Re: Can someone invite me to the apache cassandra slack channel?

2023-05-06 Thread Sam Tunnicliffe
I've sent the invite, I think it may need an admin to approve it though, so if you didn't get it yet it should be on its way. > On 6 May 2023, at 06:52, Const Eust wrote: > > https://infra.apache.org/slack.html > > The directions say someone with apache.org powers needs

[RELEASE] Apache Cassandra 4.0.1 released

2021-09-07 Thread Sam Tunnicliffe
The Cassandra team is pleased to announce the release of Apache Cassandra version 4.0.1. Apache Cassandra is a fully distributed database. It is the right choice when you need scalability and high availability without compromising performance. http://cassandra.apache.org/ Downloads of

Re: Issue with native protocol

2021-07-29 Thread Sam Tunnicliffe
Assuming that the one node doesn't have native_transport_max_negotiable_protocol_version=3 in cassandra.yaml, you could check its log for "Detected peers which do not fully support protocol V4. Capping max negotiable version to V3". The details are in CASSANDRA-15193, but tl;dr is that a

Re: 4.0 best feature/fix?

2021-05-07 Thread Sam Tunnicliffe
That's a driver error using protocol V5, which is the default from 4.0-rc1 but only recently added to the drivers. Can you try specifying protocol V4 with all the same parameters? Also, if it's at all possible (which it may not be, given the divergence between driver versions 3 & 4), could you

Re: CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability

2020-09-02 Thread Sam Tunnicliffe
> Manish > > On Tue, Sep 1, 2020 at 8:03 PM Sam Tunnicliffe <s...@beobal.com> wrote: > CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability > > Versions Affected: > All versions prior to: 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2 > > De

CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability

2020-09-01 Thread Sam Tunnicliffe
CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability Versions Affected: All versions prior to: 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2 Description: It is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry

Re: Impact of enabling authentication on performance

2020-06-04 Thread Sam Tunnicliffe
Passwords are hashed using bcrypt, which performs a configurable number of encryption rounds on the input. The more rounds, the more computationally expensive the hashing and so the more effort required to defeat by brute force. By default, Cassandra encrypts with 2^10 rounds, but this can be

Re: Cannot replace_address /10.xx.xx.xx because it doesn't exist in gossip

2019-03-15 Thread Sam Tunnicliffe
Do you have a cassandra-topology.properties file in place? If so, GPFS will instantiate a PropertyFileSnitch using that for compatibility mode. Then, when gossip state doesn’t contain any endpoint info about the down node (because you bounced the whole cluster), instead of reading the rack & dc

Re: Query failure

2019-03-14 Thread Sam Tunnicliffe
Hi Leo my guess would be that your configuration is not consistent across all nodes in the cluster. The responses you’re seeing are totally indicative of being connected to a node where PasswordAuthenticator is not enabled in cassandra.yaml. Thanks, Sam > On 14 Mar 2019, at 10:56, Léo

Re: Unexpected error during query + Operation timed out

2019-01-18 Thread Sam Tunnicliffe
There’s a timeout happening when querying the system tables in the auth subsystem. The timeout message "Operation timed out - received only 2 responses" indicates that you’re logging in as the default “cassandra” superuser, as queries for all other users are performed at LOCAL_ONE consistency.

Re: system_auth keyspace replication factor

2018-11-26 Thread Sam Tunnicliffe
> I suspect some of the intermediate queries (determining role, etc) happen at > quorum in 2.2+, but I don’t have time to go read the code and prove it. This isn’t true. Aside from when using the default superuser, only CRM::getAllRoles reads at QUORUM (because the resultset would include the

Re: System auth empty, how to populate it

2018-07-18 Thread Sam Tunnicliffe
$2a$10$ > 7sXeNr3okw61oisR9pCyHeWEO3wPzx3w8r/LKwtDSW2Tt68f4KFmi > > Le 18 juil. 2018 à 12:26, Sam Tunnicliffe a écrit : > > It may be an artifact of the email client, but that's not a valid INSERT > statement - the closing quote on the password hash is U2019 (right side > quotation

Re: System auth empty, how to populate it

2018-07-18 Thread Sam Tunnicliffe
heck if it works... > > Le 18 juil. 2018 à 12:03, Sam Tunnicliffe a écrit : > > With that config you'll be using the default AllowAllAuthenticator, so I > assume you are able to connect cqlsh without any credentials? If so, can > you verify the contents of the system_auth.roles t

Re: System auth empty, how to populate it

2018-07-18 Thread Sam Tunnicliffe
have not defined role_manager in the config > >>> - I dropped the users table, it was present in the keyspace > >>> - Cassandra then created a record in the roles table, yay ! > >>> > >>> But when I do clash -u cassandra -p cassandra > >>

Re: System auth empty, how to populate it

2018-07-17 Thread Sam Tunnicliffe
The default superuser is only created at startup if 3 conditions are met: i) The default role manager is configured. In cassandra.yaml, you should see "role_manager: CassandraRoleManager". This is also the default value, so unless you're explicitly using a custom role manager it should be good.

