Re: Session timeout

2016-02-12 Thread oleg yusim
Jack, I updated my document with all the security gaps I was able to discover (see the second table, below the first one). I also moved the document to Google Docs from Word doc, shared on Google Drive, following Matt's suggestion. Please, see the updated link: https://docs.google.com/document/d/1

Re: Session timeout

2016-02-11 Thread oleg yusim
Jack, This document doesn't cover all the areas where user will need to get engaged in explicit mitigation, it only covers those, I wasn't sure about. But - you are making a good point here. Let me update the document with the rest of the gaps, so community would have a complete list here. Thanks

Re: Session timeout

2016-02-11 Thread Jack Krupansky
Thanks! A useful contribution, no matter what the outcome. I trust your ability to read of the doc, so I don't expect a lot of change to the responses, but we'll see. At a minimum, it will probably be good to have doc to highlight areas where users will need to engage in explicit mitigation efforts

Re: Session timeout

2016-02-11 Thread oleg yusim
Robert, Jack, Bryan, As you suggested, I put together document, titled Cassandra_Security_Topics_to_Discuss, put it on Google Drive and shared it with everybody on this list. The document contains list of questions I have on Cassandra, my take on it, and has a place for notes Community would like

Re: Session timeout

2016-02-01 Thread oleg yusim
ose companies will probably answer some of your questions for free if you > post on these mailing lists. They’ll likely answer even more if you pay > them. > > > > From: oleg yusim > Reply-To: "user@cassandra.apache.org" > Date: Friday, January 29, 2016 at 9:16 AM >

Re: Session timeout

2016-01-29 Thread Bryan Cheng
To throw my (unsolicited) 2 cents into the ring, Oleg, you work for a well-funded and fairly large company. You are certainly free to continue using the list and asking for community support (I am definitely not in any position to tell you otherwise, anyway), but that community support is by defini

Re: Session timeout

2016-01-29 Thread Robert Coli
On Fri, Jan 29, 2016 at 3:12 PM, Jack Krupansky wrote: > One last time, I'll simply renew my objection to the way you are abusing > this list. > FWIW, while I appreciate that OP (Oleg) is attempting to do a service for the community, I agree that the flood of single topic, context-lacking posts

Re: Session timeout

2016-01-29 Thread Jack Krupansky
One last time, I'll simply renew my objection to the way you are abusing this list. You'll hear no further reply from me and I will begin marking any more of your excessive inquiries as spam. If others in the community wish to do your security review for you one item at a time, that is their prerog

Re: Session timeout

2016-01-29 Thread oleg yusim
Jack, I have to note, Cassandra documentation the way it stays now, is not nearly detailed enough. For instance: https://docs.datastax.com/en/cassandra/2.1/cassandra/configuration/configLoggingLevels_r.html is all Cassandra has to say about logging. The reason why I bring my questions to the maili

Re: Session timeout

2016-01-29 Thread Jack Krupansky
No offense, but my suggestion here is that you write up a preliminary list of your own answers based on your own reading of the doc, specs, and white papers (and source code) and post that list, like on Google Docs, for people to review in bulk, rather than force all Cassandra users on this list to

Re: Session timeout

2016-01-29 Thread oleg yusim
Jack, Appreciate the links. As I mentioned, I looked over both DSE and Cassandra sets of documentation, and ran some experiments on my Cassandra installation. What I'm bringing here is something I couldn't find definitive answer for in any of the above-mentioned sources. For instance, regarding l

Re: Session timeout

2016-01-29 Thread Jack Krupansky
There is some more detail on DSE Security in this white paper: http://www.datastax.com/wp-content/uploads/2014/04/WP-DataStax-Enterprise-SOX-Compliance.pdf It mentions auditing, for example. I think you were asking about that earlier. There may be some additional info or discussion related to secu

Re: Session timeout

2016-01-29 Thread oleg yusim
Alex, No offense taken, your question is absolutely legit. As we used to joke in security world "putting on my black hat"/"putting on my white hat" - i.e. same set of questions I would be asking for hacking and protecting the product. So, I commend you for being careful here. Now, at that par

