Re: Impact of enabling authentication on performance

2020-06-04 Thread Sam Tunnicliffe
Passwords are hashed using bcrypt, which performs a configurable number of 
encryption rounds on the input. The more rounds, the more computationally 
expensive the hashing and so the more effort required to defeat by brute force. 
By default, Cassandra encrypts with 2^10 rounds, but this can be set anywhere 
between 2^4 and 2^31, the trade-off being that a lower number of rounds is 
technically less secure but puts less strain on the servers, particularly if 
you have a lot of short-lived client connections and/or thundering herd issues. 

To override the default use a system property, which can be added to 
jvm-server.options, e.g.:

-Dcassandra.auth_bcrypt_gensalt_log2_rounds=4

Bcrypt encodes the number of rounds used to generate a hash in the hash itself 
so existing passwords will continue to work, they just won't benefit from the 
reduced costs. See https://issues.apache.org/jira/browse/CASSANDRA-8085 for 
(slightly) more info.


> On 4 Jun 2020, at 07:39, Gil Ganz  wrote:
> 
> Great advice guys, will check it out.
> Jeff, what do you mean exactly by dropping bcrypt rounds?
> 
> 
> On Wed, Jun 3, 2020 at 10:22 AM Alex Ott wrote:
> You can decrease this time for picking up the change by using lower number
> for credentials_update_interval_in_ms, roles_update_interval_in_ms &
> permissions_update_interval_in_ms 
> 
> Durity, Sean R  at "Tue, 2 Jun 2020 14:48:28 +" wrote:
>  DSR> To flesh this out a bit, I set roles_validity_in_ms and 
> permissions_validity_in_ms to
>  DSR> 360 (10 minutes). The default of 2000 is far too often for my use 
> cases. Usually I set
>  DSR> the RF for system_auth to 3 per DC. On a larger, busier cluster I have 
> set it to 6 per
>  DSR> DC. NOTE: if you set the validity higher, it may take that amount of 
> time before a change
>  DSR> in password or table permissions is picked up (usually less).
> 
> 
>  DSR> Sean Durity
> 
>  DSR> -Original Message-
>  DSR> From: Jeff Jirsa
>  DSR> Sent: Tuesday, June 2, 2020 2:39 AM
>  DSR> To: user@cassandra.apache.org
>  DSR> Subject: [EXTERNAL] Re: Impact of enabling authentication on performance
> 
>  DSR> Set the Auth cache to a long validity
> 
>  DSR> Don’t go crazy with RF of system auth
> 
>  DSR> Drop bcrypt rounds if you see massive cpu spikes on reconnect storms
> 
> 
>  >> On Jun 1, 2020, at 11:26 PM, Gil Ganz wrote:
>  >>
>  >> 
>  >> Hi
>  >> I have a production 3.11.6 cluster which I might want to enable 
> authentication in, I'm trying to understand what will be the performance 
> impact, if any.
>  >> I understand each use case might be different, trying to understand if 
> there is a common % people usually see their performance hit, or if someone 
> has looked into this.
>  >> Gil
> 

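Added example (not from the thread or the Cassandra code base): because the round count is stored inside each bcrypt hash, changing the property leaves existing hashes at their old cost until the password is set again. This Python code reads the cost out of stored hashes and lists the roles whose hashes were generated under a different setting; the role names and hash values are constructed placeholders, and the 4..31 bounds are the ones quoted in the message above.

```python
import re

# Modular-crypt layout: $2<minor>$<2-digit log2 rounds>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

MIN_LOG2, MAX_LOG2 = 4, 31  # bounds quoted in the thread


def log2_rounds(salted_hash):
    """Return the log2 round count embedded in a bcrypt hash string."""
    m = BCRYPT_RE.match(salted_hash)
    if m is None:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group(1))
    if not MIN_LOG2 <= cost <= MAX_LOG2:
        raise ValueError(f"log2 rounds {cost} outside {MIN_LOG2}..{MAX_LOG2}")
    return cost


def audit(roles, configured_log2):
    """Compare each stored hash's cost with the currently configured one.

    Returns {role: (stored_log2, work_ratio)} for roles whose hash was made
    under a different setting; work_ratio is how many times more (or less)
    CPU one login check costs than a hash made at configured_log2.
    """
    stale = {}
    for role, salted_hash in roles.items():
        stored = log2_rounds(salted_hash)
        if stored != configured_log2:
            stale[role] = (stored, 2.0 ** (stored - configured_log2))
    return stale


def _constructed_hash(cost):
    # Structurally valid placeholder, not the hash of any real password.
    return f"$2a${cost:02d}$" + "." * 22 + "A" * 31


# Constructed sample: role name -> stored hash, as an export of role hashes might look.
SAMPLE_ROLES = {
    "app_reader": _constructed_hash(10),  # created under the default
    "app_writer": _constructed_hash(10),
    "batch_job": _constructed_hash(4),    # password set after the override
}

if __name__ == "__main__":
    for role, (stored, ratio) in sorted(audit(SAMPLE_ROLES, 4).items()):
        print(f"{role}: stored 2^{stored} rounds, {ratio:.0f}x the configured cost")
```
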
Re: Impact of enabling authentication on performance

2020-06-04 Thread Gil Ganz
Great advice guys, will check it out.
Jeff, what do you mean exactly by dropping bcrypt rounds?


On Wed, Jun 3, 2020 at 10:22 AM Alex Ott  wrote:

> You can decrease this time for picking up the change by using lower number
> for credentials_update_interval_in_ms, roles_update_interval_in_ms &
> permissions_update_interval_in_ms
>
> Durity, Sean R  at "Tue, 2 Jun 2020 14:48:28 +" wrote:
>  DSR> To flesh this out a bit, I set roles_validity_in_ms and
> permissions_validity_in_ms to
>  DSR> 360 (10 minutes). The default of 2000 is far too often for my
> use cases. Usually I set
>  DSR> the RF for system_auth to 3 per DC. On a larger, busier cluster I
> have set it to 6 per
>  DSR> DC. NOTE: if you set the validity higher, it may take that amount of
> time before a change
>  DSR> in password or table permissions is picked up (usually less).
>
>
>  DSR> Sean Durity
>
>  DSR> -Original Message-
>  DSR> From: Jeff Jirsa 
>  DSR> Sent: Tuesday, June 2, 2020 2:39 AM
>  DSR> To: user@cassandra.apache.org
>  DSR> Subject: [EXTERNAL] Re: Impact of enabling authentication on
> performance
>
>  DSR> Set the Auth cache to a long validity
>
>  DSR> Don’t go crazy with RF of system auth
>
>  DSR> Drop bcrypt rounds if you see massive cpu spikes on reconnect storms
>
>
>  >> On Jun 1, 2020, at 11:26 PM, Gil Ganz  wrote:
>  >>
>  >> 
>  >> Hi
>  >> I have a production 3.11.6 cluster which I might want to enable
> authentication in, I'm trying to understand what will be the performance
> impact, if any.
>  >> I understand each use case might be different, trying to understand if
> there is a common % people usually see their performance hit, or if someone
> has looked into this.
>  >> Gil
>
>
>
> --
> With best wishes, Alex Ott
> Principal Architect, DataStax
> http://datastax.com/
>
>
>


Re: Impact of enabling authentication on performance

2020-06-03 Thread Alex Ott
You can decrease this time for picking up the change by using lower number
for credentials_update_interval_in_ms, roles_update_interval_in_ms &
permissions_update_interval_in_ms 

Durity, Sean R  at "Tue, 2 Jun 2020 14:48:28 +" wrote:
 DSR> To flesh this out a bit, I set roles_validity_in_ms and 
permissions_validity_in_ms to
 DSR> 360 (10 minutes). The default of 2000 is far too often for my use 
cases. Usually I set
 DSR> the RF for system_auth to 3 per DC. On a larger, busier cluster I have 
set it to 6 per
 DSR> DC. NOTE: if you set the validity higher, it may take that amount of time 
before a change
 DSR> in password or table permissions is picked up (usually less).


 DSR> Sean Durity

 DSR> -Original Message-
 DSR> From: Jeff Jirsa 
 DSR> Sent: Tuesday, June 2, 2020 2:39 AM
 DSR> To: user@cassandra.apache.org
 DSR> Subject: [EXTERNAL] Re: Impact of enabling authentication on performance

 DSR> Set the Auth cache to a long validity

 DSR> Don’t go crazy with RF of system auth

 DSR> Drop bcrypt rounds if you see massive cpu spikes on reconnect storms


 >> On Jun 1, 2020, at 11:26 PM, Gil Ganz  wrote:
 >>
 >> 
 >> Hi
 >> I have a production 3.11.6 cluster which I might want to enable 
 >> authentication in, I'm trying to understand what will be the performance 
 >> impact, if any.
 >> I understand each use case might be different, trying to understand if 
 >> there is a common % people usually see their performance hit, or if someone 
 >> has looked into this.
 >> Gil



-- 
With best wishes, Alex Ott
Principal Architect, DataStax
http://datastax.com/




RE: Impact of enabling authentication on performance

2020-06-02 Thread Durity, Sean R
To flesh this out a bit, I set roles_validity_in_ms and 
permissions_validity_in_ms to 360 (10 minutes). The default of 2000 is far 
too often for my use cases. Usually I set the RF for system_auth to 3 per DC. 
On a larger, busier cluster I have set it to 6 per DC. NOTE: if you set the 
validity higher, it may take that amount of time before a change in password or 
table permissions is picked up (usually less).


Sean Durity

-Original Message-
From: Jeff Jirsa 
Sent: Tuesday, June 2, 2020 2:39 AM
To: user@cassandra.apache.org
Subject: [EXTERNAL] Re: Impact of enabling authentication on performance

Set the Auth cache to a long validity

Don’t go crazy with RF of system auth

Drop bcrypt rounds if you see massive cpu spikes on reconnect storms


> On Jun 1, 2020, at 11:26 PM, Gil Ganz  wrote:
>
> 
> Hi
> I have a production 3.11.6 cluster which I might want to enable 
> authentication in, I'm trying to understand what will be the performance 
> impact, if any.
> I understand each use case might be different, trying to understand if there 
> is a common % people usually see their performance hit, or if someone has 
> looked into this.
> Gil

-
To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
For additional commands, e-mail: user-h...@cassandra.apache.org




The information in this Internet Email is confidential and may be legally 
privileged. It is intended solely for the addressee. Access to this Email by 
anyone else is unauthorized. If you are not the intended recipient, any 
disclosure, copying, distribution or any action taken or omitted to be taken in 
reliance on it, is prohibited and may be unlawful. When addressed to our 
clients any opinions or advice contained in this Email are subject to the terms 
and conditions expressed in any applicable governing The Home Depot terms of 
business or client engagement letter. The Home Depot disclaims all 
responsibility and liability for the accuracy and content of this attachment 
and for any damages or losses arising from any inaccuracies, errors, viruses, 
e.g., worms, trojan horses, etc., or other items of a destructive nature, which 
may be contained in this attachment and shall not be liable for direct, 
indirect, consequential or special damages in connection with this e-mail 
message or its attachment.


Re: Impact of enabling authentication on performance

2020-06-02 Thread Jeff Jirsa
Set the Auth cache to a long validity

Don’t go crazy with RF of system auth

Drop bcrypt rounds if you see massive cpu spikes on reconnect storms


> On Jun 1, 2020, at 11:26 PM, Gil Ganz  wrote:
> 
> 
> Hi
> I have a production 3.11.6 cluster which I might want to enable 
> authentication in, I'm trying to understand what will be the performance 
> impact, if any.
> I understand each use case might be different, trying to understand if there 
> is a common % people usually see their performance hit, or if someone has 
> looked into this.
> Gil
