Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents


Current state: Accepted

Discussion thread:


Released: Unreleased

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).: Draft


Users onboarding to Cloud have different ways of running and accessing Cassandra servers,


  • One requirement can be, admins/superusers credentials should be allowed only from internal network, to avoid misusing or hacking special privileges from an external cloud which can damage Cluster data
  • If the Cluster is shared by different teams in a organisationorganization, allowing certain teams to access the cluster only from certain regions
  • If an Organisation organization has multiple cloud environments or external networks, another requirement can be, allowing users access to the Cluster only from certain Cloud environment(s)

These requirements may not be possible to fulfil fulfill using network firewalls or security policies, because


To support these scenarios, Cassandra server need ability to restrict users accesses based on incoming request’s IP range, aka, CIDRs. For reference, few other database servers already having similar features - MySql, MariaDB and PostgreSQL.

Note: From here onwards this document refers a ‘region’ as a ‘CIDR group’.


  • Organisations Organizations with on-premise data centers and one or more Cloud environments
  • Organisations Organizations with multiple users/teams sharing the same Cassandra cluster and different users/teams having restricted access from different CIDR groups
  • Organisations Organizations with multiple Cassandra clusters running under the same network, exposed to access from internal and external networks, and different clusters having different access restrictions


  • Ability to restrict individual or set of users accessing C* cluster from different CIDR groups
  • Ability to restrict Cassandra cluster to be accessible only from certain networks when it’s not easy to achieve the same with network security
  • Avoiding usage of credentials/certificates copied from one CIDR group to another, either by mistake or by hacking


Proposed changes highlighted below

  1. Retrieve user details from the incoming request.
  2. Authenticate incoming user, as it’s happening currently. Reject the request If not a valid user
  3. Perform currently existing authorisation authorization checks for the role
  4. Lookup system_auth.cidr_permissions table to retrieve CIDR permissions of the user. If the user has CIDR permissions ‘ALL’, i.e, allowed to access from any CIDR group, Approve the incoming request
  5. Retrieve the source IP from the incoming request.
  6. Lookup our new C* table system_auth.cidr_groups, which maps <CIDR groups to CIDRs>,to resolve the CIDR group of the source IP (Note: this won’t be a simple select query, next section describes the algorithm used to achieve this).
  7. Using CIDR permissions retrieved in step 4, check is incoming user enabled to access from the CIDR group of the incoming IP. If not enabled, reject the request. Otherwise approve the request

The same flow works for both Password based and mTLS based authentications. Incase of mtls based authentication, we will retrieve identity from the incoming certificate, map that identity to a role, and use that role for CIDR checks as listed above.

Proposed Changes

Mapping of CIDR groups to CIDRs

Created a new table system_auth.cidr_groups, which maintains mapping of CIDR groups to CIDRs. Assuming organisations organizations have a way to map their internal CIDR groups to a list of CIDRs. We expect them to have a script/workflow that writes these mappings to the Cassandra table listed below. Organisations Organizations can have automated script/workflow to periodically update this table as and when their network changes.

A CIDR group can be associated with multiple CIDRs. A CIDR group without a deterministic IP range can be added as a wild card entry, for example which matches every IP. We use longest matching prefix algorithm to find the narrowest matching CIDR for the incoming IP and associate it with corresponding CIDR group. For example, assuming below table,


Appendix - CIDRS Interval tree section describes the algorithm used for finding longest matching CIDR for an IP.

Associating roles to CIDR groups

Created a new table system_auth.cidr_permissions, to maintain mapping of roles to CIDR permissions, i.e, a set of CIDR groups that a role is enabled for. Below table is an example.

Code Block
role        | CIDR_GROUPS
roles/user1 | {}
roles/user2 | {'AWS', 'GCP}
roles/user3 | {'Internal'}
roles/user4 | {'AWS'}

Enabling and disabling roles for access from CIDR groups

Create and alter role CQL commands are modified to allow admin/superusers to enable or disable roles for CIDR groups. Here are examples.

Code Block



Feature flag and options in cassandra.yaml file

A new feature flag provided to enable/disable CIDR authorizer.

  • By default AllowAllCIDRAuthorizer is used, which allows any user to access from any CIDR.
  • CassandraCIDRAuthorizer provides MONITOR and ENFORCE modes. ENFORCE mode rejects users accesses from unauthorised unauthorized CIDR groups. Where as, MONITOR mode doesn’t reject incoming connections, instead logs a warning message when an access attempted from unauthorised unauthorized CIDR group. So MONITOR mode is useful to recognise recognize from which CIDR groups a Cassandra cluster being accessed, for example, as an intermediate step during the migration to CIDR authorizer ENFORCE mode.


