CASSANDRA-19385: ALTER ROLE WITH LOGIN=FALSE and REVOKE ROLE do not disconnect existing users #3706
+253
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ER LOGIN = false It's straightforward to have the coordinator of the DROP / ALTER disconnect the impacted client, but non-coordinators don't have a direct path of finding out that a user has been impacted. The role update causes a write to system_auth.roles, and non-coordinators will pick up that change async when they refresh their RolesCache. It's important for this patch that non-coordinators also disconnect the impacted user, because we could be revoking the role due to account takeover or other risk. One approach to solve this is having all instances periodically check all their active connections, and disconnect impacted users. The active connection count default maximum is 10k, and the list of active connections is scanned for various metrics collection anyway. Another approach is to limit the maximum duration that any connection can be established, so users are required to re-authenticate periodically, like every 24h. This improves our security posture in other ways, and makes it easier to detect nodes that are added to the cluster but cannot be accessed by clients. For either approach, it would be helpful to have a JMX call that allows operators to disconnect users by name, particularly for handling account takeover scenarios.
Periodic disconnection would be useful for a few other reasons: - When using mTLS, clients with short-lived certificates that don't support live certificate reloading would be required to re-authenticate periodically - Security requirements that clients re-authenticate periodically, rather that depending on bounce schedules to enforce that
aratno
commented
Nov 22, 2024
| @@ -301,6 +306,7 @@ public void dropRole(AuthenticatedUser performer, RoleResource role) throws Requ | |||
| consistencyForRoleWrite(role.getRoleName())); | |||
| removeAllMembers(role.getRoleName()); | |||
| removeAllIdentitiesOfRole(role.getRoleName()); | |||
| disconnect(role); | |||
There was a problem hiding this comment.
I think I'll remove ALTER-coordinator disconnects here, seems better to have all disconnects happen on the jitter schedule (particularly for smaller clusters)
…sable invalid role disconnect, null handling
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.