nodetool invalidatecidrpermissionscache¶
Invalidates the CIDR permissions cache on the node, for the given roles or for all roles.
Synopsis¶
nodetool [connection_options] invalidatecidrpermissionscache [<role>...]
Description¶
nodetool invalidatecidrpermissionscache clears the cached CIDR permissions on the node it is run against, for the roles named on the command line or for every role when none is given. The next login by an affected role reads its CIDR permissions from system_auth again instead of from the cache. Connections that are already authenticated are not affected: CIDR filtering is evaluated when a client logs in, not on every request.
The CIDR permissions cache stores, per role, the set of CIDR groups that role is allowed to log in from (the ACCESS FROM CIDRS part of its definition), so that a login does not have to query system_auth. It does not store the address ranges inside a group; those live in the CIDR groups mapping cache, which reloadcidrgroupscache refreshes. Invalidate the permissions cache after changing a role's CIDR access, or after dropping a group that roles still reference, so that the change takes effect before the cached entry expires on its own.
Examples¶
Basic Usage¶
nodetool invalidatecidrpermissionscache
After Role CIDR Permission Changes¶
# After changing which CIDR groups a role may log in from (ALTER ROLE ... WITH ACCESS FROM CIDRS),
# drop that role's cached entry so the next login uses the new set
nodetool invalidatecidrpermissionscache app_user
After CIDR Group Changes¶
# Update the address ranges in a CIDR group
nodetool updatecidrgroup app_servers '10.100.0.0/16,10.101.0.0/16'
# Ranges are held in the groups mapping cache, not the permissions cache: reload that one
nodetool reloadcidrgroupscache
After Dropping a CIDR Group¶
# Remove CIDR group
nodetool dropcidrgroup deprecated_network
# Reload the groups mapping, then clear permissions cached for roles that still referenced the group
nodetool reloadcidrgroupscache
nodetool invalidatecidrpermissionscache
Cluster-Wide Invalidation¶
# Both caches are node-local, so run the command on every node for cluster-wide effect
# and report any node that did not acknowledge it
for host in node1 node2 node3; do
  ssh "$host" "nodetool invalidatecidrpermissionscache" || echo "invalidation failed on $host" >&2
done
When to Use¶
After CIDR Configuration Changes¶
# After changing a CIDR group, reload the group mapping
nodetool updatecidrgroup new_network '10.200.0.0/16'
nodetool reloadcidrgroupscache
# After changing a role's CIDR access, invalidate that role's cached permissions
nodetool invalidatecidrpermissionscache app_user
Refresh the caches on every node after:
- Creating new CIDR groups (reloadcidrgroupscache)
- Updating CIDR group ranges (reloadcidrgroupscache)
- Dropping CIDR groups (reloadcidrgroupscache, then invalidatecidrpermissionscache for roles that referenced the group)
- Modifying role-to-CIDR associations with ALTER ROLE ... WITH ACCESS FROM CIDRS (invalidatecidrpermissionscache)
Without an explicit refresh, the groups mapping is reloaded on its periodic refresh interval and permissions entries expire with permissions_validity, so a change is eventually applied either way; the commands above make it take effect now.
Immediate Security Response¶
# Drop the group so roles restricted to it can no longer log in from those addresses
nodetool dropcidrgroup compromised_subnet
nodetool reloadcidrgroupscache
nodetool invalidatecidrpermissionscache
During a security incident, run both refreshes on every node immediately rather than waiting for the caches to expire. Two caveats: the CIDR check runs at login, so sessions already authenticated from the affected addresses stay open until they disconnect (cut them at the firewall or load balancer if needed), and logins are actually rejected only when the CIDR authorizer runs in ENFORCE mode; in MONITOR mode a denial is only logged.
Troubleshooting Authorization Issues¶
# Clear both caches to rule out stale data
nodetool reloadcidrgroupscache
nodetool invalidatecidrpermissionscache
# Confirm which CIDR groups the node maps the client's IP to, and which groups exist
nodetool getcidrgroupsofip 10.50.100.25
nodetool listcidrgroups
Best Practices¶
Cache Invalidation Guidelines
- Run on every node - The cache is node-local and a client may authenticate against any node, so an invalidation run on one node leaves the others serving the old entry
- Include in change procedures - Invalidate after every role CIDR change, and reload the groups mapping after every group change
- Monitor after invalidation - Watch for unexpected login failures after the cache is cleared
- Consider timing - Cache invalidation briefly increases login latency while entries are rebuilt
Non-Persistent Setting
This is a runtime operation only. The cache will automatically rebuild as new authorization checks occur. No configuration changes are persisted.
Cache Behavior
- Cache entries expire based on the permissions_validity setting
- Invalidation clears all cached CIDR permissions, or only the entries of the roles given
- New entries are cached as roles log in again or new checks occur
- Nodes with high login rates may see a brief latency increase after invalidation
Performance Considerations¶
After invalidating the cache:
- The first login by each role requires a full lookup against system_auth
- Cache rebuilds automatically as checks occur
- Brief increase in authorization latency is normal
- Monitor cidrfilteringstats for cache performance metrics
# Check cache performance after invalidation
nodetool cidrfilteringstats
Related Commands¶
| Command | Relationship |
|---|---|
| cidrfilteringstats | View CIDR filtering and cache statistics |
| listcidrgroups | List CIDR groups |
| getcidrgroupsofip | Show which CIDR groups an IP address belongs to |
| updatecidrgroup | Modify CIDR groups |
| dropcidrgroup | Remove CIDR groups |
| reloadcidrgroupscache | Reload the groups mapping from storage (needed after group changes) |
| invalidatepermissionscache | Clear the regular (non-CIDR) role permissions cache |