Re: Session timeout

2016-01-29 Thread Alex Popescu
On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim wrote: > Thanks for encouraging me, I kind of grew a bit desperate. I'm security > person, not a Cassandra expert, and doing security assessment of Cassandra > DB, I have to rely on community heavily. I will put together a composed > version of all my p

Re: Session timeout

2016-01-29 Thread oleg yusim
estions for free if you > post on these mailing lists. They’ll likely answer even more if you pay > them. > > > > From: oleg yusim > Reply-To: "user@cassandra.apache.org" > Date: Friday, January 29, 2016 at 9:16 AM > To: "user@cassandra.apache.org" > Subject: Re: Sessio

Re: Session timeout

2016-01-29 Thread Jeff Jirsa
e.org" Date: Friday, January 29, 2016 at 9:16 AM To: "user@cassandra.apache.org" Subject: Re: Session timeout Jon, I suspected something like that. I did a bit of learning on Cassandra before starting my assessment, and I understand that you are right, and it is generally no

Re: Session timeout

2016-01-29 Thread oleg yusim
Jon, I suspected something like that. I did a bit of learning on Cassandra before starting my assessment, and I understand that you are right, and it is generally not used like that. However (taking off my developer hat and putting on my security architect hat), from the security point of view th

Re: Session timeout

2016-01-29 Thread Jonathan Haddad
I think the reason why most of your queries aren't being answered is because you're asking questions that most people don't have the answer to. On the automatic disconnect, anyone using Cassandra in prod doesn't really need to think about it because we're always running queries, perhaps millions a

Re: Session timeout

2016-01-29 Thread oleg yusim
Hi Carlos, Thanks for encouraging me, I kind of grew a bit desperate. I'm security person, not a Cassandra expert, and doing security assessment of Cassandra DB, I have to rely on community heavily. I will put together a composed version of all my previous queries, will title it "Security assessme

Re: Session timeout

2016-01-29 Thread Carlos Alonso
I've been in this community and mailing list quite a while now and it's hard to find questions without answer. There are lots of good experts willing to help here. If you don't see your question answered I'd advise you to send it again, because it's also true that the mailing list has quite a lot of

Re: Session timeout

2016-01-29 Thread oleg yusim
Not a problem, Carlos, at least you tried :) I have overall a big problem with my queries to Cassandra community. Most of them are not getting answered. Oleg On Fri, Jan 29, 2016 at 8:03 AM, Carlos Alonso wrote: > Oh, I thought you meant read/write timeout, not session timeout due to > inactivi

Re: Session timeout

2016-01-29 Thread Carlos Alonso
Oh, I thought you meant read/write timeout, not session timeout due to inactivity... Not sure there's such option. Sorry Carlos Alonso | Software Engineer | @calonso On 29 January 2016 at 13:35, oleg yusim wrote: > Carlos, > > I went through Java and Python driver

Re: Session timeout

2016-01-29 Thread oleg yusim
Carlos, I went through Java and Python drivers... didn't find anything like that. Can you bring me example from your Ruby driver? Let me also make sure we are on the same page - I'm talking about session timeout due to inactivity, not read timeout or something like that. Thanks, Oleg On Fri, Ja

Re: Session timeout

2016-01-29 Thread Carlos Alonso
I personally don't use the Java but the Ruby driver, but I'm pretty sure you'll be able to find it in the docs: https://github.com/datastax/java-driver Carlos Alonso | Software Engineer | @calonso On 29 January 2016 at 13:15, oleg yusim wrote: > Hi Carlos, > > Than

Re: Session timeout

2016-01-29 Thread oleg yusim
Hi Carlos, Thanks for your answer. Can you, please, get me a bit more information? What is the driver? JDBC? What is the name of configuration file? Thanks, Oleg On Fri, Jan 29, 2016 at 5:12 AM, Carlos Alonso wrote: > Hi Oleg. > > The drivers have builtin the timeout configurable functionality.

Re: Session timeout

2016-01-29 Thread Carlos Alonso
Hi Oleg. The drivers have builtin the timeout configurable functionality. Hope it helps. Carlos Alonso | Software Engineer | @calonso On 28 January 2016 at 22:18, oleg yusim wrote: > Greetings, > > Does Cassandra support session timeout? If so, where can I find t