Code Block
# CIDR authorization backend, implementing ICIDRAuthorizer; used to restrict user
# access from certain CIDRs
# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllCIDRAuthorizer,
# CassandraCIDRAuthorizer}.
# - AllowAllCIDRAuthorizer allows access from any CIDR to any user - set it to disable CIDR authorization.
# - CassandraCIDRAuthorizer stores user's CIDR permissions in system_auth.cidr_permissions table. Please
# increase system_auth keyspace replication factor if you use this authorizer, otherwise any changes to
# system_auth tables being used by this feature may be lost when a host goes down.
class_name: AllowAllCIDRAuthorizer
# Below parameters are used only when CIDR authorizer is enabled
# parameters:
# CIDR authorizer when enabled, i.e, CassandraCIDRAuthorizer, is applicable for non-superusers only by default.
# Set this setting to true, to enable CIDR authorization for superusers as well.
# Note: CIDR checks cannot be performed for JMX calls
# cidr_checks_for_superusers: true

# CIDR authorizer when enabled, supports MONITOR and ENFORCE modes. Default mode is MONITOR
# In MONITOR mode, CIDR checks are NOT enforced. Instead, CIDR groups of users accesses are logged using
# nospamlogger. A warning message would be logged if a user accesses from unauthorized CIDR group (but access won't
# be rejected). An info message would be logged otherwise.
# In ENFORCE mode, CIDR checks are enforced, i.e, users accesses would be rejected if attempted from unauthorized
# CIDR groups.
# cidr_authorizer_mode: MONITOR

# Refresh interval for CIDR groups cache, this value is considered in minutes
# cidr_groups_cache_refresh_interval: 5

# Maximum number of entries an IP to CIDR groups cache can accommodate
# ip_cache_max_size: 100

New CQL data type - CIDR


Code Block
CREATE TABLE system_auth.cidr_groups (
cidr_group text PRIMARY KEY,
cidrs_list frozen<set<tuple<inet, smallint>>>

After introducing the new CQL data type CIDR, we will modify the code to create a new table with new data type. Schema of the table after introducing new data type would be as below.

Code Block
CREATE TABLE system_auth.cidr_groups_mapping (
cidr_group text PRIMARY KEY,
cidrs_list frozen<set<CIDR>>


to CIDR groups cache can accommodate
# ip_cache_max_size: 100

Compatibility, Deprecation, and Migration Plan

  • Upgrade from older C* version to new (with this feature) shouldn’t be impacted because
    • Only new tables introduced with this feature, schema of existing tables remains unchanged
    • New feature flag introduced, behaviour behavior of existing feature flags remains unchanged
    • By default CIDR filtering is disabled, so existing clusters upgrades can be smooth without manual intervention
  • Default behaviour behavior for new and existing roles with CIDR authorizer
    • Super users: By default super users are allowed to access from all CIDR groups. So there is no change in default behaviourbehavior, unless cidr_checks_for_superusers is enabled
    • Exiting users: All existing users, will continue to have access from all CIDR groups, without a change in existing behaviourbehavior, as long as alter role command not ran on them to enable/disable CIDR groups explicitly
    • New users: New users created using existing ‘create role’ command , i.e, without using the new clause ‘ACCESS FROM CIDRS’ to explicitly restrict CIDR groups, will have access from all CIDR groups. So there is no change in default behaviour behavior when using existing commands
  • New clusters creation will have CIDR filtering disabled in cassandra.yaml file by default, so no manual action needed for default behaviourbehavior
  • Inter node authentication code doesn’t have ‘User’ and doesn’t perform roles/permissions checks, hence shouldn’t be impacted by CIDR filtering authorizer

New or Changed Public Interfaces

New error message

Below error message would be seen by a user trying to access the cluster and not having access from that IP (i.e, associated CIDR group)


Code Block
% python3 localhost -u user1 -p user1

Connection error: ('Unable to connect to any servers', {'::1:9042': ConnectionRefusedError(61, "Tried connecting to [('::1', 9042, 0, 0)]. Last error: Connection refused"),
'': Unauthorized('Error from server: code=2100 [Unauthorized] message="You do not have access from this IP"')})

Changes to CQL commands

'Create role’ command modified to be able to add CIDR permissions during the role creation. Below options added to the existing command:


Code Block

ALTER ROLE role1 with ACCESS FROM CIDRS { 'internal' }; 

Changes to nodetool commands

New nodetool command provided to add/update a CIDR group name to CIDRs mapping


Code Block
nodetool cidrfilteringstats

New virtual tables

New virtual tables provided to list metrics of CIDR filtering authorizer. Below is the sample output of these tables.


