[ https://issues.apache.org/jira/browse/CASSANDRA-11097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16878821#comment-16878821 ]

Andy Tolbert commented on CASSANDRA-11097:
------------------------------------------

Thanks for the background [~ifesdjeen], that makes sense to me (y).  I can see 
how being able to clean up defunct connections that aren't doing anything would 
be nice, especially since TCP keepalive defaults are usually large (2 hours).

With regard to this case from the description:

{quote}
An example would be an administrator who connected via ssh+cqlsh and then 
walked away. Disconnecting that user and forcing it to re-authenticate could 
protect against unauthorized access.
{quote}

If the underlying python-driver was using the default heartbeat configuration, 
wouldn't the connections stay alive then even with this new configuration? Even 
if it did close the connections, the driver would likely successfully reconnect 
since it looks like the configured auth provider for cqlsh will retain 
credentials between reconnections. 

That being said, I still like the change as it enables the capability of timing 
out idle connections, but may require some configuration on the client side to 
achieve the "walk away from my cqlsh session" case.

> Idle session timeout for secure environments
> --------------------------------------------
>
>                 Key: CASSANDRA-11097
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11097
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Legacy/CQL
>            Reporter: Jeff Jirsa
>            Assignee: Alex Petrov
>            Priority: Low
>              Labels: lhf, ponies
>             Fix For: 4.0
>
>
> A thread on the user list pointed out that some use cases may prefer to have 
> a database disconnect sessions after some idle timeout. An example would be 
> an administrator who connected via ssh+cqlsh and then walked away. 
> Disconnecting that user and forcing it to re-authenticate could protect 
> against unauthorized access.
> It seems like it may be possible to do this using a netty 
> {{IdleStateHandler}} in a way that's low risk and perhaps off by default.  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
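
The interaction raised in the comment above, as an added example that is not part of the original message and is not Cassandra or python-driver code: a small model of a server-side idle timeout meeting a client that heartbeats idle connections and keeps credentials for reconnects. The `Client` and `simulate` names and all timing values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Client:
    heartbeat_interval: float  # seconds between heartbeats on an idle connection; 0 disables
    caches_credentials: bool   # auth provider retains credentials across reconnects


def simulate(server_idle_timeout, client, user_idle_for):
    """Model one connection while the user is away for user_idle_for seconds.

    Returns (server_closed_connection, user_must_reauthenticate).
    Assumption: the server closes a connection once no frame has arrived for
    server_idle_timeout seconds and cannot tell a heartbeat from user activity.
    """
    last_frame = 0.0
    next_hb = client.heartbeat_interval or float("inf")
    while True:
        deadline = last_frame + server_idle_timeout
        if next_hb < deadline and next_hb <= user_idle_for:
            # A heartbeat lands before the idle deadline and resets it.
            last_frame = next_hb
            next_hb += client.heartbeat_interval
            continue
        if deadline <= user_idle_for:
            # Idle timeout fired. A driver holding credentials reconnects
            # silently, so the returning person is never prompted.
            return True, not client.caches_credentials
        return False, False


# Constructed scenario: 10 minute server timeout, user away for 2 hours.
TIMEOUT, AWAY = 600, 7200
heartbeating = simulate(TIMEOUT, Client(30, True), AWAY)    # never idles out
silent_cached = simulate(TIMEOUT, Client(0, True), AWAY)    # closed, reconnects itself
silent_prompt = simulate(TIMEOUT, Client(0, False), AWAY)   # closed, must log in again
slow_heartbeat = simulate(TIMEOUT, Client(900, False), AWAY)  # heartbeat too slow to help

if __name__ == "__main__":
    for name in ("heartbeating", "silent_cached", "silent_prompt", "slow_heartbeat"):
        print(name, globals()[name])
```

Only the case with heartbeats disabled (or slower than the timeout) and no retained credentials forces re-authentication, which is the client-side configuration the comment refers to.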
