[jira] [Updated] (CASSANDRA-19385) ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Stefan Miklosovic updated CASSANDRA-19385: -- Fix Version/s: 5.1 (was: 5.x) > ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users > > > Key: CASSANDRA-19385 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19385 > Project: Apache Cassandra > Issue Type: Bug > Components: Messaging/Client >Reporter: Abe Ratnofsky >Assignee: Abe Ratnofsky >Priority: Normal > Fix For: 5.1 > > Attachments: ci_summary.html, ci_summary_9.html > > Time Spent: 1h 20m > Remaining Estimate: 0h > > Currently, if users want to block a role from connecting to Cassandra, ALTER > ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But > these commands do not disconnect existing connections authenticated with the > given role, and these connections will stay alive until they're disconnected > for another reason. Subsequent attempts to connect with that role will fail. > There is currently no way to disconnect all connections for a given user > either. nodetool disablebinary will disconnect all client connections for a > given node, and client sessions can be shut down. But in the case of a > credential leak or a misconfigured user, it can be desirable to prevent login > for a given role and disconnect all existing connections for that role. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-19385) ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Francisco Guerrero updated CASSANDRA-19385: --- Fix Version/s: 5.x Since Version: 5.x Source Control Link: https://github.com/apache/cassandra/commit/aa5b8e3d3fdcc55fdde68a205f376673f8ce1f88 Resolution: Fixed Status: Resolved (was: Ready to Commit) > ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users > > > Key: CASSANDRA-19385 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19385 > Project: Apache Cassandra > Issue Type: Bug > Components: Messaging/Client >Reporter: Abe Ratnofsky >Assignee: Abe Ratnofsky >Priority: Normal > Fix For: 5.x > > Attachments: ci_summary.html, ci_summary_9.html > > Time Spent: 1h 20m > Remaining Estimate: 0h > > Currently, if users want to block a role from connecting to Cassandra, ALTER > ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But > these commands do not disconnect existing connections authenticated with the > given role, and these connections will stay alive until they're disconnected > for another reason. Subsequent attempts to connect with that role will fail. > There is currently no way to disconnect all connections for a given user > either. nodetool disablebinary will disconnect all client connections for a > given node, and client sessions can be shut down. But in the case of a > credential leak or a misconfigured user, it can be desirable to prevent login > for a given role and disconnect all existing connections for that role. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-19385) ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Francisco Guerrero updated CASSANDRA-19385: --- Status: Ready to Commit (was: Review In Progress) Test results look good for the most part. There are 8 failures unrelated to the patch > ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users > > > Key: CASSANDRA-19385 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19385 > Project: Apache Cassandra > Issue Type: Bug > Components: Messaging/Client >Reporter: Abe Ratnofsky >Assignee: Abe Ratnofsky >Priority: Normal > Attachments: ci_summary.html, ci_summary_9.html > > Time Spent: 1h 20m > Remaining Estimate: 0h > > Currently, if users want to block a role from connecting to Cassandra, ALTER > ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But > these commands do not disconnect existing connections authenticated with the > given role, and these connections will stay alive until they're disconnected > for another reason. Subsequent attempts to connect with that role will fail. > There is currently no way to disconnect all connections for a given user > either. nodetool disablebinary will disconnect all client connections for a > given node, and client sessions can be shut down. But in the case of a > credential leak or a misconfigured user, it can be desirable to prevent login > for a given role and disconnect all existing connections for that role. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-19385) ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abe Ratnofsky updated CASSANDRA-19385: -- Attachment: ci_summary_9.html > ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users > > > Key: CASSANDRA-19385 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19385 > Project: Apache Cassandra > Issue Type: Bug > Components: Messaging/Client >Reporter: Abe Ratnofsky >Assignee: Abe Ratnofsky >Priority: Normal > Attachments: ci_summary.html, ci_summary_9.html > > Time Spent: 1h 20m > Remaining Estimate: 0h > > Currently, if users want to block a role from connecting to Cassandra, ALTER > ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But > these commands do not disconnect existing connections authenticated with the > given role, and these connections will stay alive until they're disconnected > for another reason. Subsequent attempts to connect with that role will fail. > There is currently no way to disconnect all connections for a given user > either. nodetool disablebinary will disconnect all client connections for a > given node, and client sessions can be shut down. But in the case of a > credential leak or a misconfigured user, it can be desirable to prevent login > for a given role and disconnect all existing connections for that role. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-19385) ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abe Ratnofsky updated CASSANDRA-19385: -- Attachment: ci_summary.html > ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users > > > Key: CASSANDRA-19385 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19385 > Project: Apache Cassandra > Issue Type: Bug > Components: Messaging/Client >Reporter: Abe Ratnofsky >Assignee: Abe Ratnofsky >Priority: Normal > Attachments: ci_summary.html > > Time Spent: 1h 20m > Remaining Estimate: 0h > > Currently, if users want to block a role from connecting to Cassandra, ALTER > ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But > these commands do not disconnect existing connections authenticated with the > given role, and these connections will stay alive until they're disconnected > for another reason. Subsequent attempts to connect with that role will fail. > There is currently no way to disconnect all connections for a given user > either. nodetool disablebinary will disconnect all client connections for a > given node, and client sessions can be shut down. But in the case of a > credential leak or a misconfigured user, it can be desirable to prevent login > for a given role and disconnect all existing connections for that role. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-19385) ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Francisco Guerrero updated CASSANDRA-19385: --- Reviewers: Francisco Guerrero, Francisco Guerrero Francisco Guerrero, Francisco Guerrero (was: Francisco Guerrero) Status: Review In Progress (was: Patch Available) > ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users > > > Key: CASSANDRA-19385 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19385 > Project: Apache Cassandra > Issue Type: Bug > Components: Messaging/Client >Reporter: Abe Ratnofsky >Assignee: Abe Ratnofsky >Priority: Normal > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently, if users want to block a role from connecting to Cassandra, ALTER > ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But > these commands do not disconnect existing connections authenticated with the > given role, and these connections will stay alive until they're disconnected > for another reason. Subsequent attempts to connect with that role will fail. > There is currently no way to disconnect all connections for a given user > either. nodetool disablebinary will disconnect all client connections for a > given node, and client sessions can be shut down. But in the case of a > credential leak or a misconfigured user, it can be desirable to prevent login > for a given role and disconnect all existing connections for that role. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-19385) ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abe Ratnofsky updated CASSANDRA-19385: -- Bug Category: Parent values: Security(12985) Complexity: Normal Discovered By: Code Inspection Severity: Normal Status: Open (was: Triage Needed) > ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users > > > Key: CASSANDRA-19385 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19385 > Project: Cassandra > Issue Type: Bug > Components: Messaging/Client >Reporter: Abe Ratnofsky >Assignee: Abe Ratnofsky >Priority: Normal > Time Spent: 20m > Remaining Estimate: 0h > > Currently, if users want to block a role from connecting to Cassandra, ALTER > ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But > these commands do not disconnect existing connections authenticated with the > given role, and these connections will stay alive until they're disconnected > for another reason. Subsequent attempts to connect with that role will fail. > There is currently no way to disconnect all connections for a given user > either. nodetool disablebinary will disconnect all client connections for a > given node, and client sessions can be shut down. But in the case of a > credential leak or a misconfigured user, it can be desirable to prevent login > for a given role and disconnect all existing connections for that role. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-19385) ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users
[ https://issues.apache.org/jira/browse/CASSANDRA-19385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abe Ratnofsky updated CASSANDRA-19385: -- Test and Documentation Plan: Unit tests Status: Patch Available (was: Open) > ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users > > > Key: CASSANDRA-19385 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19385 > Project: Cassandra > Issue Type: Bug > Components: Messaging/Client >Reporter: Abe Ratnofsky >Assignee: Abe Ratnofsky >Priority: Normal > Time Spent: 20m > Remaining Estimate: 0h > > Currently, if users want to block a role from connecting to Cassandra, ALTER > ROLE WITH LOGIN=FALSE and REVOKE ROLE seem like the sensible options. But > these commands do not disconnect existing connections authenticated with the > given role, and these connections will stay alive until they're disconnected > for another reason. Subsequent attempts to connect with that role will fail. > There is currently no way to disconnect all connections for a given user > either. nodetool disablebinary will disconnect all client connections for a > given node, and client sessions can be shut down. But in the case of a > credential leak or a misconfigured user, it can be desirable to prevent login > for a given role and disconnect all existing connections for that role. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
