Return-Path: X-Original-To: apmail-cassandra-user-archive@www.apache.org Delivered-To: apmail-cassandra-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F304B91E5 for ; Mon, 4 Mar 2013 18:35:05 +0000 (UTC) Received: (qmail 19676 invoked by uid 500); 4 Mar 2013 18:35:03 -0000 Delivered-To: apmail-cassandra-user-archive@cassandra.apache.org Received: (qmail 19640 invoked by uid 500); 4 Mar 2013 18:35:03 -0000 Mailing-List: contact user-help@cassandra.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@cassandra.apache.org Delivered-To: mailing list user@cassandra.apache.org Received: (qmail 19632 invoked by uid 99); 4 Mar 2013 18:35:03 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Mar 2013 18:35:03 +0000 X-ASF-Spam-Status: No, hits=1.7 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of jaluce06@gmail.com designates 209.85.128.170 as permitted sender) Received: from [209.85.128.170] (HELO mail-ve0-f170.google.com) (209.85.128.170) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Mar 2013 18:34:58 +0000 Received: by mail-ve0-f170.google.com with SMTP id 14so5019343vea.1 for ; Mon, 04 Mar 2013 10:34:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type; bh=01NJrZNlbikHde/nVxgVMb0lu2SIPGZzvS/eTZySEfU=; b=mVVEqX9xyalz4RFW8ywR8LXb5cmz6Ez7Nro7Ip+GSnVNXCNAJ/E+/vgA3N3m0wkwEh OWZT59VRhYLx0s+LqVArImZgKt3w2W2jf7PBvIZkJU5t5FAzGbkGOzQzd5i1Zx9wPXJh OID71j0wjMa925SRpOZSAtcUAQdPyrIoE+/PwuTnz9DBEGlCst615woqHQFw+R6QlDcq /NNZwjl31iytwwKsye+RbLXy++a86NU8QCnvS3xh6Xhj0f4phU4vOFWb4UXqVlAuBqAX 6hJ/xssf/i25nF8M3O+/tiEgAykpsivOVFi+hcEoMWIrsrSlac67yT5IN7bBee8K+uUj Thpg== MIME-Version: 1.0 X-Received: by 10.58.188.48 with SMTP id fx16mr8438216vec.22.1362422077728; Mon, 04 Mar 2013 10:34:37 -0800 (PST) Received: by 10.58.69.2 with HTTP; Mon, 4 Mar 2013 10:34:37 -0800 (PST) In-Reply-To: References: Date: Mon, 4 Mar 2013 19:34:37 +0100 Message-ID: Subject: Re: Consistency level for system_auth keyspace From: Jean-Armel Luce To: user@cassandra.apache.org Content-Type: multipart/alternative; boundary=089e01229cb6fa653004d71d9bb5 X-Virus-Checked: Checked by ClamAV on apache.org --089e01229cb6fa653004d71d9bb5 Content-Type: text/plain; charset=ISO-8859-1 Hi Dean, The new authentication modules currently uses a QUORUM consistency level when checking the user. That is the reason why it doesn't work in version 1.2.2. I thing that using LOCAL_QUORUM or ONE CL instead of QUORUM should solve this problem. But I didn't see any option in 1.2.2. Regards. Jean Armel 2013/3/4 Hiller, Dean > I thought there was already a LOCAL_QUOROM option so things continue to > work when you get data center split. > > There was also TWO I think as well which allowed 4 nodes(2 in each data > center) so you can continue to write when data center splits. > > Dean > > From: Jean-Armel Luce > > Reply-To: "user@cassandra.apache.org" < > user@cassandra.apache.org> > Date: Monday, March 4, 2013 9:12 AM > To: "user@cassandra.apache.org" < > user@cassandra.apache.org> > Subject: Re: Consistency level for system_auth keyspace > > Hi Aaron, > > I have open a ticket in Jira : > https://issues.apache.org/jira/browse/CASSANDRA-5310 > Reading the user using the QUORUM consistency level means that in case of > network outage, you are unable to open a connection, and all your data > become unavailable. > > Regards. > > Jean Armel > > 2013/3/4 aaron morton aaron@thelastpickle.com>> > In this case, it means that if there is a network split between the 2 > datacenters, it is impossible to get the quorum, and all connections will > be rejected. > Yes. > > Is there a reason why Cassandra uses the Quorum consistency level ? > I would guess to ensure there is a single, cluster wide, set of > permissions. > > Using LOCAL or one could result in some requests that are rejected being > allowed on other nodes. > > Cheers > > > ----------------- > Aaron Morton > Freelance Cassandra Developer > New Zealand > > @aaronmorton > http://www.thelastpickle.com > > On 1/03/2013, at 6:40 AM, Jean-Armel Luce jaluce06@gmail.com>> wrote: > > Hi, > > > I am using Cassandra 1.2.2. > There are 16 nodes in my cluster in 2 datacenters (8 nodes in each > datacenter). > I am using NetworkTopologyStrategy. > > For information, I set a RF = 6 (3 replicas in each datacenter) > > With 1.2.2, I am using the new authentication backend > PasswordAuthenticator with the authorizer CassandraAuthorizer. > > In the documentation ( > http://www.datastax.com/docs/1.2/security/security_keyspace_replication#security-keyspace-replication), > it is written that for all system_auth-related queries, Cassandra uses the > QUORUM consistency level. > > In this case, it means that if there is a network split between the 2 > datacenters, it is impossible to get the quorum, and all connections will > be rejected. > > Is there a reason why Cassandra uses the Quorum consistency level ? > Maybe a local_quorum conssitency level (or a one consistency level) could > do the job ? > > Regards > Jean Armel > > > --089e01229cb6fa653004d71d9bb5 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Dean,

