I recently came across an issue where by my user Keyspace was replicated by 3 (I have 3 nodes) but my system_auth was default to 1, we also use authentication, I then lost 2 of my nodes and because authentication wasn’t replicated I couldn’t log in.
Once I resolved the issue, and got the nodes back up, I could then log back in, I too asked the community what was going on , and I was pointed to this http://docs.datastax.com/en/datastax_enterprise/4.8/datastax_enterprise/sec/secConfSysAuthKeyspRepl.html it clearly states the following Attention: To prevent a potential problem logging into a secure cluster, set the replication factor of the system_auth and dse_security keyspaces to a value that is greater than 1. In a multi-node cluster, using the default of 1 prevents logging into any node when the node that stores the user data is down. From: Chuck Reynolds [mailto:creyno...@ancestry.com] Sent: 30 August 2017 16:51 To: user@cassandra.apache.org Subject: system_auth replication factor in Cassandra 2.1 So I’ve read that if your using authentication in Cassandra 2.1 that your replication factor should match the number of nodes in your datacenter. Is that true? I have two datacenter cluster, 135 nodes in datacenter 1 & 227 nodes in an AWS datacenter. Why do I want to replicate the system_auth table that many times? What are the benefits and disadvantages of matching the number of nodes as opposed to the standard replication factor of 3? The reason I’m asking the question is because it seems like I’m getting a lot of authentication errors now and they seem to happen more under load. Also, querying the system_auth table from cqlsh to get the users seems to now timeout. Any help would be greatly appreciated. Thanks ________________________________________________________________________ This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy it. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Tradeweb reserves the right to monitor all e-mail communications through its networks. If you do not wish to receive marketing emails about our products / services, please let us know by contacting us, either by email at contac...@tradeweb.com or by writing to us at the registered office of Tradeweb in the UK, which is: Tradeweb Europe Limited (company number 3912826), 1 Fore Street Avenue London EC2Y 9DT. To see our privacy policy, visit our website @ www.tradeweb.com.
