【Question title】: Enable one time Cassandra Authentication and Authorization check and cache it forever
【Posted】: 2018-11-11 13:14:46
【Question description】:

I am using authentication and authorization in my single-node Cassandra setup, but I frequently get the following error in the Cassandra server logs:

ERROR [SharedPool-Worker-71] 2018-06-01 10:40:36,661 ErrorMessage.java:338 - Unexpected exception during request
java.lang.RuntimeException: org.apache.cassandra.exceptions.ReadTimeoutException: Operation timed out - received only 1 responses.
        at org.apache.cassandra.auth.CassandraRoleManager.getRole(CassandraRoleManager.java:489) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.CassandraRoleManager.getRoles(CassandraRoleManager.java:269) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.RolesCache.getRoles(RolesCache.java:66) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.Roles.hasSuperuserStatus(Roles.java:51) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.AuthenticatedUser.isSuper(AuthenticatedUser.java:71) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.CassandraAuthorizer.authorize(CassandraAuthorizer.java:76) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.PermissionsCache.getPermissions(PermissionsCache.java:68) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.AuthenticatedUser.getPermissions(AuthenticatedUser.java:104) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.ClientState.authorize(ClientState.java:412) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.ClientState.checkPermissionOnResourceChain(ClientState.java:345) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.ClientState.ensureHasPermission(ClientState.java:322) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.ClientState.hasAccess(ClientState.java:309) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.ClientState.hasColumnFamilyAccess(ClientState.java:293) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.cql3.statements.SelectStatement.checkAccess(SelectStatement.java:198) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:203) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.cql3.QueryProcessor.processPrepared(QueryProcessor.java:487) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.cql3.QueryProcessor.processPrepared(QueryProcessor.java:464) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.transport.messages.ExecuteMessage.execute(ExecuteMessage.java:130) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:507) [apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:401) [apache-cassandra-3.0.8.jar:3.0.8]
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333) [netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext.access$700(AbstractChannelHandlerContext.java:32) [netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext$8.run(AbstractChannelHandlerContext.java:324) [netty-all-4.0.23.Final.jar:4.0.23.Final]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_91]
        at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:164) [apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:105) [apache-cassandra-3.0.8.jar:3.0.8]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]
Caused by: org.apache.cassandra.exceptions.ReadTimeoutException: Operation timed out - received only 1 responses.
        at org.apache.cassandra.service.ReadCallback.awaitResults(ReadCallback.java:132) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.ReadCallback.get(ReadCallback.java:137) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.AbstractReadExecutor.get(AbstractReadExecutor.java:145) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.StorageProxy$SinglePartitionReadLifecycle.awaitResultsAndRetryOnDigestMismatch(StorageProxy.java:1715) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.StorageProxy.fetchRows(StorageProxy.java:1664) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.StorageProxy.readRegular(StorageProxy.java:1605) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.service.StorageProxy.read(StorageProxy.java:1524) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.db.SinglePartitionReadCommand$Group.execute(SinglePartitionReadCommand.java:954) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.cql3.statements.SelectStatement.execute(SelectStatement.java:263) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.cql3.statements.SelectStatement.execute(SelectStatement.java:224) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.CassandraRoleManager.getRoleFromTable(CassandraRoleManager.java:497) ~[apache-cassandra-3.0.8.jar:3.0.8]
        at org.apache.cassandra.auth.CassandraRoleManager.getRole(CassandraRoleManager.java:485) ~[apache-cassandra-3.0.8.jar:3.0.8]
        ... 27 common frames omitted

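With this in mind, I tried to enable a one-time Cassandra authentication and authorization check and cache it forever, based on the settings below, which I found at this URL: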

https://docs.datastax.com/en/dse/5.1/dse-admin/datastax_enterprise/security/secAuthCacheSettings.html

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
roles_validity_in_ms: 0
permissions_validity_in_ms: 0

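But I still frequently see the above error in the server logs. Do I also need to add this configuration: credentials_validity_in_ms: 0, or am I missing something?

【Question discussion】:

    Tags: cassandra datastax cassandra-3.0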


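    【Solution 1】:

    This message is actually a signal that something is wrong with your setup - the machine is overloaded or something similar.

    I suggest not disabling these settings completely (changing a password or a role would then require a node restart), and instead doing the following:

    • set roles_validity_in_ms, permissions_validity_in_ms and credentials_validity_in_ms to a fairly high value, for example a month;
    • configure roles_update_interval_in_ms, credentials_update_interval_in_ms and permissions_update_interval_in_ms to some value, for example one minute.

    If you have a large number of users and tables, it also makes sense to tune permissions_cache_max_entries.

    【Comments】:

    • We never change usernames and passwords in our setup, so would it be better to set roles_validity_in_ms, permissions_validity_in_ms and credentials_validity_in_ms to '0' without configuring roles_update_interval_in_ms, credentials_update_interval_in_ms and permissions_update_interval_in_ms? We always have only 2 users, so I think there is no need to tune permissions_cache_max_entries?
    • Also, my question is: I have already set roles_validity_in_ms, permissions_validity_in_ms = 0, but I still get "getRole" calls in Cassandra (judging from the error, it is called frequently). Is this expected behavior because I have not configured credentials_validity_in_ms = 0?
    • To the first question: yes. To the second question: the permissions cache is set up for authenticated users, and if the user's entry expires (2 seconds by default), the permissions cache entry will be gone...
    • Thanks @Alex Ott, I will try adding credentials_validity_in_ms set to '0', in addition to roles_validity_in_ms, permissions_validity_in_ms = 0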
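
An added example, not part of the original question or answer: a small Python check that reads the `*_in_ms` keys from a cassandra.yaml fragment and reports how each auth cache will behave. It relies on the stock cassandra.yaml comments, which say a validity of 0 disables the cache and an unset update interval defaults to the validity period; the 2000 ms default, the 30-day and one-minute values, and the helper names are assumptions made for illustration.

```python
import re

# Constructed sample: the settings posted in the question.
QUESTION_YAML = """\
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
roles_validity_in_ms: 0
permissions_validity_in_ms: 0
"""
# Constructed sample: the answer's suggestion with assumed numbers
# (30 days validity, one-minute refresh interval).
ANSWER_YAML = """\
roles_validity_in_ms: 2592000000
roles_update_interval_in_ms: 60000
permissions_validity_in_ms: 2592000000
permissions_update_interval_in_ms: 60000
credentials_validity_in_ms: 2592000000
credentials_update_interval_in_ms: 60000
"""

CACHES = ("roles", "permissions", "credentials")
DEFAULT_VALIDITY_MS = 2000  # assumption: stock cassandra.yaml default

def parse_ms_settings(text):
    """Collect top-level `<name>_in_ms: <int>` keys, ignoring trailing comments."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+_in_ms)\s*:\s*(\d+)\s*(?:#.*)?$", line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def audit_auth_caches(text):
    """Return {cache name: finding} for the three auth caches."""
    cfg = parse_ms_settings(text)
    report = {}
    for cache in CACHES:
        validity = cfg.get(f"{cache}_validity_in_ms", DEFAULT_VALIDITY_MS)
        # When unset, the refresh interval defaults to the validity period.
        update = cfg.get(f"{cache}_update_interval_in_ms", validity)
        if validity == 0:
            report[cache] = "cache disabled: every check reads the auth tables"
        elif update > validity:
            report[cache] = "update interval exceeds validity: entries expire before refresh"
        else:
            report[cache] = f"cached; background refresh after {update} ms"
    return report
```

With a long validity period, a dropped role or revoked permission stays cached on the node until the update interval has passed and the entry is read again, so the update interval is roughly the revocation delay.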