Posted to user@cassandra.apache.org by oleg yusim <ol...@gmail.com> on 2016/01/28 23:18:32 UTC

Session timeout

Greetings,

Does Cassandra support session timeout? If so, where can I find this
configuration switch? If not, what kind of hook can I use to write my own
code, terminating session in so many seconds of inactivity?

Thanks,

Oleg

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Jack,

I updated my document with all the security gaps I was able to discover
(see the second table, below the first one). I also moved the document to
Google Docs from Word doc, shared on Google Drive, following Matt's
suggestion.

Please, see the updated link:
https://docs.google.com/document/d/13-yu-1a0MMkBiJFPNkYoTd1Hzed9tgKltWi6hFLZbsk/edit?usp=sharing

Thanks,

Oleg

On Thu, Feb 11, 2016 at 3:52 PM, oleg yusim <ol...@gmail.com> wrote:

> Jack,
>
> This document doesn't cover all the areas where user will need to get
> engaged in explicit mitigation, it only covers those, I wasn't sure about.
> But - you are making a good point here. Let me update the document with the
> rest of the gaps, so community would have a complete list here.
>
> Thanks,
>
> Oleg
>
> On Thu, Feb 11, 2016 at 3:38 PM, Jack Krupansky <ja...@gmail.com>
> wrote:
>
>> Thanks! A useful contribution, no matter what the outcome. I trust your
>> ability to read of the doc, so I don't expect a lot of change to the
>> responses, but we'll see. At a minimum, it will probably be good to have
>> doc to highlight areas where users will need to engage in explicit
>> mitigation efforts if their infrastructure does not implicitly effect
>> mitigation for various security exposures.
>>
>> -- Jack Krupansky
>>
>> On Thu, Feb 11, 2016 at 3:21 PM, oleg yusim <ol...@gmail.com> wrote:
>>
>>> Robert, Jack, Bryan,
>>>
>>> As you suggested, I put together document, titled
>>> Cassandra_Security_Topics_to_Discuss, put it on Google Drive and shared it
>>> with everybody on this list. The document contains list of questions I have
>>> on Cassandra, my take on it, and has a place for notes Community would like
>>> to make on it.
>>>
>>> Please, review. Any help would be appreciated greatly.
>>>
>>> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 6:30 PM, Bryan Cheng <br...@blockcypher.com>
>>> wrote:
>>>
>>>> To throw my (unsolicited) 2 cents into the ring, Oleg, you work for a
>>>> well-funded and fairly large company. You are certainly free to continue
>>>> using the list and asking for community support (I am definitely not in any
>>>> position to tell you otherwise, anyway), but that community support is by
>>>> definition ad-hoc and best effort. Furthermore, your questions range from
>>>> trivial to, as Jonathan has mentioned earlier, concepts that many of us have
>>>> no reason to consider at this time (perhaps your work will convince us
>>>> otherwise- but you'll need to finish it first ;) )
>>>>
>>>> What I'm getting at here is that perhaps, if you need faster, deeper
>>>> level, and more elaborate support than this list can provide, you should
>>>> look into the services of a paid Cassandra support company like Datastax.
>>>>
>>>> On Fri, Jan 29, 2016 at 3:34 PM, Robert Coli <rc...@eventbrite.com>
>>>> wrote:
>>>>
>>>>> On Fri, Jan 29, 2016 at 3:12 PM, Jack Krupansky <
>>>>> jack.krupansky@gmail.com> wrote:
>>>>>
>>>>>> One last time, I'll simply renew my objection to the way you are
>>>>>> abusing this list.
>>>>>>
>>>>>
>>>>> FWIW, while I appreciate that OP (Oleg) is attempting to do a service
>>>>> for the community, I agree that the flood of single topic, context-lacking
>>>>> posts regarding deep internals of Cassandra is likely to inspire the
>>>>> opposite of a helpful response.
>>>>>
>>>>> This is important work, however, so hopefully we can collectively find
>>>>> a way through the meta and can discuss this topic without acrimony! :D
>>>>>
>>>>> =Rob
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Jack,

This document doesn't cover all the areas where user will need to get
engaged in explicit mitigation, it only covers those, I wasn't sure about.
But - you are making a good point here. Let me update the document with the
rest of the gaps, so community would have a complete list here.

Thanks,

Oleg

On Thu, Feb 11, 2016 at 3:38 PM, Jack Krupansky <ja...@gmail.com>
wrote:

> Thanks! A useful contribution, no matter what the outcome. I trust your
> ability to read of the doc, so I don't expect a lot of change to the
> responses, but we'll see. At a minimum, it will probably be good to have
> doc to highlight areas where users will need to engage in explicit
> mitigation efforts if their infrastructure does not implicitly effect
> mitigation for various security exposures.
>
> -- Jack Krupansky
>
> On Thu, Feb 11, 2016 at 3:21 PM, oleg yusim <ol...@gmail.com> wrote:
>
>> Robert, Jack, Bryan,
>>
>> As you suggested, I put together document, titled
>> Cassandra_Security_Topics_to_Discuss, put it on Google Drive and shared it
>> with everybody on this list. The document contains list of questions I have
>> on Cassandra, my take on it, and has a place for notes Community would like
>> to make on it.
>>
>> Please, review. Any help would be appreciated greatly.
>>
>> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM
>>
>> Oleg
>>
>> On Fri, Jan 29, 2016 at 6:30 PM, Bryan Cheng <br...@blockcypher.com>
>> wrote:
>>
>>> To throw my (unsolicited) 2 cents into the ring, Oleg, you work for a
>>> well-funded and fairly large company. You are certainly free to continue
>>> using the list and asking for community support (I am definitely not in any
>>> position to tell you otherwise, anyway), but that community support is by
>>> definition ad-hoc and best effort. Furthermore, your questions range from
>>> trivial to, as Jonathan has mentioned earlier, concepts that many of us have
>>> no reason to consider at this time (perhaps your work will convince us
>>> otherwise- but you'll need to finish it first ;) )
>>>
>>> What I'm getting at here is that perhaps, if you need faster, deeper
>>> level, and more elaborate support than this list can provide, you should
>>> look into the services of a paid Cassandra support company like Datastax.
>>>
>>> On Fri, Jan 29, 2016 at 3:34 PM, Robert Coli <rc...@eventbrite.com>
>>> wrote:
>>>
>>>> On Fri, Jan 29, 2016 at 3:12 PM, Jack Krupansky <
>>>> jack.krupansky@gmail.com> wrote:
>>>>
>>>>> One last time, I'll simply renew my objection to the way you are
>>>>> abusing this list.
>>>>>
>>>>
>>>> FWIW, while I appreciate that OP (Oleg) is attempting to do a service
>>>> for the community, I agree that the flood of single topic, context-lacking
>>>> posts regarding deep internals of Cassandra is likely to inspire the
>>>> opposite of a helpful response.
>>>>
>>>> This is important work, however, so hopefully we can collectively find
>>>> a way through the meta and can discuss this topic without acrimony! :D
>>>>
>>>> =Rob
>>>>
>>>>
>>>
>>>
>>
>

Re: Session timeout

Posted by Jack Krupansky <ja...@gmail.com>.
Thanks! A useful contribution, no matter what the outcome. I trust your
ability to read of the doc, so I don't expect a lot of change to the
responses, but we'll see. At a minimum, it will probably be good to have
doc to highlight areas where users will need to engage in explicit
mitigation efforts if their infrastructure does not implicitly effect
mitigation for various security exposures.

-- Jack Krupansky

On Thu, Feb 11, 2016 at 3:21 PM, oleg yusim <ol...@gmail.com> wrote:

> Robert, Jack, Bryan,
>
> As you suggested, I put together document, titled
> Cassandra_Security_Topics_to_Discuss, put it on Google Drive and shared it
> with everybody on this list. The document contains list of questions I have
> on Cassandra, my take on it, and has a place for notes Community would like
> to make on it.
>
> Please, review. Any help would be appreciated greatly.
>
> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM
>
> Oleg
>
> On Fri, Jan 29, 2016 at 6:30 PM, Bryan Cheng <br...@blockcypher.com>
> wrote:
>
>> To throw my (unsolicited) 2 cents into the ring, Oleg, you work for a
>> well-funded and fairly large company. You are certainly free to continue
>> using the list and asking for community support (I am definitely not in any
>> position to tell you otherwise, anyway), but that community support is by
>> definition ad-hoc and best effort. Furthermore, your questions range from
>> trivial to, as Jonathan has mentioned earlier, concepts that many of us have
>> no reason to consider at this time (perhaps your work will convince us
>> otherwise- but you'll need to finish it first ;) )
>>
>> What I'm getting at here is that perhaps, if you need faster, deeper
>> level, and more elaborate support than this list can provide, you should
>> look into the services of a paid Cassandra support company like Datastax.
>>
>> On Fri, Jan 29, 2016 at 3:34 PM, Robert Coli <rc...@eventbrite.com>
>> wrote:
>>
>>> On Fri, Jan 29, 2016 at 3:12 PM, Jack Krupansky <
>>> jack.krupansky@gmail.com> wrote:
>>>
>>>> One last time, I'll simply renew my objection to the way you are
>>>> abusing this list.
>>>>
>>>
>>> FWIW, while I appreciate that OP (Oleg) is attempting to do a service
>>> for the community, I agree that the flood of single topic, context-lacking
>>> posts regarding deep internals of Cassandra is likely to inspire the
>>> opposite of a helpful response.
>>>
>>> This is important work, however, so hopefully we can collectively find a
>>> way through the meta and can discuss this topic without acrimony! :D
>>>
>>> =Rob
>>>
>>>
>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Robert, Jack, Bryan,

As you suggested, I put together document, titled
Cassandra_Security_Topics_to_Discuss, put it on Google Drive and shared it
with everybody on this list. The document contains list of questions I have
on Cassandra, my take on it, and has a place for notes Community would like
to make on it.

Please, review. Any help would be appreciated greatly.

https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM

Oleg

On Fri, Jan 29, 2016 at 6:30 PM, Bryan Cheng <br...@blockcypher.com> wrote:

> To throw my (unsolicited) 2 cents into the ring, Oleg, you work for a
> well-funded and fairly large company. You are certainly free to continue
> using the list and asking for community support (I am definitely not in any
> position to tell you otherwise, anyway), but that community support is by
> definition ad-hoc and best effort. Furthermore, your questions range from
> trivial to, as Jonathan has mentioned earlier, concepts that many of us have
> no reason to consider at this time (perhaps your work will convince us
> otherwise- but you'll need to finish it first ;) )
>
> What I'm getting at here is that perhaps, if you need faster, deeper
> level, and more elaborate support than this list can provide, you should
> look into the services of a paid Cassandra support company like Datastax.
>
> On Fri, Jan 29, 2016 at 3:34 PM, Robert Coli <rc...@eventbrite.com> wrote:
>
>> On Fri, Jan 29, 2016 at 3:12 PM, Jack Krupansky <jack.krupansky@gmail.com
>> > wrote:
>>
>>> One last time, I'll simply renew my objection to the way you are abusing
>>> this list.
>>>
>>
>> FWIW, while I appreciate that OP (Oleg) is attempting to do a service for
>> the community, I agree that the flood of single topic, context-lacking
>> posts regarding deep internals of Cassandra is likely to inspire the
>> opposite of a helpful response.
>>
>> This is important work, however, so hopefully we can collectively find a
>> way through the meta and can discuss this topic without acrimony! :D
>>
>> =Rob
>>
>>
>
>

Re: Session timeout

Posted by Bryan Cheng <br...@blockcypher.com>.
To throw my (unsolicited) 2 cents into the ring, Oleg, you work for a
well-funded and fairly large company. You are certainly free to continue
using the list and asking for community support (I am definitely not in any
position to tell you otherwise, anyway), but that community support is by
definition ad-hoc and best effort. Furthermore, your questions range from
trivial to, as Jonathan has mentioned earlier, concepts that many of us have
no reason to consider at this time (perhaps your work will convince us
otherwise- but you'll need to finish it first ;) )

What I'm getting at here is that perhaps, if you need faster, deeper level,
and more elaborate support than this list can provide, you should look into
the services of a paid Cassandra support company like Datastax.

On Fri, Jan 29, 2016 at 3:34 PM, Robert Coli <rc...@eventbrite.com> wrote:

> On Fri, Jan 29, 2016 at 3:12 PM, Jack Krupansky <ja...@gmail.com>
> wrote:
>
>> One last time, I'll simply renew my objection to the way you are abusing
>> this list.
>>
>
> FWIW, while I appreciate that OP (Oleg) is attempting to do a service for
> the community, I agree that the flood of single topic, context-lacking
> posts regarding deep internals of Cassandra is likely to inspire the
> opposite of a helpful response.
>
> This is important work, however, so hopefully we can collectively find a
> way through the meta and can discuss this topic without acrimony! :D
>
> =Rob
>
>

Re: Session timeout

Posted by Robert Coli <rc...@eventbrite.com>.
On Fri, Jan 29, 2016 at 3:12 PM, Jack Krupansky <ja...@gmail.com>
wrote:

> One last time, I'll simply renew my objection to the way you are abusing
> this list.
>

FWIW, while I appreciate that OP (Oleg) is attempting to do a service for
the community, I agree that the flood of single topic, context-lacking
posts regarding deep internals of Cassandra is likely to inspire the
opposite of a helpful response.

This is important work, however, so hopefully we can collectively find a
way through the meta and can discuss this topic without acrimony! :D

=Rob

Re: Session timeout

Posted by Jack Krupansky <ja...@gmail.com>.
One last time, I'll simply renew my objection to the way you are abusing
this list. You'll hear no further reply from me and I will begin marking
any more of your excessive inquiries as spam. If others in the community
wish to do your security review for you one item at a time, that is their
prerogative and I'll respect their wishes. My suggestion for a superior
approach to getting feedback for your review still stands and requires no
further efforts from me at this stage.

-- Jack Krupansky

On Fri, Jan 29, 2016 at 5:50 PM, oleg yusim <ol...@gmail.com> wrote:

> Jack,
>
> I have to note, Cassandra documentation the way it stays now, is not
> nearly detailed enough. For instance:
> https://docs.datastax.com/en/cassandra/2.1/cassandra/configuration/configLoggingLevels_r.html
> is all Cassandra has to say about logging. The reason why I bring my
> questions to the mailing list is, once again, I can't make security
> recommendations which would be followed across US, based on the lack of
> information. It is really not that difficult to confirm that such feature
> is not present.
>
> Besides, questions I ask might give some implementations ideas. Even from
> that particular discussion one has been raised already.
> https://issues.apache.org/jira/browse/CASSANDRA-11097 With that in mind,
> would you please be able to respond with definitive answers to questions I
> raised here? My assumption, answer would be "not supported" for all 5 not
> yet answered, but I need a confirmation from community.
>
> Thanks,
>
> Oleg
>
> On Fri, Jan 29, 2016 at 4:34 PM, Jack Krupansky <ja...@gmail.com>
> wrote:
>
>> No offense, but my suggestion here is that you write up a preliminary
>> list of your own answers based on your own reading of the doc, specs, and
>> white papers (and source code) and post that list, like on Google Docs, for
>> people to review in bulk, rather than force all Cassandra users on this
>> list to participate in a full security review one item at a time. To
>> reiterate, you should be treating the doc as the definitive guide to what
>> is supported - given the importance that the Cassandra and DSE developers
>> placed on security features over the past couple of years, it really is
>> truly safe to say that if it isn't in the doc then it is definitively not
>> supported. Yes, it would be good to review your final list as a courtesy
>> check, but asking us to confirm what appears to be obvious (i.e., it is not
>> in the doc) seems more than a bit excessive to me.
>>
>> If there is any true confusion in the doc, of course let us know (or
>> email to docs@datastax.com), but there is no need for us to confirm that
>> you did not find something in the doc.
>>
>> -- Jack Krupansky
>>
>> On Fri, Jan 29, 2016 at 5:02 PM, oleg yusim <ol...@gmail.com> wrote:
>>
>>> Jack,
>>>
>>> Appreciate the links. As I mentioned, I looked over both DSE and
>>> Cassandra sets of documentation, and ran some experiments on my Cassandra
>>> installation. What I'm bringing here is something I couldn't find
>>> definitive answer for in any of the above-mentioned sources.
>>>
>>> For instance, regarding logging, here are questions I have:
>>>
>>> 1)  Identity-based logging (we investigated it in another thread and I
>>> got "not supported" as an answer)
>>> 2)  Logging source and destinations (server and client IP)
>>> 3)  Logging connections and disconnections - same
>>> 4)  Logging hostname
>>> 5)  Ability to automatically shut down in case if it ran out of space
>>> to store logs?
>>> 6)  Ability to automatically overwrite audit logs in case if no more
>>> space is available (oldest first) ?
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 3:47 PM, Jack Krupansky <
>>> jack.krupansky@gmail.com> wrote:
>>>
>>>> There is some more detail on DSE Security in this white paper:
>>>>
>>>> http://www.datastax.com/wp-content/uploads/2014/04/WP-DataStax-Enterprise-SOX-Compliance.pdf
>>>>
>>>> It mentions auditing, for example. I think you were asking about that
>>>> earlier.
>>>>
>>>> There may be some additional info or discussion related to security on
>>>> these main web site pages:
>>>> http://www.datastax.com/products/datastax-enterprise-security
>>>>
>>>> Security was given a reasonably high priority for DSE in releases 3.0
>>>> and beyond, so that if something is not highlighted in those promotional
>>>> materials, then it probably isn't in the software.
>>>>
>>>> In general, if you see a feature in DSE, just do a keyword search in
>>>> the Cassandra doc to see if it is supported outside of DSE.
>>>>
>>>> -- Jack Krupansky
>>>>
>>>> On Fri, Jan 29, 2016 at 4:23 PM, oleg yusim <ol...@gmail.com>
>>>> wrote:
>>>>
>>>>> Alex,
>>>>>
>>>>> No offense is taken, your question is absolutely legit. As we used to
>>>>> joke in security world "putting on my black hat"/"putting on my white hat"
>>>>> - i.e. same set of questions I would be asking for hacking and protecting
>>>>> the product. So, I commend you for being careful here.
>>>>>
>>>>> Now, at that particular case I'm acting with my "white hat on". :) I'm
>>>>> hired by VMware, to help them improve security posture for their new
>>>>> products (vRealize package). I do that as part of the security team on
>>>>> VMware side, and working in conjunction with DISA (
>>>>> http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I
>>>>> explained this term in details in this same thread above, in my response to
>>>>> Jon, so I wouldn't repeat myself here) for all the components vRealize
>>>>> suite of products has, including Cassandra, which is used in one of the
>>>>> products. These STIGs would be handed over to DISA, reviewed by their SMEs
>>>>> and published on their website, creating great opportunity for all the
>>>>> products covered to improve their security posture and advance on a market
>>>>> for free.
>>>>>
>>>>> For VMware purposes, we would harden our suite of products, based on
>>>>> STIGs, and create own overall Security Guideline, riding on top of STIGs.
>>>>>
>>>>> As I mentioned above, for both Cassandra and DSE, equally, this
>>>>> document would be very beneficial, since it would enable customers and help
>>>>> them to run hardening on the product and place it right on the system,
>>>>> surrounded by the correct set of compensation controls.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Oleg
>>>>>
>>>>> On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <al...@datastax.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <ol...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Thanks for encouraging me, I kind of grew a bit desperate. I'm
>>>>>>> security person, not a Cassandra expert, and doing security assessment of
>>>>>>> Cassandra DB, I have to rely on community heavily. I will put together a
>>>>>>> composed version of all my previous queries, will title it "Security
>>>>>>> assessment questions" and will post it once again.
>>>>>>
>>>>>>
>>>>>> Oleg,
>>>>>>
>>>>>> I'll apologize in advance if my answer will sound initially harsh.
>>>>>> I've been following your questions (mostly because I find them
>>>>>> interesting), but I've never jumped to answer any of them as I confess not
>>>>>> knowing the purpose of your research/report makes me cautious (e.g. are you
>>>>>> doing this for your current employer evaluating the future use of the
>>>>>> product? are you doing this for an analyst company? are you planning to
>>>>>> sell this report? etc. etc).
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bests,
>>>>>>
>>>>>> Alex Popescu | @al3xandru
>>>>>> Sen. Product Manager @ DataStax
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Jack,

I have to note, Cassandra documentation the way it stays now, is not nearly
detailed enough. For instance:
https://docs.datastax.com/en/cassandra/2.1/cassandra/configuration/configLoggingLevels_r.html
is all Cassandra has to say about logging. The reason why I bring my
questions to the mailing list is, once again, I can't make security
recommendations which would be followed across US, based on the lack of
information. It is really not that difficult to confirm that such feature
is not present.

Besides, questions I ask might give some implementations ideas. Even from
that particular discussion one has been raised already.
https://issues.apache.org/jira/browse/CASSANDRA-11097 With that in mind,
would you please be able to respond with definitive answers to questions I
raised here? My assumption, answer would be "not supported" for all 5 not
yet answered, but I need a confirmation from community.

Thanks,

Oleg

On Fri, Jan 29, 2016 at 4:34 PM, Jack Krupansky <ja...@gmail.com>
wrote:

> No offense, but my suggestion here is that you write up a preliminary list
> of your own answers based on your own reading of the doc, specs, and white
> papers (and source code) and post that list, like on Google Docs, for
> people to review in bulk, rather than force all Cassandra users on this
> list to participate in a full security review one item at a time. To
> reiterate, you should be treating the doc as the definitive guide to what
> is supported - given the importance that the Cassandra and DSE developers
> placed on security features over the past couple of years, it really is
> truly safe to say that if it isn't in the doc then it is definitively not
> supported. Yes, it would be good to review your final list as a courtesy
> check, but asking us to confirm what appears to be obvious (i.e., it is not
> in the doc) seems more than a bit excessive to me.
>
> If there is any true confusion in the doc, of course let us know (or email
> to docs@datastax.com), but there is no need for us to confirm that you
> did not find something in the doc.
>
> -- Jack Krupansky
>
> On Fri, Jan 29, 2016 at 5:02 PM, oleg yusim <ol...@gmail.com> wrote:
>
>> Jack,
>>
>> Appreciate the links. As I mentioned, I looked over both DSE and
>> Cassandra sets of documentation, and ran some experiments on my Cassandra
>> installation. What I'm bringing here is something I couldn't find
>> definitive answer for in any of the above-mentioned sources.
>>
>> For instance, regarding logging, here are questions I have:
>>
>> 1)  Identity-based logging (we investigated it in another thread and I
>> got "not supported" as an answer)
>> 2)  Logging source and destinations (server and client IP)
>> 3)  Logging connections and disconnections - same
>> 4)  Logging hostname
>> 5)  Ability to automatically shut down in case if it ran out of space to
>> store logs?
>> 6)  Ability to automatically overwrite audit logs in case if no more
>> space is available (oldest first) ?
>>
>> Thanks,
>>
>> Oleg
>>
>> On Fri, Jan 29, 2016 at 3:47 PM, Jack Krupansky <jack.krupansky@gmail.com
>> > wrote:
>>
>>> There is some more detail on DSE Security in this white paper:
>>>
>>> http://www.datastax.com/wp-content/uploads/2014/04/WP-DataStax-Enterprise-SOX-Compliance.pdf
>>>
>>> It mentions auditing, for example. I think you were asking about that
>>> earlier.
>>>
>>> There may be some additional info or discussion related to security on
>>> these main web site pages:
>>> http://www.datastax.com/products/datastax-enterprise-security
>>>
>>> Security was given a reasonably high priority for DSE in releases 3.0
>>> and beyond, so that if something is not highlighted in those promotional
>>> materials, then it probably isn't in the software.
>>>
>>> In general, if you see a feature in DSE, just do a keyword search in the
>>> Cassandra doc to see if it is supported outside of DSE.
>>>
>>> -- Jack Krupansky
>>>
>>> On Fri, Jan 29, 2016 at 4:23 PM, oleg yusim <ol...@gmail.com> wrote:
>>>
>>>> Alex,
>>>>
>>>> No offense is taken, your question is absolutely legit. As we used to
>>>> joke in security world "putting on my black hat"/"putting on my white hat"
>>>> - i.e. same set of questions I would be asking for hacking and protecting
>>>> the product. So, I commend you for being careful here.
>>>>
>>>> Now, at that particular case I'm acting with my "white hat on". :) I'm
>>>> hired by VMware, to help them improve security posture for their new
>>>> products (vRealize package). I do that as part of the security team on
>>>> VMware side, and working in conjunction with DISA (
>>>> http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I
>>>> explained this term in details in this same thread above, in my response to
>>>> Jon, so I wouldn't repeat myself here) for all the components vRealize
>>>> suite of products has, including Cassandra, which is used in one of the
>>>> products. These STIGs would be handed over to DISA, reviewed by their SMEs
>>>> and published on their website, creating great opportunity for all the
>>>> products covered to improve their security posture and advance on a market
>>>> for free.
>>>>
>>>> For VMware purposes, we would harden our suite of products, based on
>>>> STIGs, and create own overall Security Guideline, riding on top of STIGs.
>>>>
>>>> As I mentioned above, for both Cassandra and DSE, equally, this
>>>> document would be very beneficial, since it would enable customers and help
>>>> them to run hardening on the product and place it right on the system,
>>>> surrounded by the correct set of compensation controls.
>>>>
>>>> Thanks,
>>>>
>>>> Oleg
>>>>
>>>> On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <al...@datastax.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <ol...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Thanks for encouraging me, I kind of grew a bit desperate. I'm
>>>>>> security person, not a Cassandra expert, and doing security assessment of
>>>>>> Cassandra DB, I have to rely on community heavily. I will put together a
>>>>>> composed version of all my previous queries, will title it "Security
>>>>>> assessment questions" and will post it once again.
>>>>>
>>>>>
>>>>> Oleg,
>>>>>
>>>>> I'll apologize in advance if my answer will sound initially harsh.
>>>>> I've been following your questions (mostly because I find them
>>>>> interesting), but I've never jumped to answer any of them as I confess not
>>>>> knowing the purpose of your research/report makes me cautious (e.g. are you
>>>>> doing this for your current employer evaluating the future use of the
>>>>> product? are you doing this for an analyst company? are you planning to
>>>>> sell this report? etc. etc).
>>>>>
>>>>>
>>>>> --
>>>>> Bests,
>>>>>
>>>>> Alex Popescu | @al3xandru
>>>>> Sen. Product Manager @ DataStax
>>>>>
>>>>>
>>>>
>>>
>>
>

Re: Session timeout

Posted by Jack Krupansky <ja...@gmail.com>.
No offense, but my suggestion here is that you write up a preliminary list
of your own answers based on your own reading of the doc, specs, and white
papers (and source code) and post that list, like on Google Docs, for
people to review in bulk, rather than force all Cassandra users on this
list to participate in a full security review one item at a time. To
reiterate, you should be treating the doc as the definitive guide to what
is supported - given the importance that the Cassandra and DSE developers
placed on security features over the past couple of years, it really is
truly safe to say that if it isn't in the doc then it is definitively not
supported. Yes, it would be good to review your final list as a courtesy
check, but asking us to confirm what appears to be obvious (i.e., it is not
in the doc) seems more than a bit excessive to me.

If there is any true confusion in the doc, of course let us know (or email
to docs@datastax.com), but there is no need for us to confirm that you did
not find something in the doc.

-- Jack Krupansky

On Fri, Jan 29, 2016 at 5:02 PM, oleg yusim <ol...@gmail.com> wrote:

> Jack,
>
> Appreciate the links. As I mentioned, I looked over both DSE and Cassandra
> sets of documentation, and ran some experiments on my Cassandra
> installation. What I'm bringing here is something I couldn't find
> definitive answer for in any of the above-mentioned sources.
>
> For instance, regarding logging, here are questions I have:
>
> 1)  Identity-based logging (we investigated it in another thread and I got
> "not supported" as an answer)
> 2)  Logging source and destinations (server and client IP)
> 3)  Logging connections and disconnections - same
> 4)  Logging hostname
> 5)  Ability to automatically shut down in case if it ran out of space to
> store logs?
> 6)  Ability to automatically overwrite audit logs in case if no more space
> is available (oldest first) ?
>
> Thanks,
>
> Oleg
>
> On Fri, Jan 29, 2016 at 3:47 PM, Jack Krupansky <ja...@gmail.com>
> wrote:
>
>> There is some more detail on DSE Security in this white paper:
>>
>> http://www.datastax.com/wp-content/uploads/2014/04/WP-DataStax-Enterprise-SOX-Compliance.pdf
>>
>> It mentions auditing, for example. I think you were asking about that
>> earlier.
>>
>> There may be some additional info or discussion related to security on
>> these main web site pages:
>> http://www.datastax.com/products/datastax-enterprise-security
>>
>> Security was given a reasonably high priority for DSE in releases 3.0 and
>> beyond, so that if something is not highlighted in those promotional
>> materials, then it probably isn't in the software.
>>
>> In general, if you see a feature in DSE, just do a keyword search in the
>> Cassandra doc to see if it is supported outside of DSE.
>>
>> -- Jack Krupansky
>>
>> On Fri, Jan 29, 2016 at 4:23 PM, oleg yusim <ol...@gmail.com> wrote:
>>
>>> Alex,
>>>
>>> No offense is taken, your question is absolutely legit. As we used to
>>> joke in security world "putting on my black hat"/"putting on my white hat"
>>> - i.e. same set of questions I would be asking for hacking and protecting
>>> the product. So, I commend you for being careful here.
>>>
>>> Now, at that particular case I'm acting with my "white hat on". :) I'm
>>> hired by VMware, to help them improve security posture for their new
>>> products (vRealize package). I do that as part of the security team on
>>> VMware side, and working in conjunction with DISA (
>>> http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I
>>> explained this term in details in this same thread above, in my response to
>>> Jon, so I wouldn't repeat myself here) for all the components vRealize
>>> suite of products has, including Cassandra, which is used in one of the
>>> products. These STIGs would be handed over to DISA, reviewed by their SMEs
>>> and published on their website, creating great opportunity for all the
>>> products covered to improve their security posture and advance on a market
>>> for free.
>>>
>>> For VMware purposes, we would harden our suite of products, based on
>>> STIGs, and create own overall Security Guideline, riding on top of STIGs.
>>>
>>> As I mentioned above, for both Cassandra and DSE, equally, this document
>>> would be very beneficial, since it would enable customers and help them to
>>> run hardening on the product and place it right on the system, surrounded
>>> by the correct set of compensation controls.
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <al...@datastax.com>
>>> wrote:
>>>
>>>>
>>>> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <ol...@gmail.com>
>>>> wrote:
>>>>
>>>>> Thanks for encouraging me, I kind of grew a bit desperate. I'm
>>>>> security person, not a Cassandra expert, and doing security assessment of
>>>>> Cassandra DB, I have to rely on community heavily. I will put together a
>>>>> composed version of all my previous queries, will title it "Security
>>>>> assessment questions" and will post it once again.
>>>>
>>>>
>>>> Oleg,
>>>>
>>>> I'll apologize in advance if my answer will sound initially harsh. I've
>>>> been following your questions (mostly because I find them interesting), but
>>>> I've never jumped to answer any of them as I confess not knowing the
>>>> purpose of your research/report makes me cautious (e.g. are you doing this
>>>> for your current employer evaluating the future use of the product? are you
>>>> doing this for an analyst company? are you planning to sell this report?
>>>> etc. etc).
>>>>
>>>>
>>>> --
>>>> Bests,
>>>>
>>>> Alex Popescu | @al3xandru
>>>> Sen. Product Manager @ DataStax
>>>>
>>>>
>>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Jack,

Appreciate the links. As I mentioned, I looked over both DSE and Cassandra
sets of documentation, and ran some experiments on my Cassandra
installation. What I'm bringing here is something I couldn't find
definitive answer for in any of the above-mentioned sources.

For instance, regarding logging, here are questions I have:

1)  Identity-based logging (we investigated it in another thread and I got
"not supported" as an answer)
2)  Logging source and destinations (server and client IP)
3)  Logging connections and disconnections - same
4)  Logging hostname
5)  Ability to automatically shut down in case if it ran out of space to
store logs?
6)  Ability to automatically overwrite audit logs in case if no more space
is available (oldest first) ?

Thanks,

Oleg

On Fri, Jan 29, 2016 at 3:47 PM, Jack Krupansky <ja...@gmail.com>
wrote:

> There is some more detail on DSE Security in this white paper:
>
> http://www.datastax.com/wp-content/uploads/2014/04/WP-DataStax-Enterprise-SOX-Compliance.pdf
>
> It mentions auditing, for example. I think you were asking about that
> earlier.
>
> There may be some additional info or discussion related to security on
> these main web site pages:
> http://www.datastax.com/products/datastax-enterprise-security
>
> Security was given a reasonably high priority for DSE in releases 3.0 and
> beyond, so that if something is not highlighted in those promotional
> materials, then it probably isn't in the software.
>
> In general, if you see a feature in DSE, just do a keyword search in the
> Cassandra doc to see if it is supported outside of DSE.
>
> -- Jack Krupansky
>
> On Fri, Jan 29, 2016 at 4:23 PM, oleg yusim <ol...@gmail.com> wrote:
>
>> Alex,
>>
>> No offense taken, your question is absolutely legit. As we used to
>> joke in security world "putting on my black hat"/"putting on my white hat"
>> - i.e. same set of questions I would be asking for hacking and protecting
>> the product. So, I commend you for being careful here.
>>
>> Now, at that particular case I'm acting with my "white hat on". :) I'm
>> hired by VMware, to help them improve security posture for their new
>> products (vRealize package). I do that as part of the security team on
>> VMware side, and working in conjunction with DISA (
>> http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I
>> explained this term in details in this same thread above, in my response to
>> Jon, so I wouldn't repeat myself here) for all the components vRealize
>> suite of products has, including Cassandra, which is used in one of the
>> products. These STIGs would be handed over to DISA, reviewed by their SMEs
>> and published on their website, creating great opportunity for all the
>> products covered to improve their security posture and advance on a market
>> for free.
>>
>> For VMware purposes, we would harden our suite of products, based on
>> STIGs, and create own overall Security Guideline, riding on top of STIGs.
>>
>> As I mentioned above, for both Cassandra and DSE, equally, this document
>> would be very beneficial, since it would enable customers and help them to
>> run hardening on the product and place it right on the system, surrounded
>> by the correct set of compensation controls.
>>
>> Thanks,
>>
>> Oleg
>>
>> On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <al...@datastax.com> wrote:
>>
>>>
>>> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <ol...@gmail.com> wrote:
>>>
>>>> Thanks for encouraging me, I kind of grew a bit desperate. I'm security
>>>> person, not a Cassandra expert, and doing security assessment of Cassandra
>>>> DB, I have to rely on community heavily. I will put together a composed
>>>> version of all my previous queries, will title it "Security assessment
>>>> questions" and will post it once again.
>>>
>>>
>>> Oleg,
>>>
>>> I'll apologize in advance if my answer will sound initially harsh. I've
>>> been following your questions (mostly because I find them interesting), but
>>> I've never jumped to answer any of them as I confess not knowing the
>>> purpose of your research/report makes me cautious (e.g. are you doing this
>>> for your current employer evaluating the future use of the product? are you
>>> doing this for an analyst company? are you planning to sell this report?
>>> etc. etc).
>>>
>>>
>>> --
>>> Bests,
>>>
>>> Alex Popescu | @al3xandru
>>> Sen. Product Manager @ DataStax
>>>
>>>
>>
>

Re: Session timeout

Posted by Jack Krupansky <ja...@gmail.com>.
There is some more detail on DSE Security in this white paper:
http://www.datastax.com/wp-content/uploads/2014/04/WP-DataStax-Enterprise-SOX-Compliance.pdf

It mentions auditing, for example. I think you were asking about that
earlier.

There may be some additional info or discussion related to security on
these main web site pages:
http://www.datastax.com/products/datastax-enterprise-security

Security was given a reasonably high priority for DSE in releases 3.0 and
beyond, so that if something is not highlighted in those promotional
materials, then it probably isn't in the software.

In general, if you see a feature in DSE, just do a keyword search in the
Cassandra doc to see if it is supported outside of DSE.

-- Jack Krupansky

On Fri, Jan 29, 2016 at 4:23 PM, oleg yusim <ol...@gmail.com> wrote:

> Alex,
>
> No offense taken, your question is absolutely legit. As we used to
> joke in security world "putting on my black hat"/"putting on my white hat"
> - i.e. same set of questions I would be asking for hacking and protecting
> the product. So, I commend you for being careful here.
>
> Now, at that particular case I'm acting with my "white hat on". :) I'm
> hired by VMware, to help them improve security posture for their new
> products (vRealize package). I do that as part of the security team on
> VMware side, and working in conjunction with DISA (
> http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I
> explained this term in details in this same thread above, in my response to
> Jon, so I wouldn't repeat myself here) for all the components vRealize
> suite of products has, including Cassandra, which is used in one of the
> products. These STIGs would be handed over to DISA, reviewed by their SMEs
> and published on their website, creating great opportunity for all the
> products covered to improve their security posture and advance on a market
> for free.
>
> For VMware purposes, we would harden our suite of products, based on
> STIGs, and create own overall Security Guideline, riding on top of STIGs.
>
> As I mentioned above, for both Cassandra and DSE, equally, this document
> would be very beneficial, since it would enable customers and help them to
> run hardening on the product and place it right on the system, surrounded
> by the correct set of compensation controls.
>
> Thanks,
>
> Oleg
>
> On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <al...@datastax.com> wrote:
>
>>
>> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <ol...@gmail.com> wrote:
>>
>>> Thanks for encouraging me, I kind of grew a bit desperate. I'm security
>>> person, not a Cassandra expert, and doing security assessment of Cassandra
>>> DB, I have to rely on community heavily. I will put together a composed
>>> version of all my previous queries, will title it "Security assessment
>>> questions" and will post it once again.
>>
>>
>> Oleg,
>>
>> I'll apologize in advance if my answer will sound initially harsh. I've
>> been following your questions (mostly because I find them interesting), but
>> I've never jumped to answer any of them as I confess not knowing the
>> purpose of your research/report makes me cautious (e.g. are you doing this
>> for your current employer evaluating the future use of the product? are you
>> doing this for an analyst company? are you planning to sell this report?
>> etc. etc).
>>
>>
>> --
>> Bests,
>>
>> Alex Popescu | @al3xandru
>> Sen. Product Manager @ DataStax
>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Alex,

No offense taken, your question is absolutely legit. As we used to joke
in security world "putting on my black hat"/"putting on my white hat" -
i.e. same set of questions I would be asking for hacking and protecting the
product. So, I commend you for being careful here.

Now, at that particular case I'm acting with my "white hat on". :) I'm
hired by VMware, to help them improve security posture for their new
products (vRealize package). I do that as part of the security team on
VMware side, and working in conjunction with DISA (
http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I
explained this term in details in this same thread above, in my response to
Jon, so I wouldn't repeat myself here) for all the components vRealize
suite of products has, including Cassandra, which is used in one of the
products. These STIGs would be handed over to DISA, reviewed by their SMEs
and published on their website, creating great opportunity for all the
products covered to improve their security posture and advance on a market
for free.

For VMware purposes, we would harden our suite of products, based on STIGs,
and create own overall Security Guideline, riding on top of STIGs.

As I mentioned above, for both Cassandra and DSE, equally, this document
would be very beneficial, since it would enable customers and help them to
run hardening on the product and place it right on the system, surrounded
by the correct set of compensation controls.

Thanks,

Oleg

On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <al...@datastax.com> wrote:

>
> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <ol...@gmail.com> wrote:
>
>> Thanks for encouraging me, I kind of grew a bit desperate. I'm security
>> person, not a Cassandra expert, and doing security assessment of Cassandra
>> DB, I have to rely on community heavily. I will put together a composed
>> version of all my previous queries, will title it "Security assessment
>> questions" and will post it once again.
>
>
> Oleg,
>
> I'll apologize in advance if my answer will sound initially harsh. I've
> been following your questions (mostly because I find them interesting), but
> I've never jumped to answer any of them as I confess not knowing the
> purpose of your research/report makes me cautious (e.g. are you doing this
> for your current employer evaluating the future use of the product? are you
> doing this for an analyst company? are you planning to sell this report?
> etc. etc).
>
>
> --
> Bests,
>
> Alex Popescu | @al3xandru
> Sen. Product Manager @ DataStax
>
>

Re: Session timeout

Posted by Alex Popescu <al...@datastax.com>.
On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <ol...@gmail.com> wrote:

> Thanks for encouraging me, I kind of grew a bit desperate. I'm security
> person, not a Cassandra expert, and doing security assessment of Cassandra
> DB, I have to rely on community heavily. I will put together a composed
> version of all my previous queries, will title it "Security assessment
> questions" and will post it once again.


Oleg,

I'll apologize in advance if my answer will sound initially harsh. I've
been following your questions (mostly because I find them interesting), but
I've never jumped to answer any of them as I confess not knowing the
purpose of your research/report makes me cautious (e.g. are you doing this
for your current employer evaluating the future use of the product? are you
doing this for an analyst company? are you planning to sell this report?
etc. etc).


-- 
Bests,

Alex Popescu | @al3xandru
Sen. Product Manager @ DataStax

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Hi Carlos,

Thanks for encouraging me, I kind of grew a bit desperate. I'm security
person, not a Cassandra expert, and doing security assessment of Cassandra
DB, I have to rely on community heavily. I will put together a composed
version of all my previous queries, will title it "Security assessment
questions" and will post it once again.

As per the session timeout, my understanding, Cassandra currently doesn't
support it. I didn't find any mention of it in documentation. Also, I just
ran simple experiment on my installation (version 2.1.8, default settings):
I opened two ssh sessions on my Linux server, hosting Cassandra DB. On one,
I entered cqlsh, another was just left as is. Then I stepped away from
computer and went for breakfast. Now here are the results: first session
with cqlsh still sits there, 50 minutes into it. Second was terminated in
15 minutes (ssh session timeout).

As per the mailing list, a little housekeeping suggestion if I may. Right
now our mailing list allows to reply to user@cassandra.apache.org. That
leads to a situation, when all the emails are getting filtered to the same
folder at the recipients end (I have it setup such way, I'm sure everybody
else have similar setup too). If we will introduce "Reply to All" option,
which would allow to reply not only to mailing list, but to personal email
addresses of guys, involved into this particular conversation, those emails
would bypass filters and would end up in our personal emails space in
Inbox. This way we would help correspondents, engaged into the conversation
to notice those emails easily, understand that those are targeted to them
and stay engaged in the conversation, until the issue would be resolved one
way or another.

Thanks,

Oleg



On Fri, Jan 29, 2016 at 8:27 AM, Carlos Alonso <in...@mrcalonso.com> wrote:

> I've been in this community and mailing list quite a while now and it's
> hard to find questions without answer. There are lots of good experts
> willing to help here. If you don't see your question answered I'd advise you
> to send it again, because it's also true that the mailing list has quite a
> lot of activity and it's easy sometimes to miss emails.
>
> About this session timeout thing, could you please reply to this thread if
> you find a solution? I'm curious about it.
>
> Cheers!
>
> Carlos Alonso | Software Engineer | @calonso <https://twitter.com/calonso>
>
> On 29 January 2016 at 14:19, oleg yusim <ol...@gmail.com> wrote:
>
>> Not a problem, Carlos, at least you tried :) I have overall a big problem
>> with my queries to Cassandra community. Most of them are not getting
>> answered.
>>
>> Oleg
>>
>> On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso <in...@mrcalonso.com>
>> wrote:
>>
>>> Oh, I thought you meant read/write timeout, not session timeout due to
>>> inactivity...
>>>
>>> Not sure there's such option. Sorry
>>>
>>> Carlos Alonso | Software Engineer | @calonso
>>> <https://twitter.com/calonso>
>>>
>>> On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:
>>>
>>>> Carlos,
>>>>
>>>> I went through Java and Python drivers... didn't find anything like
>>>> that. Can you bring me example from your Ruby driver? Let me also make sure
>>>> we are on the same page - I'm talking about session timeout due to
>>>> inactivity, not read timeout or something like that.
>>>>
>>>> Thanks,
>>>>
>>>> Oleg
>>>>
>>>> On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com>
>>>> wrote:
>>>>
>>>>> I personally don't use the Java but the Ruby driver, but I'm pretty
>>>>> sure you'll be able to find it in the docs:
>>>>> https://github.com/datastax/java-driver
>>>>>
>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>> <https://twitter.com/calonso>
>>>>>
>>>>> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>>>>>
>>>>>> Hi Carlos,
>>>>>>
>>>>>> Thanks for your answer. Can you, please, get me a bit more information?
>>>>>> What is the driver? JDBC? What is the name of configuration file?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Oleg
>>>>>>
>>>>>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Oleg.
>>>>>>>
>>>>>>> The drivers have builtin the timeout configurable functionality.
>>>>>>>
>>>>>>> Hope it helps.
>>>>>>>
>>>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>>>> <https://twitter.com/calonso>
>>>>>>>
>>>>>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Greetings,
>>>>>>>>
>>>>>>>> Does Cassandra support session timeout? If so, where can I find
>>>>>>>> this configuration switch? If not, what kind of hook I can use to write my
>>>>>>>> own code, terminating session in so many seconds of inactivity?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Oleg
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
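
Oleg's experiment above (cqlsh still connected after 50 minutes, while the ssh session timed out at 15) and his original question about a hook for ending a session after inactivity suggest a client-side compensating control. The sketch below is an added example, not code from this thread or from the Cassandra project: it wraps any object exposing execute() and shutdown(), as the DataStax Python driver's Session does. IdleTimeoutSession, SessionExpired, FakeSession and FakeClock are hypothetical names, and the 900-second limit is an assumption mirroring the 15-minute ssh timeout.

```python
import threading
import time


class SessionExpired(Exception):
    """Raised when a query is attempted on a session closed for inactivity."""


class IdleTimeoutSession:
    """Shuts the wrapped session down after idle_seconds without a query."""

    def __init__(self, session, idle_seconds, clock=time.monotonic, audit=None):
        self._session = session
        self._idle_seconds = idle_seconds
        self._clock = clock                      # injectable for testing
        self._audit = audit or (lambda event, idle: None)
        self._lock = threading.Lock()
        self._last_activity = clock()
        self._in_flight = 0                      # running queries are not "idle"
        self._expired = False
        self._stop = threading.Event()

    def execute(self, *args, **kwargs):
        with self._lock:
            # Catch the case where the user returns before the watchdog ran.
            self._expire_if_idle_locked()
            if self._expired:
                raise SessionExpired("session closed after inactivity; reconnect")
            self._in_flight += 1
        try:
            return self._session.execute(*args, **kwargs)
        finally:
            with self._lock:
                self._in_flight -= 1
                self._last_activity = self._clock()

    def check_idle(self):
        """Expire the session if it has been idle too long; True once expired."""
        with self._lock:
            self._expire_if_idle_locked()
            return self._expired

    def _expire_if_idle_locked(self):
        if self._expired or self._in_flight:
            return
        idle = self._clock() - self._last_activity
        if idle >= self._idle_seconds:
            self._expired = True
            self._session.shutdown()
            # Record the forced disconnect so it shows up in an audit trail.
            self._audit("idle_timeout", idle)

    def start_watchdog(self, interval=1.0):
        """Poll check_idle() from a daemon thread until expiry or close()."""
        def loop():
            while not self._stop.wait(interval):
                if self.check_idle():
                    return
        thread = threading.Thread(target=loop, daemon=True)
        thread.start()
        return thread

    def close(self):
        self._stop.set()
        with self._lock:
            if not self._expired:
                self._expired = True
                self._session.shutdown()


class FakeClock:
    """Constructed test clock: time only moves when the test sets .now."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class FakeSession:
    """Constructed stand-in for a driver session (execute/shutdown only)."""

    def __init__(self):
        self.closed = False
        self.queries = []

    def execute(self, query, *args, **kwargs):
        self.queries.append(query)
        return "ok"

    def shutdown(self):
        self.closed = True
```

This only covers clients that go through the wrapper; it does not make the server drop an idle connection opened some other way.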

Re: Session timeout

Posted by Carlos Alonso <in...@mrcalonso.com>.
I've been in this community and mailing list quite a while now and it's
hard to find questions without answer. There are lots of good experts
willing to help here. If you don't see your question answered I'd advise you
to send it again, because it's also true that the mailing list has quite a
lot of activity and it's easy sometimes to miss emails.

About this session timeout thing, could you please reply to this thread if
you find a solution? I'm curious about it.

Cheers!

Carlos Alonso | Software Engineer | @calonso <https://twitter.com/calonso>

On 29 January 2016 at 14:19, oleg yusim <ol...@gmail.com> wrote:

> Not a problem, Carlos, at least you tried :) I have overall a big problem
> with my queries to Cassandra community. Most of them are not getting
> answered.
>
> Oleg
>
> On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso <in...@mrcalonso.com> wrote:
>
>> Oh, I thought you meant read/write timeout, not session timeout due to
>> inactivity...
>>
>> Not sure there's such option. Sorry
>>
>> Carlos Alonso | Software Engineer | @calonso
>> <https://twitter.com/calonso>
>>
>> On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:
>>
>>> Carlos,
>>>
>>> I went through Java and Python drivers... didn't find anything like
>>> that. Can you bring me example from your Ruby driver? Let me also make sure
>>> we are on the same page - I'm talking about session timeout due to
>>> inactivity, not read timeout or something like that.
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com>
>>> wrote:
>>>
>>>> I personally don't use the Java but the Ruby driver, but I'm pretty
>>>> sure you'll be able to find it in the docs:
>>>> https://github.com/datastax/java-driver
>>>>
>>>> Carlos Alonso | Software Engineer | @calonso
>>>> <https://twitter.com/calonso>
>>>>
>>>> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>>>>
>>>>> Hi Carlos,
>>>>>
>>>>> Thanks for your answer. Can you, please, get me a bit more information?
>>>>> What is the driver? JDBC? What is the name of configuration file?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Oleg
>>>>>
>>>>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Oleg.
>>>>>>
>>>>>> The drivers have builtin the timeout configurable functionality.
>>>>>>
>>>>>> Hope it helps.
>>>>>>
>>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>>> <https://twitter.com/calonso>
>>>>>>
>>>>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>>>>>>
>>>>>>> Greetings,
>>>>>>>
>>>>>>> Does Cassandra support session timeout? If so, where can I find this
>>>>>>> configuration switch? If not, what kind of hook I can use to write my own
>>>>>>> code, terminating session in so many seconds of inactivity?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Oleg
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Jeff,

Understood. Thanks for your response. I would put together my questions in
one thread here, will title it "Security". Then I will move whatever was
not answered to the dev thread.

Thanks,

Oleg

On Fri, Jan 29, 2016 at 11:42 AM, Jeff Jirsa <je...@crowdstrike.com>
wrote:

>
> > For instance, way AAA (authentication, authorization, audit) is done,
> doesn't allow for centralized account and access control management, which
> in reality translates into shared accounts and no hierarchy.
>
> Authentication and Authorization are both pluggable. Any organization can
> write their own, and tie it to any AAA system they currently have. If they
> were feeling generous, they could open source it for the community, and
> perhaps bring it upstream. There’s nothing fundamentally preventing your
> organization from writing an Authenticator (
> https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/IAuthenticator.java )
> or Authorizer (
> https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/IAuthorizer.java )
> if they were so inclined.
>
> Audit is something that’s being actively discussed (
> https://issues.apache.org/jira/browse/CASSANDRA-8844 ).
>
> It’s an open source project with a very small number of commercial
> vendors. In general, that means there are 3 options:
>
>    1. Wait for someone else to write it to fit their need, and hopefully
>    they open source it.
>    2. Write it yourself
>    3. Pay a vendor (such as DataStax), and let them know in advance it’s
>    a requirement to get it on their roadmap. This is really #2 with some
>    polish to make it easier to get through your legal/AP systems.
>
> > So far it doesn't work quite well, and from what you are saying, it
> wouldn't, because of lack of knowledge and lack of motivation to get it.
> What would be your suggestion? Who is capable of answering my questions? Is
> there another community, I should turn to?
>
> The cassandra-user and cassandra-dev mailing lists are the primary sources
> of knowledge outside of support contracts. For paid support, companies like
> DataStax and The Last Pickle tend to be well respected options. Both of
> those companies will probably answer some of your questions for free if you
> post on these mailing lists. They’ll likely answer even more if you pay
> them.
>
>
>
> From: oleg yusim
> Reply-To: "user@cassandra.apache.org"
> Date: Friday, January 29, 2016 at 9:16 AM
> To: "user@cassandra.apache.org"
> Subject: Re: Session timeout
>
> Jon,
>
> I suspected something like that. I did a bit of learning on Cassandra
> before starting my assessment, and I understand that you are right, and it
> is generally not used like that.
>
> However (taking off my developer hat and putting on my security architect
> hat), from the security point of view the way Cassandra is used now is not
> very secure. For instance, way AAA (authentication, authorization, audit)
> is done, doesn't allow for centralized account and access control
> management, which in reality translates into shared accounts and no
> hierarchy. That in turn translates into situation when one person
> compromising credentials means complete disaster - administrative access to
> DB was just given up, with all the consequences. To top it all logging
> currently implemented in horrible manner too. It doesn't even allow to log
> username - basic requirement for any product, which would allow DBA or ISSO
> to figure out who did what on DB and recover in case of attack or crash. In
> general, logs the way they are today are targeted toward developer, making
> changes in DB, not toward the DBA, using it, and doesn't make much sense in
> my opinion.
>
> Now if you are interested in that subject, that document:
> http://iasecontent.disa.mil/stigs/zip/Jan2016/U_Database_V2R3_SRG.zip
> covers security concerns which should be taken in the account, when we are
> designing database. It also explains why each of them is important and what
> exactly would happen if it would be neglected.
>
> Jon, I would also appreciate suggestion. What I do right now is called
> "writing a STIG". That is when somebody takes concepts from SRG (the
> document I gave you link to above) and figures out how those are applied to
> that particular product. What is met (and what configuration on product
> leads to it, exactly), what is not met, but can be with little enhancement
> (and again - what those would be exactly), and what is not met and can't be
> met at current design. All that is combined into one document, called STIG
> and published by government (DISA) on
> http://iase.disa.mil/stigs/Pages/a-z.aspx page. Those STIGs mean a great
> deal from the security point of view because they:
>
>    - Allow to save a lot of time on re-assessment of the product every
>    single time
>    - Allow to know what the product's limitations are from the
>    security point of view beforehand (and as such, place it right on the
>    system, implementing all right compensation controls around it)
>    - Allow to automate, both configuration checks from the security point
>    of view and hardening of the product
>    - Give product pass to DoD framework because if product has STIG and
>    was configured in accordance to it, it is secure by DoD definition
>
> So overall, it is to the great benefit for the product to have STIG
> written for it, since it advances it on security market quite a bit and at
> the end - improves product's security posture quite a bit as well. My
> initial idea was that I would bring on board my knowledge of security
> concepts, and when I would lack understanding of intricate details of DB, I
> would turn to the Cassandra community for support.
>
> So far it doesn't work quite well, and from what you are saying, it
> wouldn't, because of lack of knowledge and lack of motivation to get it.
> What would be your suggestion? Who is capable of answering my questions? Is
> there another community, I should turn to?
>
> Would really appreciate your input on that,
>
> Thanks,
>
> Oleg
>
>
>
>
>
> On Fri, Jan 29, 2016 at 10:24 AM, Jonathan Haddad <jo...@jonhaddad.com>
> wrote:
>
>> I think the reason why most of your queries aren't being answered is
>> because you're asking questions that most people don't have the answer to.
>> On the automatic disconnect, anyone using Cassandra in prod doesn't really
>> need to think about it because we're always running queries, perhaps
>> millions a second.  Queries are multiplexed over a single connection.
>> Almost nobody ever actually runs into a case of leaving a socket open for
>> hours without a query, so to find out if it actually happens, someone would
>> have to look it up in the source.
>>
>> Your questions about auditing are geared more towards if you're using a
>> database that's built for multi user access.  Cassandra was built to solve
>> a very different problem.  In most cases, you don't have hundreds of people
>> connecting from a shell, leaving connections open, casually querying for BI
>> reports.  This isn't how *most* people use Cassandra, it wasn't really
>> built for that.  There's better support for users & roles nowadays but it's
>> relatively new and that's about all you have right now.
>>
>> I realize you're new to the community, and it can be frustrating to not
>> get answers to questions that seem completely basic and obvious, but you're
>> asking about areas that *most* people on this list don't have knowledge
>> about and zero motivation to learn, because it's not necessary to solve the
>> problems we face.
>>
>>
>> On Fri, Jan 29, 2016 at 6:19 AM oleg yusim <ol...@gmail.com> wrote:
>>
>>> Not a problem, Carlos, at least you tried :) I have overall a big
>>> problem with my queries to Cassandra community. Most of them are not
>>> getting answered.
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso <in...@mrcalonso.com>
>>> wrote:
>>>
>>>> Oh, I thought you meant read/write timeout, not session timeout due to
>>>> inactivity...
>>>>
>>>> Not sure there's such option. Sorry
>>>>
>>>> Carlos Alonso | Software Engineer | @calonso
>>>> <https://twitter.com/calonso>
>>>>
>>>> On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:
>>>>
>>>>> Carlos,
>>>>>
>>>>> I went through Java and Python drivers... didn't find anything like
>>>>> that. Can you bring me example from your Ruby driver? Let me also make sure
>>>>> we are on the same page - I'm talking about session timeout due to
>>>>> inactivity, not read timeout or something like that.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Oleg
>>>>>
>>>>> On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com>
>>>>> wrote:
>>>>>
>>>>>> I personally don't use the Java but the Ruby driver, but I'm pretty
>>>>>> sure you'll be able to find it in the docs:
>>>>>> https://github.com/datastax/java-driver
>>>>>>
>>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>>> <https://twitter.com/calonso>
>>>>>>
>>>>>> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Carlos,
>>>>>>>
>>>>>>> Thanks for your answer. Can you, please, get me a bit more information?
>>>>>>> What is the driver? JDBC? What is the name of configuration file?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Oleg
>>>>>>>
>>>>>>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Oleg.
>>>>>>>>
>>>>>>>> The drivers have builtin the timeout configurable functionality.
>>>>>>>>
>>>>>>>> Hope it helps.
>>>>>>>>
>>>>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>>>>> <https://twitter.com/calonso>
>>>>>>>>
>>>>>>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Greetings,
>>>>>>>>>
>>>>>>>>> Does Cassandra support session timeout? If so, where can I find
>>>>>>>>> this configuration switch? If not, what kind of hook I can use to write my
>>>>>>>>> own code, terminating session in so many seconds of inactivity?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Oleg
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Jeff,

You mentioned that both Authentication and Authorization are pluggable. In
relation to that, is logging pluggable as well? I.e. if I'm not happy with
what logback has to provide and want to replace it with some alternative
logging module, can I do it?

Thanks,

Oleg

On Fri, Jan 29, 2016 at 11:42 AM, Jeff Jirsa <je...@crowdstrike.com>
wrote:

>
> > For instance, way AAA (authentication, authorization, audit) is done,
> doesn't allow for centralized account and access control management, which
> in reality translates into shared accounts and no hierarchy.
>
> Authentication and Authorization are both pluggable. Any organization can
> write their own, and tie it to any AAA system they currently have. If they
> were feeling generous, they could open source it for the community, and
> perhaps bring it upstream. There’s nothing fundamentally preventing your
> organization from writing an Authenticator (
> https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/IAuthenticator.java )
> or Authorizer (
> https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/IAuthorizer.java )
> if they were so inclined.
>
> Audit is something that’s being actively discussed (
> https://issues.apache.org/jira/browse/CASSANDRA-8844 ).
>
> It’s an open source project with a very small number of commercial
> vendors. In general, that means there are 3 options:
>
>    1. Wait for someone else to write it to fit their need, and hopefully
>    they open source it.
>    2. Write it yourself
>    3. Pay a vendor (such as Datastax), and let them know in advance it’s
>    a requirement to get it on their roadmap. This is really #2 with some
>    polish to make it easier to get through your legal/AP systems.
>
> > So far it doesn't work quite well, and from what you are saying, it
> wouldn't, because of lack of knowledge and lack of motivation to get it.
> What would be your suggestion? Who is capable of answering my questions? Is
> there another community, I should turn to?
>
> The cassandra-user and cassandra-dev mailing lists are the primary sources
> of knowledge outside of support contracts. For paid support, companies like
> Datastax and The Last Pickle tend to be well respected options. Both of
> those companies will probably answer some of your questions for free if you
> post on these mailing lists. They’ll likely answer even more if you pay
> them.
>
>
>
> From: oleg yusim
> Reply-To: "user@cassandra.apache.org"
> Date: Friday, January 29, 2016 at 9:16 AM
> To: "user@cassandra.apache.org"
> Subject: Re: Session timeout
>
> Jon,
>
> I suspected something like that. I did a bit of learning on Cassandra
> before starting my assessment, and I understand that you are right, and it
> is generally not used like that.
>
> However (taking off my developer hat and putting on my security architect
> hat), from the security point of view the way Cassandra is used now is not
> very secure. For instance, way AAA (authentication, authorization, audit)
> is done, doesn't allow for centralized account and access control
> management, which in reality translates into shared accounts and no
> hierarchy. That in turn translates into situation when one person
> compromising credentials means complete disaster - administrative access to
> DB was just given up, with all the consequences. To top it all logging
> currently implemented in horrible manner too. It doesn't even allow to log
> username - basic requirement for any product, which would allow DBA or ISSO
> to figure out who did what on DB and recover in case of attack or crash. In
> general, logs the way they are today are targeted toward developer, making
> changes in DB, not toward the DBA, using it, and doesn't make much sense in
> my opinion.
>
> Now if you are interested in that subject, that document:
> http://iasecontent.disa.mil/stigs/zip/Jan2016/U_Database_V2R3_SRG.zip
> covers security concerns which should be taken in the account, when we are
> designing database. It also explains why each of them is important and what
> exactly would happen if it would be neglected.
>
> Jon, I would also appreciate suggestion. What I do right now is called
> "writing a STIG". That is when somebody takes concepts from SRG (the
> document I gave you link to above) and figures out how those are applied to
> that particular product. What is met (and what configuration on product
> leads to it, exactly), what is not met, but can be with little enhancement
> (and again - what those would be exactly), and what is not met and can't be
> met at current design. All that is combined into one document, called STIG
> and published by government (DISA) on
> http://iase.disa.mil/stigs/Pages/a-z.aspx page. Those STIGs mean a great
> deal from the security point of view because they:
>
>    - Allow to save a lot of time on re-assessment of the product every
>    single time
>    - Allow to know what the product's limitations are from the
>    security point of view beforehand (and as such, place it right on the
>    system, implementing all right compensation controls around it)
>    - Allow to automate, both configuration checks from the security point
>    of view and hardening of the product
>    - Give product pass to DoD framework because if product has STIG and
>    was configured in accordance to it, it is secure by DoD definition
>
> So overall, it is to the great benefit for the product to have STIG
> written for it, since it advances it on security market quite a bit and at
> the end - improves product's security posture quite a bit as well. My
> initial idea was that I would bring on board my knowledge of security
> concepts, and when I would lack understanding of intricate details of DB, I
> would turn to the Cassandra community for support.
>
> So far it doesn't work quite well, and from what you are saying, it
> wouldn't, because of lack of knowledge and lack of motivation to get it.
> What would be your suggestion? Who is capable of answering my questions? Is
> there another community, I should turn to?
>
> Would really appreciate your input on that,
>
> Thanks,
>
> Oleg
>
>
>
>
>
> On Fri, Jan 29, 2016 at 10:24 AM, Jonathan Haddad <jo...@jonhaddad.com>
> wrote:
>
>> I think the reason why most of your queries aren't being answered is
>> because you're asking questions that most people don't have the answer to.
>> On the automatic disconnect, anyone using Cassandra in prod doesn't really
>> need to think about it because we're always running queries, perhaps
>> millions a second.  Queries are multiplexed over a single connection.
>> Almost nobody ever actually runs into a case of leaving a socket open for
>> hours without a query, so to find out if it actually happens, someone would
>> have to look it up in the source.
>>
>> Your questions about auditing are geared more towards if you're using a
>> database that's built for multi user access.  Cassandra was built to solve
>> a very different problem.  In most cases, you don't have hundreds of people
>> connecting from a shell, leaving connections open, casually querying for BI
>> reports.  This isn't how *most* people use Cassandra, it wasn't really
>> built for that.  There's better support for users & roles nowadays but it's
>> relatively new and that's about all you have right now.
>>
>> I realize you're new to the community, and it can be frustrating to not
>> get answers to questions that seem completely basic and obvious, but you're
>> asking about areas that *most* people on this list don't have knowledge
>> about and zero motivation to learn, because it's not necessary to solve the
>> problems we face.
>>
>>
>> On Fri, Jan 29, 2016 at 6:19 AM oleg yusim <ol...@gmail.com> wrote:
>>
>>> Not a problem, Carlos, at least you tried :) I have overall a big
>>> problem with my queries to Cassandra community. Most of them are not
>>> getting answered.
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso <in...@mrcalonso.com>
>>> wrote:
>>>
>>>> Oh, I thought you meant read/write timeout, not session timeout due to
>>>> inactivity...
>>>>
>>>> Not sure there's such option. Sorry
>>>>
>>>> Carlos Alonso | Software Engineer | @calonso
>>>> <https://twitter.com/calonso>
>>>>
>>>> On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:
>>>>
>>>>> Carlos,
>>>>>
>>>>> I went through Java and Python drivers... didn't find anything like
>>>>> that. Can you bring me example from your Ruby driver? Let me also make sure
>>>>> we are on the same page - I'm talking about session timeout due to
>>>>> inactivity, not read timeout or something like that.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Oleg
>>>>>
>>>>> On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com>
>>>>> wrote:
>>>>>
>>>>>> I personally don't use the Java but the Ruby driver, but I'm pretty
>>>>>> sure you'll be able to find it in the docs:
>>>>>> https://github.com/datastax/java-driver
>>>>>>
>>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>>> <https://twitter.com/calonso>
>>>>>>
>>>>>> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Carlos,
>>>>>>>
>>>>>>> Thanks for your answer. Can you, please, get me a bit more information?
>>>>>>> What is the driver? JDBC? What is the name of configuration file?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Oleg
>>>>>>>
>>>>>>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Oleg.
>>>>>>>>
>>>>>>>> The drivers have builtin the timeout configurable functionality.
>>>>>>>>
>>>>>>>> Hope it helps.
>>>>>>>>
>>>>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>>>>> <https://twitter.com/calonso>
>>>>>>>>
>>>>>>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Greetings,
>>>>>>>>>
>>>>>>>>> Does Cassandra support session timeout? If so, where can I find
>>>>>>>>> this configuration switch? If not, what kind of hook I can use to write my
>>>>>>>>> own code, terminating session in so many seconds of inactivity?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Oleg
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>

Re: Session timeout

Posted by Jeff Jirsa <je...@crowdstrike.com>.
> For instance, way AAA (authentication, authorization, audit) is done, doesn't allow for centralized account and access control management, which in reality translates into shared accounts and no hierarchy. 

Authentication and Authorization are both pluggable. Any organization can write their own, and tie it to any AAA system they currently have. If they were feeling generous, they could open source it for the community, and perhaps bring it upstream. There’s nothing fundamentally preventing your organization from writing an Authenticator ( https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/IAuthenticator.java ) or Authorizer ( https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/IAuthorizer.java ) if they were so inclined.

Audit is something that’s being actively discussed ( https://issues.apache.org/jira/browse/CASSANDRA-8844 ).

It’s an open source project with a very small number of commercial vendors. In general, that means there are 3 options:

   1. Wait for someone else to write it to fit their need, and hopefully they open source it.
   2. Write it yourself
   3. Pay a vendor (such as Datastax), and let them know in advance it’s a requirement to get it on their roadmap. This is really #2 with some polish to make it easier to get through your legal/AP systems.

> So far it doesn't work quite well, and from what you are saying, it wouldn't, because of lack of knowledge and lack of motivation to get it. What would be your suggestion? Who is capable of answering my questions? Is there another community, I should turn to?

The cassandra-user and cassandra-dev mailing lists are the primary sources of knowledge outside of support contracts. For paid support, companies like Datastax and The Last Pickle tend to be well respected options. Both of those companies will probably answer some of your questions for free if you post on these mailing lists. They’ll likely answer even more if you pay them.



From:  oleg yusim
Reply-To:  "user@cassandra.apache.org"
Date:  Friday, January 29, 2016 at 9:16 AM
To:  "user@cassandra.apache.org"
Subject:  Re: Session timeout

Jon, 

I suspected something like that. I did a bit of learning on Cassandra before starting my assessment, and I understand that you are right, and it is generally not used like that. 

However (taking off my developer hat and putting on my security architect hat), from the security point of view the way Cassandra is used now is not very secure. For instance, way AAA (authentication, authorization, audit) is done, doesn't allow for centralized account and access control management, which in reality translates into shared accounts and no hierarchy. That in turn translates into situation when one person compromising credentials means complete disaster - administrative access to DB was just given up, with all the consequences. To top it all logging currently implemented in horrible manner too. It doesn't even allow to log username - basic requirement for any product, which would allow DBA or ISSO to figure out who did what on DB and recover in case of attack or crash. In general, logs the way they are today are targeted toward developer, making changes in DB, not toward the DBA, using it, and doesn't make much sense in my opinion.

Now if you are interested in that subject, that document: http://iasecontent.disa.mil/stigs/zip/Jan2016/U_Database_V2R3_SRG.zip covers security concerns which should be taken in the account, when we are designing database. It also explains why each of them is important and what exactly would happen if it would be neglected.

Jon, I would also appreciate suggestion. What I do right now is called "writing a STIG". That is when somebody takes concepts from SRG (the document I gave you link to above) and figures out how those are applied to that particular product. What is met (and what configuration on product leads to it, exactly), what is not met, but can be with little enhancement (and again - what those would be exactly), and what is not met and can't be met at current design. All that is combined into one document, called STIG and published by government (DISA) on http://iase.disa.mil/stigs/Pages/a-z.aspx page. Those STIGs mean a great deal from the security point of view because they:

   - Allow to save a lot of time on re-assessment of the product every single time
   - Allow to know what the product's limitations are from the security point of view beforehand (and as such, place it right on the system, implementing all right compensation controls around it)
   - Allow to automate, both configuration checks from the security point of view and hardening of the product
   - Give product pass to DoD framework because if product has STIG and was configured in accordance to it, it is secure by DoD definition

So overall, it is to the great benefit for the product to have STIG written for it, since it advances it on security market quite a bit and at the end - improves product's security posture quite a bit as well. My initial idea was that I would bring on board my knowledge of security concepts, and when I would lack understanding of intricate details of DB, I would turn to the Cassandra community for support.

So far it doesn't work quite well, and from what you are saying, it wouldn't, because of lack of knowledge and lack of motivation to get it. What would be your suggestion? Who is capable of answering my questions? Is there another community, I should turn to?

Would really appreciate your input on that,

Thanks,

Oleg



 

On Fri, Jan 29, 2016 at 10:24 AM, Jonathan Haddad <jo...@jonhaddad.com> wrote:
I think the reason why most of your queries aren't being answered is because you're asking questions that most people don't have the answer to.  On the automatic disconnect, anyone using Cassandra in prod doesn't really need to think about it because we're always running queries, perhaps millions a second.  Queries are multiplexed over a single connection.  Almost nobody ever actually runs into a case of leaving a socket open for hours without a query, so to find out if it actually happens, someone would have to look it up in the source. 

Your questions about auditing are geared more towards if you're using a database that's built for multi user access.  Cassandra was built to solve a very different problem.  In most cases, you don't have hundreds of people connecting from a shell, leaving connections open, casually querying for BI reports.  This isn't how *most* people use Cassandra, it wasn't really built for that.  There's better support for users & roles nowadays but it's relatively new and that's about all you have right now.

I realize you're new to the community, and it can be frustrating to not get answers to questions that seem completely basic and obvious, but you're asking about areas that *most* people on this list don't have knowledge about and zero motivation to learn, because it's not necessary to solve the problems we face.


On Fri, Jan 29, 2016 at 6:19 AM oleg yusim <ol...@gmail.com> wrote:
Not a problem, Carlos, at least you tried :) I have overall a big problem with my queries to Cassandra community. Most of them are not getting answered.

Oleg

On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso <in...@mrcalonso.com> wrote:
Oh, I thought you meant read/write timeout, not session timeout due to inactivity... 

Not sure there's such option. Sorry

Carlos Alonso | Software Engineer | @calonso

On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:
Carlos, 

I went through Java and Python drivers... didn't find anything like that. Can you bring me example from your Ruby driver? Let me also make sure we are on the same page - I'm talking about session timeout due to inactivity, not read timeout or something like that.

Thanks,

Oleg

On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com> wrote:
I personally don't use the Java but the Ruby driver, but I'm pretty sure you'll be able to find it in the docs: https://github.com/datastax/java-driver

Carlos Alonso | Software Engineer | @calonso

On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
Hi Carlos, 

Thanks for your answer. Can you, please, get me a bit more information? What is the driver? JDBC? What is the name of configuration file?

Thanks,

Oleg

On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com> wrote:
Hi Oleg. 

The drivers have builtin the timeout configurable functionality.

Hope it helps.

Carlos Alonso | Software Engineer | @calonso

On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
Greetings, 

Does Cassandra support session timeout? If so, where can I find this configuration switch? If not, what kind of hook I can use to write my own code, terminating session in so many seconds of inactivity?

Thanks,

Oleg









Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Jon,

I suspected something like that. I did a bit of learning on Cassandra
before starting my assessment, and I understand that you are right, and it
is generally not used like that.

However (taking off my developer hat and putting on my security architect
hat), from the security point of view the way Cassandra is used now is not
very secure. For instance, way AAA (authentication, authorization, audit)
is done, doesn't allow for centralized account and access control
management, which in reality translates into shared accounts and no
hierarchy. That in turn translates into situation when one person
compromising credentials means complete disaster - administrative access to
DB was just given up, with all the consequences. To top it all logging
currently implemented in horrible manner too. It doesn't even allow to log
username - basic requirement for any product, which would allow DBA or ISSO
to figure out who did what on DB and recover in case of attack or crash. In
general, logs the way they are today are targeted toward developer, making
changes in DB, not toward the DBA, using it, and doesn't make much sense in
my opinion.

Now if you are interested in that subject, that document:
http://iasecontent.disa.mil/stigs/zip/Jan2016/U_Database_V2R3_SRG.zip
covers security concerns which should be taken in the account, when we are
designing database. It also explains why each of them is important and what
exactly would happen if it would be neglected.

Jon, I would also appreciate suggestion. What I do right now is called
"writing a STIG". That is when somebody takes concepts from SRG (the
document I gave you link to above) and figures out how those are applied to
that particular product. What is met (and what configuration on product
leads to it, exactly), what is not met, but can be with little enhancement
(and again - what those would be exactly), and what is not met and can't be
met at current design. All that is combined into one document, called STIG
and published by government (DISA) on
http://iase.disa.mil/stigs/Pages/a-z.aspx page. Those STIGs mean a great
deal from the security point of view because they:

   - Allow to save a lot of time on re-assessment of the product every
   single time
   - Allow to know what the product's limitations are from the security
   point of view beforehand (and as such, place it right on the system,
   implementing all right compensation controls around it)
   - Allow to automate, both configuration checks from the security point
   of view and hardening of the product
   - Give product pass to DoD framework because if product has STIG and was
   configured in accordance to it, it is secure by DoD definition

So overall, it is to the great benefit for the product to have STIG written
for it, since it advances it on security market quite a bit and at the end
- improves product's security posture quite a bit as well. My initial idea
was that I would bring on board my knowledge of security concepts, and when
I would lack understanding of intricate details of DB, I would turn to the
Cassandra community for support.

So far it doesn't work quite well, and from what you are saying, it
wouldn't, because of lack of knowledge and lack of motivation to get it.
What would be your suggestion? Who is capable of answering my questions? Is
there another community, I should turn to?

Would really appreciate your input on that,

Thanks,

Oleg





On Fri, Jan 29, 2016 at 10:24 AM, Jonathan Haddad <jo...@jonhaddad.com> wrote:

> I think the reason why most of your queries aren't being answered is
> because you're asking questions that most people don't have the answer to.
> On the automatic disconnect, anyone using Cassandra in prod doesn't really
> need to think about it because we're always running queries, perhaps
> millions a second.  Queries are multiplexed over a single connection.
> Almost nobody ever actually runs into a case of leaving a socket open for
> hours without a query, so to find out if it actually happens, someone would
> have to look it up in the source.
>
> Your questions about auditing are geared more towards if you're using a
> database that's built for multi user access.  Cassandra was built to solve
> a very different problem.  In most cases, you don't have hundreds of people
> connecting from a shell, leaving connections open, casually querying for BI
> reports.  This isn't how *most* people use Cassandra, it wasn't really
> built for that.  There's better support for users & roles nowadays but it's
> relatively new and that's about all you have right now.
>
> I realize you're new to the community, and it can be frustrating to not
> get answers to questions that seem completely basic and obvious, but you're
> asking about areas that *most* people on this list don't have knowledge
> about and zero motivation to learn, because it's not necessary to solve the
> problems we face.
>
>
> On Fri, Jan 29, 2016 at 6:19 AM oleg yusim <ol...@gmail.com> wrote:
>
>> Not a problem, Carlos, at least you tried :) I have overall a big problem
>> with my queries to Cassandra community. Most of them are not getting
>> answered.
>>
>> Oleg
>>
>> On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso <in...@mrcalonso.com>
>> wrote:
>>
>>> Oh, I thought you meant read/write timeout, not session timeout due to
>>> inactivity...
>>>
>>> Not sure there's such option. Sorry
>>>
>>> Carlos Alonso | Software Engineer | @calonso
>>> <https://twitter.com/calonso>
>>>
>>> On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:
>>>
>>>> Carlos,
>>>>
>>>> I went through Java and Python drivers... didn't find anything like
>>>> that. Can you bring me example from your Ruby driver? Let me also make sure
>>>> we are on the same page - I'm talking about session timeout due to
>>>> inactivity, not read timeout or something like that.
>>>>
>>>> Thanks,
>>>>
>>>> Oleg
>>>>
>>>> On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com>
>>>> wrote:
>>>>
>>>>> I personally don't use the Java but the Ruby driver, but I'm pretty
>>>>> sure you'll be able to find it in the docs:
>>>>> https://github.com/datastax/java-driver
>>>>>
>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>> <https://twitter.com/calonso>
>>>>>
>>>>> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>>>>>
>>>>>> Hi Carlos,
>>>>>>
>>>>>> Thanks for your answer. Can you, please, get me a bit more information?
>>>>>> What is the driver? JDBC? What is the name of configuration file?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Oleg
>>>>>>
>>>>>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Oleg.
>>>>>>>
>>>>>>> The drivers have builtin the timeout configurable functionality.
>>>>>>>
>>>>>>> Hope it helps.
>>>>>>>
>>>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>>>> <https://twitter.com/calonso>
>>>>>>>
>>>>>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Greetings,
>>>>>>>>
>>>>>>>> Does Cassandra support session timeout? If so, where can I find
>>>>>>>> this configuration switch? If not, what kind of hook I can use to write my
>>>>>>>> own code, terminating session in so many seconds of inactivity?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Oleg
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>

Re: Session timeout

Posted by Jonathan Haddad <jo...@jonhaddad.com>.
I think the reason why most of your queries aren't being answered is
because you're asking questions that most people don't have the answer to.
On the automatic disconnect, anyone using Cassandra in prod doesn't really
need to think about it because we're always running queries, perhaps
millions a second.  Queries are multiplexed over a single connection.
Almost nobody ever actually runs into a case of leaving a socket open for
hours without a query, so to find out if it actually happens, someone would
have to look it up in the source.

Your questions about auditing are geared more towards if you're using a
database that's built for multi user access.  Cassandra was built to solve
a very different problem.  In most cases, you don't have hundreds of people
connecting from a shell, leaving connections open, casually querying for BI
reports.  This isn't how *most* people use Cassandra, it wasn't really
built for that.  There's better support for users & roles nowadays but it's
relatively new and that's about all you have right now.

I realize you're new to the community, and it can be frustrating to not get
answers to questions that seem completely basic and obvious, but you're
asking about areas that *most* people on this list don't have knowledge
about and zero motivation to learn, because it's not necessary to solve the
problems we face.


On Fri, Jan 29, 2016 at 6:19 AM oleg yusim <ol...@gmail.com> wrote:

> Not a problem, Carlos, at least you tried :) I have overall a big problem
> with my queries to Cassandra community. Most of them are not getting
> answered.
>
> Oleg
>
> On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso <in...@mrcalonso.com> wrote:
>
>> Oh, I thought you meant read/write timeout, not session timeout due to
>> inactivity...
>>
>> Not sure there's such option. Sorry
>>
>> Carlos Alonso | Software Engineer | @calonso
>> <https://twitter.com/calonso>
>>
>> On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:
>>
>>> Carlos,
>>>
>>> I went through Java and Python drivers... didn't find anything like
>>> that. Can you bring me example from your Ruby driver? Let me also make sure
>>> we are on the same page - I'm talking about session timeout due to
>>> inactivity, not read timeout or something like that.
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com>
>>> wrote:
>>>
>>>> I personally don't use the Java but the Ruby driver, but I'm pretty
>>>> sure you'll be able to find it in the docs:
>>>> https://github.com/datastax/java-driver
>>>>
>>>> Carlos Alonso | Software Engineer | @calonso
>>>> <https://twitter.com/calonso>
>>>>
>>>> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>>>>
>>>>> Hi Carlos,
>>>>>
>>>>> Thanks for your answer. Can you, please, get me a bit more information?
>>>>> What is the driver? JDBC? What is the name of configuration file?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Oleg
>>>>>
>>>>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Oleg.
>>>>>>
>>>>>> The drivers have builtin the timeout configurable functionality.
>>>>>>
>>>>>> Hope it helps.
>>>>>>
>>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>>> <https://twitter.com/calonso>
>>>>>>
>>>>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>>>>>>
>>>>>>> Greetings,
>>>>>>>
>>>>>>> Does Cassandra support session timeout? If so, where can I find this
>>>>>>> configuration switch? If not, what kind of hook I can use to write my own
>>>>>>> code, terminating session in so many seconds of inactivity?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Oleg
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Not a problem, Carlos, at least you tried :) I have overall a big problem
with my queries to Cassandra community. Most of them are not getting
answered.

Oleg

On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso <in...@mrcalonso.com> wrote:

> Oh, I thought you meant read/write timeout, not session timeout due to
> inactivity...
>
> Not sure there's such option. Sorry
>
> Carlos Alonso | Software Engineer | @calonso <https://twitter.com/calonso>
>
> On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:
>
>> Carlos,
>>
>> I went through Java and Python drivers... didn't find anything like that.
>> Can you bring me example from your Ruby driver? Let me also make sure we
>> are on the same page - I'm talking about session timeout due to inactivity,
>> not read timeout or something like that.
>>
>> Thanks,
>>
>> Oleg
>>
>> On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com>
>> wrote:
>>
>>> I personally don't use the Java but the Ruby driver, but I'm pretty sure
>>> you'll be able to find it in the docs:
>>> https://github.com/datastax/java-driver
>>>
>>> Carlos Alonso | Software Engineer | @calonso
>>> <https://twitter.com/calonso>
>>>
>>> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>>>
>>>> Hi Carlos,
>>>>
>>>> Thanks for your answer. Can you, please, get me a bit more information?
>>>> What is the driver? JDBC? What is the name of configuration file?
>>>>
>>>> Thanks,
>>>>
>>>> Oleg
>>>>
>>>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>>>> wrote:
>>>>
>>>>> Hi Oleg.
>>>>>
>>>>> The drivers have builtin the timeout configurable functionality.
>>>>>
>>>>> Hope it helps.
>>>>>
>>>>> Carlos Alonso | Software Engineer | @calonso
>>>>> <https://twitter.com/calonso>
>>>>>
>>>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> Does Cassandra support session timeout? If so, where can I find this
>>>>>> configuration switch? If not, what kind of hook can I use to write my own
>>>>>> code, terminating session in so many seconds of inactivity?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Oleg
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

Re: Session timeout

Posted by Carlos Alonso <in...@mrcalonso.com>.
Oh, I thought you meant read/write timeout, not session timeout due to
inactivity...

Not sure there's such an option. Sorry.

Carlos Alonso | Software Engineer | @calonso <https://twitter.com/calonso>

On 29 January 2016 at 13:35, oleg yusim <ol...@gmail.com> wrote:

> Carlos,
>
> I went through Java and Python drivers... didn't find anything like that.
> Can you bring me an example from your Ruby driver? Let me also make sure we
> are on the same page - I'm talking about session timeout due to inactivity,
> not read timeout or something like that.
>
> Thanks,
>
> Oleg
>
> On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com> wrote:
>
>> I personally don't use the Java but the Ruby driver, but I'm pretty sure
>> you'll be able to find it in the docs:
>> https://github.com/datastax/java-driver
>>
>> Carlos Alonso | Software Engineer | @calonso
>> <https://twitter.com/calonso>
>>
>> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>>
>>> Hi Carlos,
>>>
>>> Thanks for your answer. Can you, please, get me a bit more information?
>>> What is the driver? JDBC? What is the name of configuration file?
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>>> wrote:
>>>
>>>> Hi Oleg.
>>>>
>>>> The drivers have configurable timeout functionality built in.
>>>>
>>>> Hope it helps.
>>>>
>>>> Carlos Alonso | Software Engineer | @calonso
>>>> <https://twitter.com/calonso>
>>>>
>>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>>>>
>>>>> Greetings,
>>>>>
>>>>> Does Cassandra support session timeout? If so, where can I find this
>>>>> configuration switch? If not, what kind of hook can I use to write my own
>>>>> code, terminating session in so many seconds of inactivity?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Oleg
>>>>>
>>>>
>>>>
>>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Carlos,

I went through Java and Python drivers... didn't find anything like that.
Can you bring me an example from your Ruby driver? Let me also make sure we
are on the same page - I'm talking about session timeout due to inactivity,
not read timeout or something like that.

Thanks,

Oleg

On Fri, Jan 29, 2016 at 7:23 AM, Carlos Alonso <in...@mrcalonso.com> wrote:

> I personally don't use the Java but the Ruby driver, but I'm pretty sure
> you'll be able to find it in the docs:
> https://github.com/datastax/java-driver
>
> Carlos Alonso | Software Engineer | @calonso <https://twitter.com/calonso>
>
> On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:
>
>> Hi Carlos,
>>
>> Thanks for your answer. Can you, please, get me a bit more information? What
>> is the driver? JDBC? What is the name of configuration file?
>>
>> Thanks,
>>
>> Oleg
>>
>> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com>
>> wrote:
>>
>>> Hi Oleg.
>>>
>>> The drivers have configurable timeout functionality built in.
>>>
>>> Hope it helps.
>>>
>>> Carlos Alonso | Software Engineer | @calonso
>>> <https://twitter.com/calonso>
>>>
>>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>>>
>>>> Greetings,
>>>>
>>>> Does Cassandra support session timeout? If so, where can I find this
>>>> configuration switch? If not, what kind of hook can I use to write my own
>>>> code, terminating session in so many seconds of inactivity?
>>>>
>>>> Thanks,
>>>>
>>>> Oleg
>>>>
>>>
>>>
>>
>

Re: Session timeout

Posted by Carlos Alonso <in...@mrcalonso.com>.
I personally don't use the Java but the Ruby driver, but I'm pretty sure
you'll be able to find it in the docs:
https://github.com/datastax/java-driver

Carlos Alonso | Software Engineer | @calonso <https://twitter.com/calonso>

On 29 January 2016 at 13:15, oleg yusim <ol...@gmail.com> wrote:

> Hi Carlos,
>
> Thanks for your answer. Can you, please, get me a bit more information? What
> is the driver? JDBC? What is the name of configuration file?
>
> Thanks,
>
> Oleg
>
> On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com> wrote:
>
>> Hi Oleg.
>>
>> The drivers have configurable timeout functionality built in.
>>
>> Hope it helps.
>>
>> Carlos Alonso | Software Engineer | @calonso
>> <https://twitter.com/calonso>
>>
>> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>>
>>> Greetings,
>>>
>>> Does Cassandra support session timeout? If so, where can I find this
>>> configuration switch? If not, what kind of hook can I use to write my own
>>> code, terminating session in so many seconds of inactivity?
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>
>>
>

Re: Session timeout

Posted by oleg yusim <ol...@gmail.com>.
Hi Carlos,

Thanks for your answer. Can you, please, get me a bit more information? What
is the driver? JDBC? What is the name of configuration file?

Thanks,

Oleg

On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso <in...@mrcalonso.com> wrote:

> Hi Oleg.
>
> The drivers have configurable timeout functionality built in.
>
> Hope it helps.
>
> Carlos Alonso | Software Engineer | @calonso <https://twitter.com/calonso>
>
> On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:
>
>> Greetings,
>>
>> Does Cassandra support session timeout? If so, where can I find this
>> configuration switch? If not, what kind of hook can I use to write my own
>> code, terminating session in so many seconds of inactivity?
>>
>> Thanks,
>>
>> Oleg
>>
>
>

Re: Session timeout

Posted by Carlos Alonso <in...@mrcalonso.com>.
Hi Oleg.

The drivers have configurable timeout functionality built in.

Hope it helps.

Carlos Alonso | Software Engineer | @calonso <https://twitter.com/calonso>

On 28 January 2016 at 22:18, oleg yusim <ol...@gmail.com> wrote:

> Greetings,
>
> Does Cassandra support session timeout? If so, where can I find this
> configuration switch? If not, what kind of hook can I use to write my own
> code, terminating session in so many seconds of inactivity?
>
> Thanks,
>
> Oleg
>