[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17912988#comment-17912988 ]

Francisco Guerrero commented on CASSANDRA-19385:
------------------------------------------------

We talked about having two potential follow-ups to this PR:

1. When you connect using mTLS and you drop the identity from the role, i.e. 
{{DROP IDENTITY '<identity>'}}, we currently do not disconnect mTLS 
connections. While the role still has access to the database, connections to 
the database with the mTLS identity are disallowed, so we should drop these 
connections as well.
2. Having a {{nodetool}} command to disconnect a user without waiting for the 
background thread for the disconnection.

> ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
> ----------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19385
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19385
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Messaging/Client
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>         Attachments: ci_summary.html
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Currently, if users want to block a role from connecting to Cassandra, ALTER 
> ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But 
> these commands do not disconnect existing connections authenticated with the 
> given role, and these connections will stay alive until they're disconnected 
> for another reason. Subsequent attempts to connect with that role will fail.
> There is currently no way to disconnect all connections for a given user 
> either. nodetool disablebinary will disconnect all client connections for a 
> given node, and client sessions can be shut down. But in the case of a 
> credential leak or a misconfigured user, it can be desirable to prevent login 
> for a given role and disconnect all existing connections for that role.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
