You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@cassandra.apache.org by Michal Michalski <mi...@opera.com> on 2012/04/17 14:23:11 UTC
User authorized for cannot create CFs
Hi,
I'm suffering a problem, which maybe is a feature ( ;) ), but for me
it's rather an annoying problem. I use SimpleAuthenticator and I have
user who should be a kind of Cassandra's keyspace "root" - he should be
allowed to do everything. So I set:
<modify-keyspaces>=master
Unluckily, when I try to create CFs (with a script) I get:
pycassa.cassandra.c10.ttypes.InvalidRequestException:
InvalidRequestException(why='#<User master groups=[]> does not have
permission WRITE for /cassandra/keyspaces/test')
It's not a problem of logging in, because if I provide wrong password I
get different error:
pycassa.cassandra.c10.ttypes.AuthenticationException:
AuthenticationException(why='Given password in password mode MD5 could
not be validated for user master')
When I go back to AllowAllAuthority for a while, create CFs and then
move back to SimpleAuthority (user has <rw> on all CFs) it's working
perfectly to manipulate the data in CFs in this keyspace. But altering
CFs settings still fails.
So, the question is - is it intended to work this way, that user with
"modify-keyspace" permission cannot - sic! - modify the keyspace in
terms of creating/altering CF? Is it a bug, or a feature? If feature -
why? :)
Or maybe this setting is for other purposes and I just don't understand
the idea? ;)
Kind regards,
Michał M.
Re: Memtable.flushAndSignal "hangs" ColumnFamilyStore.maybeSwitchMemtable
on IOException
Posted by Mikael Wikblom <mi...@sitevision.se>.
ok, just find it a bit hard to be forced to shutdown the node in case of
an IOException, but I understand why. The exception occurred because of
a missing native snappy library on the server, but the error only occur
because we initialized a column family incorrectly (we are using
cassandra embedded and are working directly against the internal APIs).
Regards
Mikael Wikblom
On 05/02/2012 03:03 PM, Sylvain Lebresne wrote:
> On Wed, May 2, 2012 at 2:42 PM, Mikael Wikblom
> <mi...@sitevision.se> wrote:
>> Given an IOException in writeSortedContents the latch.countDown() will not
>> be called. Wouldn't it be better to place the latch.countDown() in the
>> finally statement?
> No because having the latch being countDown means 'the sstable has
> been flushed successfully and the data can be safely deleted in the
> commit log', which is not the case if you get an IOException.
>
>> We've had issues with IOExceptions in writeSortedContents when doing a snapshot which hung a thread (and still hangs) for 4 days.
> It would be interesting to know what triggered the IOException. If
> that's due to a bug, then that's the one we should fix in priority. If
> that's you running out of disk-space or something like that, you
> should probably fix that and restart C*.
>
> --
> Sylvain
--
Mikael Wikblom
Software Architect
SiteVision AB
019-217058
mikael.wikblom@sitevision.se
http://www.sitevision.se
Re: Memtable.flushAndSignal "hangs" ColumnFamilyStore.maybeSwitchMemtable
on IOException
Posted by Sylvain Lebresne <sy...@datastax.com>.
On Wed, May 2, 2012 at 2:42 PM, Mikael Wikblom
<mi...@sitevision.se> wrote:
> Given an IOException in writeSortedContents the latch.countDown() will not
> be called. Wouldn't it be better to place the latch.countDown() in the
> finally statement?
No because having the latch being countDown means 'the sstable has
been flushed successfully and the data can be safely deleted in the
commit log', which is not the case if you get an IOException.
> We've had issues with IOExceptions in writeSortedContents when doing a snapshot which hung a thread (and still hangs) for 4 days.
It would be interesting to know what triggered the IOException. If
that's due to a bug, then that's the one we should fix in priority. If
that's you running out of disk-space or something like that, you
should probably fix that and restart C*.
--
Sylvain
Memtable.flushAndSignal "hangs" ColumnFamilyStore.maybeSwitchMemtable
on IOException
Posted by Mikael Wikblom <mi...@sitevision.se>.
