Re: Warn about SASI usage and allow to disable them

2019-01-21 Thread Paulo Motta
+1 to enable_sasi_indexes flag
+1 to disabling experimental features by default on 4.0 (SASI and MVs,
transient replication already disabled)

Regarding the warning on creation of SASI indexes, I think that's a
user-level warning complementary to the flag, which is targeted to admins,
so +1. If people are bothered by this, we could add another flag to disable
warnings on experimental features, which would be applied to both this and
MV creation warning (and any other future experimental feature).

I think the warning should be "SASI indexes are experimental and are not
recommended for production use.", similar to the MV warning added on
CASSANDRA-13959.

We should open a doc ticket to list limitations of experimental features
(MVs, SASI, transient replication), but this should probably be out of the
scope of CASSANDRA-14866. Once we have this doc, we can maybe amend the
warning to include a link to the doc.

Now that the number of experimental feature flags is growing we should
perhaps unify all flags in an "experimental features" section on
cassandra.yaml to allow easily locating them - and a pointer to the
limitations doc once we have it.

On Wed, Jan 16, 2019 at 20:18, sankalp kohli wrote:

> If we want to put a warning, we should list in a doc all the open issues it
> has along with explanation of how it can impact. We have a few in the first
> email of this thread but we should put it in a doc for people to know what
> are the issues and if they want to take that risk.
>
>
>
> On Wed, Jan 16, 2019 at 3:14 PM Brandon Williams  wrote:
>
> > Which, if I'm not mistaken, is the goal here?
> >
> > On Wed, Jan 16, 2019 at 5:12 PM Jeff Jirsa  wrote:
> >
> > > The cost is in how many users you scare away
> > >
> > > --
> > > Jeff Jirsa
> > >
> > >
> > > > On Jan 16, 2019, at 2:34 PM, Brandon Williams wrote:
> > > >
> > > > Also it costs us nothing to add it.
> > > >
> > > >> On Wed, Jan 16, 2019 at 4:29 PM Jonathan Haddad wrote:
> > > >>
> > > >> I'm +1 on the warning for two reasons.
> > > >>
> > > >>> A cqlsh warning only applies to those that create the sasi via cqlsh.
> > > >>
> > > >> 1. When people are creating their schemas in development, this is usually
> > > >> the first step.  You use the REPL to figure out what you need, then you
> > > >> copy your schema somewhere else.  The warning here should prevent a lot of
> > > >> folks from making a serious mistake.
> > > >>
> > > >> 2. It's consistent with how we warn when people try to use materialized
> > > >> views.
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>> On Wed, Jan 16, 2019 at 2:15 PM Mick Semb Wever wrote:
> > > >>>
> > > >>> Regarding the warning, we might add it at least in 3.11, since for that
> > > >>> version the property to enable SASI is going to be present but not disabled
> > > >>> by default. WDYT?
> > > >>>
> > > >>>
> > > >>> I'm  -0 on this.
> > > >>>
> > > >>> A single line warning in the logs on the sasi creation won't be noticed by
> > > >>> many users.
> > > >>> A cqlsh warning only applies to those that create the sasi via cqlsh.
> > > >>> And we're not talking about patching client drivers to generate a warning
> > > >>> there.
> > > >>>
> > > >>> So I'd be happy with a yaml comment on the config flag explaining that
> > > >>> it's a beta feature and that users should check open tickets and understand
> > > >>> current limitations on sasi before using them.
> > > >>>
> > > >>> regards,
> > > >>> Mick
> > > >>>
> > > >>>
> -
> > > >>> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
> > > >>> For additional commands, e-mail: dev-h...@cassandra.apache.org
> > > >>>
> > > >>>
> > > >>
> > > >> --
> > > >> Jon Haddad
> > > >> http://www.rustyrazorblade.com
> > > >> twitter: rustyrazorblade
> > > >>
> > >
> > > -
> > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
> > > For additional commands, e-mail: dev-h...@cassandra.apache.org
> > >
> > >
> >
>


Re: Cassandra Integrated Auth for JMX

2019-01-21 Thread Sam Tunnicliffe
The built-in Cassandra auth for JMX works at the connector (i.e. RMI) level. If 
you try a direct JMX connection, such as jconsole, you should see the Cassandra 
access controls being enforced. As I understand it, Jolokia bypasses the 
connectors and so this auth config has no effect. In fact, Jolokia ships with 
its own policy-based method of configuring access controls. I haven't looked 
into it too much, but I think it would be possible to duplicate the 
functionality of Cassandra's built-in auth with a custom Jolokia Restrictor.

Thanks,
Sam


> On 16 Dec 2018, at 05:21, Cyril Scetbon  wrote:
> 
> Hey guys,
> 
> I’ve followed
> https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html
> to set up JMX with Cassandra’s internal auth using Cassandra 3.11.3
> 
> However I still can connect to JMX without authenticating. You can see in the 
> following attempts that authentication is set up :
> 
> cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra
> Connected to MyCluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh>
> 
> cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra2
> Connection error: ('Unable to connect to any servers', {'127.0.0.1': 
> AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: 
> code=0100 [Bad credentials] message="Provided username cassandra and/or 
> password are incorrect"',)})
> 
> Here is my whole JVM's configuration :
> 
> -Xloggc:/var/log/cassandra/gc.log, -XX:+UseThreadPriorities, 
> -XX:ThreadPriorityPolicy=42, -XX:+HeapDumpOnOutOfMemoryError, -Xss256k, 
> -XX:StringTableSize=103, -XX:+AlwaysPreTouch, -XX:-UseBiasedLocking, 
> -XX:+UseTLAB, -XX:+ResizeTLAB, -Djava.net.preferIPv4Stack=true, -Xms128M, 
> -Xmx128M, -XX:+UseG1GC, -XX:G1RSetUpdatingPauseTimePercent=5, 
> -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintHeapAtGC, 
> -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, 
> -XX:+PrintPromotionFailure, 
> -javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed, 
> -javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml,
>  -XX:+PrintCommandLineFlags, -Xloggc:/var/lib/cassandra/log/gc.log, 
> -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=10, -XX:GCLogFileSize=10M, 
> -Dcassandra.migration_task_wait_in_seconds=1, 
> -Dcassandra.ring_delay_ms=3, 
> -XX:CompileCommandFile=/etc/cassandra/hotspot_compiler, 
> -javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar, 
> -Dcassandra.jmx.remote.port=7199, 
> -Dcom.sun.management.jmxremote.rmi.port=7199, 
> -Djava.library.path=/usr/share/cassandra/lib/sigar-bin, 
> -Dcom.sun.management.jmxremote.authenticate=true, 
> -Dcassandra.jmx.remote.login.config=CassandraLogin, 
> -Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config, 
> -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy, 
> -Dcom.sun.management.jmxremote, -Dcom.sun.management.jmxremote.ssl=false, 
> -Dcom.sun.management.jmxremote.local.only=false, 
> -Dcassandra.jmx.remote.port=7199, 
> -Dcom.sun.management.jmxremote.rmi.port=7199, -Djava.rmi.server.hostname= 
> 2a1d064ce844, 
> -Dcassandra.libjemalloc=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1, 
> -XX:OnOutOfMemoryError=kill -9 %p, -Dlogback.configurationFile=logback.xml, 
> -Dcassandra.logdir=/var/log/cassandra, 
> -Dcassandra.storagedir=/var/lib/cassandra, -Dcassandra-foreground=yes
> 
> But I still can query JMX without authenticating :
> 
> echo '{"mbean": "org.apache.cassandra.db:type=StorageService", "attribute": 
> "OperationMode", "type": "read"}' | http -a cassandra:cassandra POST 
> http://localhost:8778/jolokia/
> HTTP/1.1 200 OK
> Cache-control: no-cache
> Content-type: text/plain; charset=utf-8
> Date: Sun, 16 Dec 2018 05:15:36 GMT
> Expires: Sun, 16 Dec 2018 04:15:36 GMT
> Pragma: no-cache
> Transfer-encoding: chunked
> 
> {
>     "request": {
>         "attribute": "OperationMode",
>         "mbean": "org.apache.cassandra.db:type=StorageService",
>         "type": "read"
>     },
>     "status": 200,
>     "timestamp": 1544937336,
>     "value": "NORMAL"
> }
> 
> 
> I also have to add that I had to change permissions on the file 
> $JAVA_HOME/lib/management/jmxremote.password which is weird as it should not 
> be used in that case, but Cassandra was complaining before I did it.
> 
> Is there anything I'm missing ?
> 
> Thanks
> —
> Cyril Scetbon
> 
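
The mismatch described in the reply above, where connector-level JMX authentication is enabled but a Jolokia agent in the same JVM answers HTTP requests outside it, can be checked from the JVM command line. This is an added example, not code from the thread, Cassandra or Jolokia; the `audit` function and its finding names are hypothetical, and it only recognises the agent's `basic`, `jaas` and `delegate` auth options.

```python
import re

# JVM flags copied from the configuration quoted in the thread (JMX-relevant subset).
JVM_ARGS = [
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed",
    "-javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml",
    "-Dcom.sun.management.jmxremote.authenticate=true",
    "-Dcassandra.jmx.remote.login.config=CassandraLogin",
    "-Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy",
]
CONNECTOR_AUTH = "-Dcom.sun.management.jmxremote.authenticate=true"
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}
AGENT_RE = re.compile(r"-javaagent:([^=]*jolokia[^=]*\.jar)(?:=(.*))?$")


def jolokia_agents(jvm_args):
    """Yield the key=value options of each Jolokia JVM agent on the command line."""
    for arg in jvm_args:
        match = AGENT_RE.match(arg)
        if match:
            raw = match.group(2) or ""
            yield dict(kv.split("=", 1) for kv in raw.split(",") if "=" in kv)


def audit(jvm_args):
    """Return finding names (hypothetical labels) for agents outside connector auth."""
    findings = []
    for opts in jolokia_agents(jvm_args):
        mode = opts.get("authMode", "basic")
        authenticated = (
            (mode == "basic" and "user" in opts and "password" in opts)
            or (mode == "jaas" and "realm" in opts)
            or (mode == "delegate" and "authUrl" in opts)
        )
        if not authenticated:
            findings.append("jolokia-no-auth")
            if CONNECTOR_AUTH in jvm_args:
                # RMI connector auth is on, but it does not cover the HTTP agent.
                findings.append("connector-auth-not-applied")
        if opts.get("host", "localhost") not in LOOPBACK:
            findings.append("jolokia-non-loopback-bind")
        if "policyLocation" not in opts:
            # No explicit policy file; only a jolokia-access.xml on the classpath applies.
            findings.append("jolokia-no-explicit-policy")
    return findings


if __name__ == "__main__":
    for name in audit(JVM_ARGS):
        print(name)
```

Run against the flags from the thread, it reports all four findings for the Jolokia agent line, which matches the unauthenticated HTTP read shown in the original message.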





Re: Cassandra Integrated Auth for JMX

2019-01-21 Thread Cyril Scetbon
Hey guys,

I never got any answer from Jolokia ML or on the GitHub project. Is there 
anyone who configured it with success ?

—
Cyril Scetbon