The new authentication modules currently uses a QUORUM cons= istency level when checking the user.
That is the reason why it doesn= 9;t work in version 1.2.2.

I thing that using LOCAL_QUORUM or ONE CL= instead of QUORUM should solve this problem. But I didn't see any opti= on in 1.2.2.

Regards.

Jean Armel

2013/3/4 H= iller, Dean <Dean.Hiller@nrel.gov>
I thought there was already a LOCAL_QUOROM option so things continue to wor= k when you get =A0data center split.

There was also TWO I think as well which allowed 4 nodes(2 in each data cen= ter) so you can continue to write when data center splits.

Dean

From: Jean-Armel Luce <jaluce06@gm= ail.com<mailto:jaluce06@gmail.= com>>
Reply-To: "user@cassandra= .apache.org<mailto:user= @cassandra.apache.org>" <user@cassandra.apache.org<mailto:user@cassandra.apache.org>>
Date: Monday, March 4, 2013 9:12 AM
To: "user@cassandra.apach= e.org<mailto:user@cassa= ndra.apache.org>" <user@cassandra.apache.org<mailto:user@cassandra.apache.org>>
Subject: Re: Consistency level for system_auth keyspace

Hi Aaron,

I have open a ticket in Jira : https://issues.apache.org/jira/brows= e/CASSANDRA-5310
Reading the user using the QUORUM consistency level means that in case of n= etwork outage, you are unable to open a connection, and all your data becom= e unavailable.

Regards.

Jean Armel

2013/3/4 aaron morton <= aaron@thelastpickle.com<mailto:aaron@thelastpickle.com>>
In this case, it means that if there is a network = split between the 2 datacenters, it is impossible to get the quorum, and al= l connections will be rejected.
Yes.

Is there a reason why Cassandra uses the Quorum consistency level ?
I would guess to ensure there is a single, cluster wide, set of permissions= .

Using LOCAL or one could result in some requests that are rejected being al= lowed on other nodes.

Cheers


-----------------
Aaron Morton
Freelance Cassandra Developer
New Zealand

@aaronmorton
http://www.thela= stpickle.com

On 1/03/2013, at 6:40 AM, Jea= n-Armel Luce <jaluce06@gmail.com<mailto:jaluce06@gmail.com&g= t;> wrote:

Hi,


I am using Cassandra 1.2.2.
There are 16 nodes in my cluster in 2 datacenters (8 nodes in each datacent= er).
I am using NetworkTopologyStrategy.

For information, I set a RF =3D 6 (3 replicas in each datacenter)

With 1.2.2, I am using the new authentication backend PasswordAuthenticator= with the authorizer CassandraAuthorizer.

In the documentation (http://www.datastax.com/docs/1.2/security/security_keyspace_replication= #security-keyspace-replication), it is written that for all system_auth= -related queries, Cassandra uses the QUORUM consistency level.

In this case, it means that if there is a network split between the 2 datac= enters, it is impossible to get the quorum, and all connections will be rej= ected.

Is there a reason why Cassandra uses the Quorum consistency level ?
Maybe a local_quorum conssitency level (or a one consistency level) could d= o the job ?

Regards
Jean Armel



--089e01229cb6fa653004d71d9bb5--