Posted to user@cassandra.apache.org by Gil Ganz <gi...@gmail.com> on 2020/06/02 06:26:01 UTC

Impact of enabling authentication on performance

Hi
I have a production 3.11.6 cluster which I might want to enable
authentication in, I'm trying to understand what will be the performance
impact, if any.
I understand each use case might be different, trying to understand if
there is a common % people usually see their performance hit, or if someone
has looked into this.
Gil

Re: Impact of enabling authentication on performance

Posted by Sam Tunnicliffe <sa...@beobal.com>.
Passwords are hashed using bcrypt, which performs a configurable number of encryption rounds on the input. The more rounds, the more computationally expensive the hashing and so the more effort required to defeat by brute force. By default, Cassandra encrypts with 2^10 rounds, but this can be set anywhere between 2^4 and 2^31, the trade-off being a lower number of rounds is technically less secure but puts less strain on the servers, particularly if you have a lot of short-lived client connections and/or thundering herd issues.

To override the default use a system property, which can be added to jvm-server.options, e.g.:

cassandra.auth_bcrypt_gensalt_log2_rounds=4 

Bcrypt encodes the number of rounds used to generate a hash in the hash itself so existing passwords will continue to work, they just won't benefit from the reduced costs. See https://issues.apache.org/jira/browse/CASSANDRA-8085 for (slightly) more info.
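
An added example, not part of the original post and not Cassandra code: because the cost is embedded in each stored hash, an operator can list which roles still carry a hash generated at a different cost than the one now configured. It assumes rows are available as (role, salted_hash) pairs, for instance exported from system_auth.roles; the function names and sample rows are constructed for illustration.

```python
import re

# Modular crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST, MAX_COST = 4, 31  # range quoted in the thread (2^4 .. 2^31)

def bcrypt_cost(salted_hash):
    """Return the log2 round count embedded in a bcrypt hash string."""
    m = BCRYPT_RE.match(salted_hash)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group(1))
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"cost {cost} outside {MIN_COST}..{MAX_COST}")
    return cost

def audit_roles(rows, configured_cost):
    """Compare each role's embedded cost with the configured one.

    Returns {role: (cost, relative_work)} for roles whose stored hash was
    generated at a different cost. relative_work is the hashing work per
    login relative to the configured setting: 2^cost / 2^configured_cost.
    """
    findings = {}
    for role, salted_hash in rows:
        cost = bcrypt_cost(salted_hash)
        if cost != configured_cost:
            findings[role] = (cost, 2.0 ** (cost - configured_cost))
    return findings

# Constructed sample rows; the salt+digest part is filler, not a real hash.
FILLER = "A" * 53
SAMPLE_ROWS = [
    ("app_rw", "$2a$10$" + FILLER),  # created under the default 2^10
    ("app_ro", "$2a$10$" + FILLER),
    ("batch", "$2a$04$" + FILLER),   # created after rounds were set to 4
]

if __name__ == "__main__":
    for role, (cost, rel) in audit_roles(SAMPLE_ROWS, configured_cost=4).items():
        print(f"{role}: stored at 2^{cost}, {rel:g}x the configured work per login")
```

Roles reported here keep paying their original cost on every uncached login until their password is set again under the new setting.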




Re: Impact of enabling authentication on performance

Posted by Gil Ganz <gi...@gmail.com>.
Great advice guys, will check it out.
Jeff, what do you mean exactly by dropping bcrypt rounds?



Re: Impact of enabling authentication on performance

Posted by Alex Ott <al...@gmail.com>.
You can decrease this time for picking up the change by using a lower number
for credentials_update_interval_in_ms, roles_update_interval_in_ms &
permissions_update_interval_in_ms


-- 
With best wishes,                    Alex Ott
Principal Architect, DataStax
http://datastax.com/



RE: Impact of enabling authentication on performance

Posted by "Durity, Sean R" <SE...@homedepot.com>.
To flesh this out a bit, I set roles_validity_in_ms and permissions_validity_in_ms to 3600000 (10 minutes). The default of 2000 is far too often for my use cases. Usually I set the RF for system_auth to 3 per DC. On a larger, busier cluster I have set it to 6 per DC. NOTE: if you set the validity higher, it may take that amount of time before a change in password or table permissions is picked up (usually less).


Sean Durity
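
An added example, not part of the original thread and not Cassandra's implementation: a simplified single-key model of the trade-off described in this message and in Alex Ott's reply, measuring how long a revoked permission keeps being honoured for a given validity and update interval. The class, function names, refresh semantics and timing values are assumptions made for illustration.

```python
class AuthCacheModel:
    """Simplified single-key model of a validity / update-interval cache.

    Assumed semantics (a model, not Cassandra's code): an entry older than
    validity_ms is reloaded before the read returns; an entry older than
    update_interval_ms but still valid is served as-is once while a
    background refresh replaces it for later reads.
    """

    def __init__(self, validity_ms, update_interval_ms, load):
        self.validity_ms = validity_ms
        self.update_interval_ms = update_interval_ms
        self.load = load          # callable(now_ms) -> current value
        self.value = None
        self.loaded_at = None

    def get(self, now_ms):
        age = None if self.loaded_at is None else now_ms - self.loaded_at
        if age is None or age >= self.validity_ms:
            self.value, self.loaded_at = self.load(now_ms), now_ms
            return self.value     # expired: blocking load
        if age >= self.update_interval_ms:
            stale = self.value
            self.value, self.loaded_at = self.load(now_ms), now_ms
            return stale          # refresh triggered, old value served
        return self.value


def revocation_lag_ms(validity_ms, update_interval_ms, read_every_ms, revoked_at_ms):
    """Time between a revocation and the first read that observes it."""
    def granted(now_ms):          # source of truth: granted until revoked
        return now_ms < revoked_at_ms

    cache = AuthCacheModel(validity_ms, update_interval_ms, granted)
    now = 0
    while cache.get(now):         # client re-checks every read_every_ms
        now += read_every_ms
    return now - revoked_at_ms


if __name__ == "__main__":
    # Constructed timings: client reads once per second, revoke at t=500 ms.
    print(revocation_lag_ms(60_000, 60_000, 1_000, 500))  # long validity only
    print(revocation_lag_ms(60_000, 10_000, 1_000, 500))  # shorter update interval
```

In this model a shorter update interval shrinks the revocation window without giving up the long validity, at the price of more frequent background reads of the auth tables.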


Re: Impact of enabling authentication on performance

Posted by Jeff Jirsa <jj...@gmail.com>.
Set the Auth cache to a long validity

Don’t go crazy with RF of system auth

Drop bcrypt rounds if you see massive cpu spikes on reconnect storms

