquote></div><div dir=3D"ltr">-- <br></div><div data-smartmail=3D"gma=
il_signature"><div dir=3D"ltr"><div style=3D"color:rgb(34,34,34);font-famil=
y:arial,sans-serif;font-size:12.8px;line-height:normal"><div><div dir=3D"lt=
r" style=3D"margin-left:0pt"><p class=3D"MsoNormal gmail_msg" style=3D"colo=
r:rgb(33,33,33);font-family:sans-serif;font-size:13px"><strong class=3D"gma=
il_msg" style=3D"color:rgb(0,0,0);font-family:&quot;helvetica neue&quot;,he=
lvetica,arial,sans-serif"><span class=3D"gmail_msg" style=3D"font-size:9.5p=
t;font-family:tahoma;color:rgb(34,34,34);background-image:initial;backgroun=
d-position:initial;background-size:initial;background-repeat:initial;backgr=
ound-origin:initial;background-clip:initial"><span class=3D"inbox-inbox-inb=
ox-inbox-inbox-inbox-inbox-inbox-inbox-inbox-m_9077253482498772142gmail-il =
gmail_msg">Justin Cameron</span><br class=3D"gmail_msg"></span></strong><sp=
an class=3D"gmail_msg" style=3D"color:rgb(0,0,0);font-family:&quot;helvetic=
a neue&quot;,helvetica,arial,sans-serif"><span class=3D"gmail_msg" style=3D=
"font-size:9.5pt;font-family:tahoma;color:rgb(34,34,34);background-image:in=
itial;background-position:initial;background-size:initial;background-repeat=
:initial;background-origin:initial;background-clip:initial">Senior Software=
 Engineer</span></span></p><p class=3D"MsoNormal gmail_msg" style=3D"color:=
rgb(33,33,33);font-family:sans-serif;font-size:13px"><span class=3D"gmail_m=
sg" style=3D"color:rgb(0,0,0);font-family:&quot;helvetica neue&quot;,helvet=
ica,arial,sans-serif"><span class=3D"gmail_msg" style=3D"font-size:9.5pt;fo=
nt-family:tahoma;color:rgb(34,34,34);background-image:initial;background-po=
sition:initial;background-size:initial;background-repeat:initial;background=
-origin:initial;background-clip:initial"><br></span></span></p><p class=3D"=
MsoNormal gmail_msg" style=3D"color:rgb(33,33,33);font-family:sans-serif;fo=
nt-size:13px"><span class=3D"gmail_msg" style=3D"color:rgb(0,0,0);font-fami=
ly:&quot;helvetica neue&quot;,helvetica,arial,sans-serif"><span class=3D"gm=
ail_msg" style=3D"font-size:9.5pt;font-family:tahoma;color:rgb(34,34,34);ba=
ckground-image:initial;background-position:initial;background-size:initial;=
background-repeat:initial;background-origin:initial;background-clip:initial=
"><a href=3D"https://www.instaclustr.com/" class=3D"gmail_msg" target=3D"_b=
lank" style=3D"font-family:arial,sans-serif;font-size:14px"><img width=3D"2=
00" height=3D"31" class=3D"gmail_msg" src=3D"https://cdn2.hubspot.net/hubfs=
/2549680/Instaclustr-Navy-logo-new.png"></a></span></span></p><p class=3D"M=
soNormal gmail_msg" style=3D"color:rgb(33,33,33);font-family:sans-serif;fon=
t-size:13px"><br class=3D"gmail_msg" style=3D"color:rgb(0,0,0);font-family:=
tahoma,sans-serif;font-size:12.8px"><span class=3D"gmail_msg" style=3D"colo=
r:rgb(0,0,0);font-family:tahoma,sans-serif;font-size:12.8px">This email has=
 been sent on behalf of=C2=A0Instaclustr Pty. Limited (Australia) and=C2=A0=
Instaclustr Inc (USA).</span><br class=3D"gmail_msg" style=3D"color:rgb(0,0=
,0);font-family:tahoma,sans-serif;font-size:12.8px"><br class=3D"gmail_msg"=
 style=3D"color:rgb(0,0,0);font-family:tahoma,sans-serif;font-size:12.8px">=
<span class=3D"gmail_msg" style=3D"color:rgb(0,0,0);font-family:tahoma,sans=
-serif;font-size:12.8px">This email and any attachments may=C2=A0contain co=
nfidential and legally privileged=C2=A0information.=C2=A0 If you are not th=
e intended=C2=A0recipient, do not copy or disclose its=C2=A0content, but pl=
ease reply to this email=C2=A0immediately and highlight the error to the=C2=
=A0sender and then immediately delete the=C2=A0message.</span></p></div></d=
iv></div>
</div></div>

--001a113f96fe42bb120553eafcf1--