Re: How to restrict users to specific DC.

2018-04-19 Thread Sam Tunnicliffe
https://issues.apache.org/jira/browse/CASSANDRA-13985 is probably what you're looking for here Thanks, Sam On 10 April 2018 at 11:55, Rahul Singh wrote: > That seems to be more of a network segmentation issue. Protect the other > nodes behind a firewall / security

Re: unable to start cassandra 3.11.1

2018-02-02 Thread Sam Tunnicliffe
I've actually just committed the fix for this to the 3.11 and trunk branches, so if you desperately need a compatible build you can make a build from those branches. As I mentioned on the JIRA, I expect we'll move to a release vote very soon, so hopefully should have a 3.11.2 release with this fix

Re: Cassandra 3.11 fails to start with JDK8u162

2018-01-18 Thread Sam Tunnicliffe
This isn't (wasn't) a known issue, but the way that CASSANDRA-10091 was implemented using internal JDK classes means it was always possible that a minor JVM version change could introduce incompatibilities (CASSANDRA-2967 is also relevant). We did already know that we need to revisit the way this

Re: cassandra non-super user login fails but super user works

2017-10-24 Thread Sam Tunnicliffe
Which version of Cassandra are you running? My guess is that you're on a version >= 2.2 and that you've created the non-superuser since upgrading, but haven't yet removed the legacy tables from the system_auth keyspace. If that's the case, then the new user will be present in the new tables, but

Re: system_auth replication factor in Cassandra 2.1

2017-08-30 Thread Sam Tunnicliffe
It's a better rule of thumb to use an RF of 3 to 5 per DC and this is what the docs now suggest: http://cassandra.apache.org/doc/latest/operating/security.html#authentication Out of the box, the system_auth keyspace is set up with SimpleStrategy and RF=1 so that it works on any new system

Re: Secondary Index

2017-06-26 Thread Sam Tunnicliffe
The second query will be much more efficient as the partition key restriction is applied before the one using the indexed column. Only the replicas for that partition will be involved in query 2, whereas query 1 will be distributed to enough replicas to cover the whole token ring. Also (& this

Re: system_auth replication strategy

2017-04-02 Thread Sam Tunnicliffe
> > auth logins for super users is 101 replicas serving the read This only applies to the default superuser (i.e. 'cassandra'), which is one of the reasons for recommending it is only used during initial setup[1]. Reads for all other users, including superusers, are done at LOCAL_ONE [1]

Re: Internal Security - Authentication & Authorization

2017-03-15 Thread Sam Tunnicliffe
> > Here is what I have pieced together. Please let me know if I am on the > right track. You're more or less right regarding the built in authenticator/authorizer/role manager (which are usually referred to as "internal" as they store their data in Cassandra tables). One important thing to note

Re: Question on configuring Apache Cassandra with LDAP

2017-03-03 Thread Sam Tunnicliffe
This is something that has been discussed before and there's a JIRA open for it already, it looks like progress has stalled but you might get some pointers from the linked WIP branch. https://issues.apache.org/jira/browse/CASSANDRA-12294 On Fri, Mar 3, 2017 at 7:45 PM, Harika Vangapelli -T

Re: Does securing C*'s CQL native interface (running on port 9042) automatically secure its Thrift API interface (running on port 9160)?

2016-11-01 Thread Sam Tunnicliffe
It does, yes. Clients will be required to call the thrift login method with a valid set of credentials before performing any other RPC calls. btw, in versions of C* >= 2.2 the Thrift server is not enabled by default (CASSANDRA-9319). On Mon, Oct 31, 2016 at 4:50 PM, Li, Guangxing

Re: During writing data into Cassandra 3.7.0 using Python driver 3.7 sometimes lose Connection because of Server NullPointerException (Help please!)

2016-09-23 Thread Sam Tunnicliffe
The stacktrace suggests that when a connection is being established, either the can_login or is_superuser attribute of the authenticated role is null, which is definitely a bug as there should be no way to create a role in that state. Could you please open a ticket on

Re: Read Repairs and CL

2016-08-30 Thread Sam Tunnicliffe
Just to clarify a little further, it's true that read repair queries are performed at CL ALL, but this is slightly different to a regular, user-initiated query at that CL. Say you have RF=5 and you issue read at CL ALL, the coordinator will send requests to all 5 replicas and block until it

Re: Set up authentication on a live production cluster

2016-08-02 Thread Sam Tunnicliffe
> > However, the actual keyspace (system_auth) and tables are not created > until the last node is restarted with the parameters changed Actually, this is not strictly true. On 2.2+ the tables in system_auth are created up front, regardless of the auth config. Practically you can't go about

Re: Get clustering column in Custom cassandra trigger

2016-05-26 Thread Sam Tunnicliffe
If you just want the string representations you can just use Unfiltered::clustering to get the Clustering instance for each Unfiltered, then call its toString(CFMetadata), passing update.metadata(). On Thu, May 26, 2016 at 12:01 PM, Siddharth Verma < verma.siddha...@snapdeal.com> wrote: >

Re: Why simple replication strategy for system_auth ?

