[ 
https://issues.apache.org/jira/browse/CASSANDRA-16404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17387348#comment-17387348
 ] 

Sam Tunnicliffe commented on CASSANDRA-16404:
---------------------------------------------

bq. role_permissions table relies on this method while storing existing 
permissions. So we cannot easily change it

This is correct. The only way around it would be to accept a CQL format string 
and parse it on the server, but to be honest I don't believe it's really worth 
it. So I'd say we should stick with the internal representation for now, seeing 
as it's very much a power-user feature anyway.

That one niggle aside, the CLI looks pretty good to me. There's just one small 
issue whereby supplying invalid types for function params throws an exception, 
which we could catch and present more nicely. 

{code}
❯ bin/nodetool invalidatepermissionscache --functions-in-keyspace foo --function bar\[x^y\] user
error: org.apache.cassandra.db.marshal.x
-- StackTrace --
java.lang.ClassNotFoundException: org.apache.cassandra.db.marshal.x
        at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:419)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:352)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:264)
        at org.apache.cassandra.utils.FBUtilities.classForName(FBUtilities.java:716)
        at org.apache.cassandra.db.marshal.TypeParser.getAbstractType(TypeParser.java:357)
        at org.apache.cassandra.db.marshal.TypeParser.parse(TypeParser.java:89)
        at org.apache.cassandra.auth.FunctionResource.argsListFromString(FunctionResource.java:338)
        at org.apache.cassandra.auth.FunctionResource.fromName(FunctionResource.java:190)
        at org.apache.cassandra.auth.Resources.fromName(Resources.java:60)
        at org.apache.cassandra.auth.PermissionsCache.invalidatePermissions(PermissionsCache.java:48)
        ...
        ...
        ...
{code}

Otherwise, I think we're pretty much done with this. Thanks for all the good 
work [~azotcsit]


> Provide a nodetool way of invalidating auth caches
> --------------------------------------------------
>
>                 Key: CASSANDRA-16404
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16404
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Authorization
>            Reporter: Sumanth Pasupuleti
>            Assignee: Aleksei Zotov
>            Priority: Normal
>             Fix For: 4.x
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> We currently have nodetool commands to invalidate certain caches like 
> KeyCache, RowCache and CounterCache. 
> Being able to invalidate auth caches as well can come in handy in situations 
> where critical backend auth changes may need to be in effect right away for 
> all the connections, especially in configurations where cache validity is 
> chosen to be for a longer duration. An example can be that an authenticated 
> user "User1" is no longer authorized to access a table resource "table1" and 
> it is vital that this change is reflected right away, without having to wait 
> for cache expiry/refresh to trigger.