Code Block
cqlsh> select * from system_views.cidr_filtering_metrics_counts;
name                                                       | value
CIDR groups cache reload count                             | 2
Number of CIDR accesses accepted from CIDR group - aws     | 15
Number of CIDR accesses accepted from CIDR group - gcp     | 30
Number of CIDR accesses rejected from CIDR group - gcp     | 6

cqlsh> select * from system_views.cidr_filtering_metrics_latencies;
name                                         | max   | p50th | p95th | p999th | p99th
CIDR checks latency (ns)                     | 24601 | 1     | 11864 | 24601  | 24601
CIDR groups cache reload latency (ns)        | 42510 | 42510 | 42510 | 42510  | 42510
Lookup IP in CIDR groups cache latency (ns)  | 1     | 1     | 1     | 1      | 1

Test Plan

  • Unit tests added to test the new and changed code
  • Ran Cassandra server with CIDR filtering disabled and tested no change in existing behaviourbehavior
  • Ran Cassandra server with CIDR filtering enabled, populated CIDR groups mappings, created users with different CIDR permissions and tested users accesses. Verified CIDR authorizer working as expected
  • Developed JMH benchmark to measure impact of CIDR authorizer on Cassandra server authorization latency (Please see Benchmarks section)
  • Plan is to run Cassandra upgrade test, from older version to new version with this feature and ensure no change in the functionality for existing usersClients to C* server compatibility testing will be done after introducing new CQL data type CIDR.


Below are results of benchmark of CIDR authorizer in ENFORCE mode (measured using JMH benchmark test on single C* instance). This score indicates additional nanoseconds to the current latency during C* server authorization path, when CIDR authorizer is enabled.

Code Block
Benchmark                                              Mode  Score      Error   Units
CIDRAuthorizerBench.benchCidrAuthorizer_InvalidLogin   avgt  979.823 ±  8.837   ns/op
CIDRAuthorizerBench.benchCidrAuthorizer_ValidLogin     avgt  1076.707 ± 14.199  ns/op

InvalidLogin - benchmarks the case of unsuccessful CIDR access
ValidLogin - benchmarks the case of successful CIDR access

Potential Improvements

Currently we are maintaining explicitly enabled CIDR permissions for a user. This can be extended to also maintain explicitly denied CIDR permissions for a user. For example, if a user is allowed to access from all but one CIDR group, instead of explicitly enabling that user for all but one, can use deny list to restrict only from one CIDR group

Rejected Alternatives

Explored an option of using identity and location information of a mtls certificate for doing CIDR filtering. But it’s not reliable as it’s possible to copy a mtls certificate to a different location. Also, this approach restricts CIDR filtering only to mtls based authentication

Appendix - CIDRs Interval tree

(Suggested and implemented by Yifan Cai  )

CIDRs interval tree is a variant of interval tree. Each node contains a CIDR and a value. In this specific case, the value is CIDR group name(s). A node has left children array and the right children array.
- The left children's CIDRs are either less than the starting IP of parent or overlaps with the parent node.
- The right children's CIDRs are either greater than the ending IP of the parent or overlaps with the parent node.
Note that the nodes that overlap with the parent node are included in both left and right children arrays.

The tree organizes nodes by placing non-overlapping CIDRs at the same level. In general, CIDRs with the same net mask do not overlap, hence are placed in the same level. CIDRs with different net mask may overlap, hence placed at different levels in the tree. In addition to this, there is an optimisation optimization to promote a CIDR to an upper level, if it is not overlapping with any CIDR in the parent level, that means, in such cases a CIDR with different net mask can co-locate in the same level with other CIDRs.

Levels closer to the root contains CIDRs with higher net mask value. Net mask value decreases as levels further down from the root. i.e, Nearer the level to the root, the narrower the CIDR, meaning matching the longer IP prefix.


Code Block
Assume below CIDRs
"",  (i.e, IP range -, netmask 10)
"",  (i.e, IP range -, netmask 20)
"",        (i.e, IP range -, netmask 0)
""       (i.e, IP range -, netmask 10)

The resulting interval tree looks like below. CIDR interval tree root points to level0 array.

level0     [ ( -, 10)  ( -, 20) ]
                      /                 \              /  \
level1               /             ( -, 10)
                    /                     /  \
level2            ( -, 0)

Note: In the above example, ideally CIDRs with netmask 20 should be at level 0, CIDRS with netmask 10 should be at level 1, CIDRs with net mask 0 should be at level 2. But due to the optimisationoptimization, as ( -, 10) does not have any overlapping CIDR, it is moved up a level