2016-05-13 Thread Sam Tunnicliffe
LocalStrategy means that data is not replicated in the usual way and remains local to each node. Where it is used, replication is either not required (for example in the case of secondary indexes and system.local) or happens out of band via some other method (as in the case of schema, or

Re: Optional TLS CQL Encryption

2016-04-20 Thread Sam Tunnicliffe
From 3.0, separate ports can be configured for encrypted & non-encrypted connections. See https://issues.apache.org/jira/browse/CASSANDRA-9590 On Wed, Apr 20, 2016 at 8:51 AM, Jason J. W. Williams < jasonjwwilli...@gmail.com> wrote: > Hi Ben, > > Thanks for confirming what I saw occur. The

Re: secondary index queries with thrift in cassandra 3.x supported ?

2016-04-07 Thread Sam Tunnicliffe
That certainly looks like a bug, would you mind opening a ticket at https://issues.apache.org/jira/browse/CASSANDRA please? Thanks, Sam On Thu, Apr 7, 2016 at 2:19 PM, Ivan Georgiev wrote: > Hi, are secondary index queries with thrift supported in Cassandra 3.x ? > Asking as I

Re: Logging

2016-01-25 Thread Sam Tunnicliffe
Paulo is correct in saying that C* doesn't have a direct equivalent of SecurityContextHolder. Authenticated principal info is retrievable from the QueryState during query execution but a) this isn't available to every method in the call chain and b) its scope is limited to the coordinator for the

Re: unable to create a user on version 2.2.4

2016-01-02 Thread Sam Tunnicliffe
If you've upgraded to 2.2.4, the full instructions necessary for auth-enabled clusters were unfortunately missing from NEWS.txt. See CASSANDRA-10904 for details. On 2 Jan 2016 10:05, "david" wrote: > we are running cassandra version 2.2.4 on Debian jessie (latest

Re: [Marketing Mail] Re: [Marketing Mail] can't make any permissions change in 2.2.4

2015-12-19 Thread Sam Tunnicliffe
Sorry about the confusing omission of the upgrade instructions from NEWS.txt, the oversight there was mine in the course of CASSANDRA-7653. Dropping those tables is absolutely what you need to do in order to trigger C* to switch over to using the new role-based tables following an upgrade to 2.2+

Re: AssertionError on PasswordAuthenticator

2015-07-27 Thread Sam Tunnicliffe
I don't know Usergrid at all, but the error can be reproduced with cqlsh by supplying an empty string for the username, e.g. bin/cqlsh -u -p cassandra So I guess something in Usergrid is not setting it correctly. On Sat, Jul 25, 2015 at 5:22 PM, Andreas Schlüter dr.andreas.schlue...@gmx.de

Re: Datastax Java Driver vs Cassandra 2.1.7

2015-06-23 Thread Sam Tunnicliffe
.* On 23 Jun 2015, at 13:06 , Sam Tunnicliffe s...@beobal.com wrote: Can you share the query that you're executing when you see the error and the schema of the target table? It could be something related to CASSANDRA-9532. On Tue, Jun 23, 2015 at 10:05 AM, Jean Tremblay jean.tremb...@zen

Re: Datastax Java Driver vs Cassandra 2.1.7

2015-06-23 Thread Sam Tunnicliffe
Can you share the query that you're executing when you see the error and the schema of the target table? It could be something related to CASSANDRA-9532. On Tue, Jun 23, 2015 at 10:05 AM, Jean Tremblay jean.tremb...@zen-innovations.com wrote: Hi, I’m using Datastax Java Driver V 2.1.6 I

Re: Turning on internal security with no downtime

2015-03-03 Thread Sam Tunnicliffe
If you're able to configure your clients so that they don't send requests to 1 node in the cluster you can enable PasswordAuthenticator CassandraAuthorizer on that node only and use cqlsh to set up all your users permissions. The rest of the cluster will continue to serve client requests as

Re: Can not connect with cqlsh to something different than localhost

2014-12-08 Thread Sam Tunnicliffe
rpc_address (or rpc_interface) is used for client connections, listen_address is for inter-node communication. On 8 December 2014 at 19:21, Richard Snowden richard.t.snow...@gmail.com wrote: $ netstat -ntl | grep 9042 tcp6 0 0 127.0.0.1:9042 :::* LISTEN

Re: Secondary index read/write explanation

2012-09-07 Thread Sam Tunnicliffe
On 7 September 2012 00:42, aaron morton aa...@thelastpickle.com wrote: 1. When a write request is received, it is written to the base CF and secondary index to secondary (hidden) CF. If this right, will the secondary index be written local the node or will it follow RP/OPP to write to nodes.

Re: [RELEASE] Apache Cassandra 1.0.10 released

2012-05-08 Thread Sam Tunnicliffe
Hi Jonas, the bug that was fixed in 4116 meant that the max timestamp recorded for an sstable didn't consider any tombstones from row deletions. This meant that from some queries, some sstables were not being read when they should have been. I couldn't say categorically that this would cause the