Hi,
(cassandra 1.0.8)
Stumbled on a piece of code in Memtable that looks like it could hang a
thread forever.
public void flushAndSignal(final CountDownLatch latch, ExecutorService
writer, final ReplayPosition context)
{
writer.execute(new WrappedRunnable()
{
public void runMayThrow() throws IOException
{
cfs.flushLock.lock();
try
{
if (!cfs.isDropped())
{
SSTableReader sstable =
writeSortedContents(context);
cfs.replaceFlushed(Memtable.this, sstable);
}
}
finally
{
cfs.flushLock.unlock();
}
latch.countDown();
}
});
}
Given an IOException in writeSortedContents the latch.countDown() will
not be called. Wouldn't it be better to place the latch.countDown() in
the finally statement? We've had issues with IOExceptions in
writeSortedContents when doing a snapshot which hung a thread (and still
hangs) for 4 days. The thread hangs in
ColumnFamilyStore.forceBlockingFlush waiting for future.get() because
the latch.await() in ColumnFamilyStore.maybeSwitchMemtable never completes.
Regards
--
Mikael Wikblom
Software Architect
SiteVision AB
019-217058
mikael.wikblom@sitevision.se
http://www.sitevision.se
Re: User authorized for cannot create CFs
Posted by Michal Michalski <mi...@opera.com>.
Thanks for your reply, problem is solved. First, I missunderstood the
modify-keyspace param and then I just missed the fact that I can do simply:
test.<rw>=operator
without any wildcards or so. I even tried this solution before and -
after looking into the source code - I was sure it just has to work, but
it failed baceuse of some other, unrelated error in our app, which I
missed before.
> AFAIK the SimpleAuthenticator, and to some degree authentication (?), has been essentially deprecated as it was considered incomplete and was not under development. This is why the SimpleAuthenticator was moved out to the examples directory in 1.X. I doubt it will be dropped, but (again AFIK) it is not under active development.
Yup, I know it. But we do not use it as a main way of securing our data
or so - we just want to (1) separate the access from different parts of
the system using different users for them and (2) protect ourselves from
accidental writes to improper keyspaces or so. Thus we don't need it to
be working perfectly - I'd say it's a bit like Windows95 login prompt,
which could be closed with Esc button ;) Anyway, even if we threat this
way, we need it to use it comfortably, so it would be a problem for us
to change SimpleAuthenticator to AllowAllAuthority in cassandra.yaml
every time we create/update CF's :)
Anyway, it works now and thanks for your reply :)
Michał
Re: User authorized for cannot create CFs
Posted by aaron morton <aa...@thelastpickle.com>.
What version are you on ?
AFAIK the SimpleAuthenticator, and to some degree authentication (?), has been essentially deprecated as it was considered incomplete and was not under development. This is why the SimpleAuthenticator was moved out to the examples directory in 1.X. I doubt it will be dropped, but (again AFIK) it is not under active development.
If I have things wrong here please let me know.
That said, do you have the exact call that causes the error ? Can you run it with DEBUG logging on the server ? It looks like the error is from an attempt to write to the CF.
Cheers
Aaron
-----------------
Aaron Morton
Freelance Developer
@aaronmorton
http://www.thelastpickle.com
On 18/04/2012, at 12:23 AM, Michal Michalski wrote:
> Hi,
>
> I'm suffering a problem, which maybe is a feature ( ;) ), but for me it's rather an annoying problem. I use SimpleAuthenticator and I have user who should be a kind of Cassandra's keyspace "root" - he should be allowed to do everything. So I set:
>
> <modify-keyspaces>=master
>
> Unluckily, when I try to create CFs (with a script) I get:
>
> pycassa.cassandra.c10.ttypes.InvalidRequestException: InvalidRequestException(why='#<User master groups=[]> does not have permission WRITE for /cassandra/keyspaces/test')
>
> It's not a problem of logging in, because if I provide wrong password I get different error:
>
> pycassa.cassandra.c10.ttypes.AuthenticationException: AuthenticationException(why='Given password in password mode MD5 could not be validated for user master')
>
> When I go back to AllowAllAuthority for a while, create CFs and then move back to SimpleAuthority (user has <rw> on all CFs) it's working perfectly to manipulate the data in CFs in this keyspace. But altering CFs settings still fails.
>
> So, the question is - is it intended to work this way, that user with "modify-keyspace" permission cannot - sic! - modify the keyspace in terms of creating/altering CF? Is it a bug, or a feature? If feature - why? :)
>
> Or maybe this setting is for other purposes and I just don't understand the idea? ;)
>
> Kind regards,
> Michał M.