nodetool dropcidrgroup
Cassandra 5.0+
This command is available in Cassandra 5.0 and later.
Removes a CIDR group from the cluster.
Synopsis
nodetool [connection_options] dropcidrgroup <group_name>
Description
nodetool dropcidrgroup removes a CIDR group definition from the cluster. Once dropped, the group can no longer be used for IP-based access control.
Persistent Change
Unlike many nodetool commands, this change is persistent across node restarts. CIDR groups are stored in the system_auth.cidr_groups table, which is replicated across the cluster. Once a group is dropped, it remains deleted until explicitly recreated.
Important Behavior
Dropping a CIDR group removes the group definition from system_auth.cidr_groups but does not automatically remove references to the group from role permissions in system_auth.cidr_permissions. Roles that reference the dropped group will have an invalid group reference. Update role permissions to remove group references before or after dropping the group.
Arguments
| Argument | Description |
|---|---|
| group_name | The name of the CIDR group to remove |
Examples
Basic Usage
nodetool dropcidrgroup deprecated_network
Safe Removal Process
# 1. Check current groups
nodetool listcidrgroups
# 2. Verify the group to be removed
nodetool getcidrgroupsofip 10.99.0.1
# 3. Remove the group
nodetool dropcidrgroup old_office_network
# 4. Invalidate cache to ensure immediate effect
nodetool invalidatecidrpermissionscache
# 5. Verify removal
nodetool listcidrgroups
When to Use
Decommission Network Ranges
# Remove CIDR group for decommissioned network
nodetool dropcidrgroup legacy_datacenter
Use when network ranges are no longer valid or have been decommissioned.
Clean Up Unused Groups
# Remove unused CIDR groups
nodetool dropcidrgroup test_network
Remove groups created for testing or that are no longer needed.
Security Response
# Remove compromised network range
nodetool dropcidrgroup compromised_subnet
nodetool invalidatecidrpermissionscache
Quickly revoke access from a network range during a security incident.
Best Practices
Pre-Drop Checklist
Before dropping a CIDR group:
- Identify dependent roles - Check which roles reference this group
- Update role permissions - Remove group references from roles first
- Notify stakeholders - Inform teams that may be affected
- Test in staging - Verify impact in non-production first
- Plan for rollback - Document group configuration for recovery if needed
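The first checklist item can be scripted. The following is an added example, not part of the Cassandra documentation or project code: it parses cqlsh output from system_auth.cidr_permissions and blocks the drop while any role still names the group. The column names `role` and `cidr_groups`, the `NODETOOL` override and the sample rows are assumptions.

```shell
#!/usr/bin/env bash
# Added example: refuse to drop a CIDR group that roles still reference.
# Assumption: system_auth.cidr_permissions exposes columns `role` and
# `cidr_groups` (a set of group names); check with DESCRIBE TABLE first.
# On a live node the input would come from something like:
#   cqlsh -e "SELECT role, cidr_groups FROM system_auth.cidr_permissions;"

# Constructed sample of that query's cqlsh output (not real data).
SAMPLE_PERMISSIONS=" role       | cidr_groups
------------+------------------------------------------
 app_reader | {'office_network', 'old_office_network'}
 etl_writer | {'datacenter_a'}
 legacy_svc | {'old_office_network'}
 vpn_users  | {'old_office_network_v2'}
 reporting  | null

(5 rows)"

# Read cqlsh output on stdin; print each role whose set contains exactly
# the given group name (a plain grep would also match old_office_network_v2).
roles_referencing_group() {
    awk -F'|' -v g="'$1'" '
        NF == 2 && index($2, "{") {
            role = $1; gsub(/^[ \t]+|[ \t]+$/, "", role)
            set = $2;  gsub(/[{} \t]/, "", set)
            n = split(set, items, ",")
            for (i = 1; i <= n; i++)
                if (items[i] == g) { print role; break }
        }'
}

# Drop the group and clear the cache only when no role references it.
# $1 = group name, $2 = cqlsh output; NODETOOL overrides the binary (hypothetical knob).
safe_drop_cidr_group() {
    local group="$1" refs
    refs=$(printf '%s\n' "$2" | roles_referencing_group "$group")
    if [ -n "$refs" ]; then
        printf 'not dropping %s, still referenced by:\n%s\n' "$group" "$refs" >&2
        return 1
    fi
    "${NODETOOL:-nodetool}" dropcidrgroup "$group" &&
        "${NODETOOL:-nodetool}" invalidatecidrpermissionscache
}

# Demo on the constructed sample: lists app_reader and legacy_svc.
printf '%s\n' "$SAMPLE_PERMISSIONS" | roles_referencing_group old_office_network
```

Keep the saved query output with the change record so the affected roles can be reviewed later.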
Safe Removal Process
# Document current configuration
nodetool listcidrgroups > cidr_groups_backup.txt
# Remove group
nodetool dropcidrgroup <group_name>
# Clear cache for immediate effect
nodetool invalidatecidrpermissionscache
Recovery
If a group is dropped accidentally, recreate it using:
nodetool updatecidrgroup <group_name> '<cidr_range>'
Restore each CIDR range that was part of the original group.
Related Commands
| Command | Relationship |
|---|---|
| listcidrgroups | List all CIDR groups |
| updatecidrgroup | Create or modify groups |
| getcidrgroupsofip | Check IP group membership |
| invalidatecidrpermissionscache | Clear CIDR cache |
| cidrfilteringstats | View filtering statistics |