From 543fb6a2dbfa8b89356e082be4f14173ef1da836 Mon Sep 17 00:00:00 2001 From: Andrzej Jackowski Date: Wed, 22 Apr 2026 09:08:46 +0200 Subject: [PATCH] audit: start maintenance socket after audit storage Without this, there is a window after startup where queries on the maintenance socket bypass auditing because audit storage is not yet initialized. Fixes SCYLLADB-1615 --- main.cc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/main.cc b/main.cc index b81beb2dfd..94c273a818 100644 --- a/main.cc +++ b/main.cc @@ -2352,15 +2352,6 @@ To start the scylla server proper, simply invoke as: scylla server (or just scyl }).get(); stop_signal.ready(false); - if (cfg->maintenance_socket() != "ignore") { - // Enable role operations now that node joined the cluster - maintenance_auth_service.invoke_on_all([](auth::service& svc) { - return auth::ensure_role_operations_are_enabled(svc); - }).get(); - - start_cql(*cql_maintenance_server_ctl, stop_maintenance_cql, "maintenance native server"); - } - // At this point, `locator::topology` should be stable, i.e. we should have complete information // about the layout of the cluster (= list of nodes along with the racks/DCs). startlog.info("Verifying that all of the keyspaces are RF-rack-valid"); @@ -2379,6 +2370,15 @@ To start the scylla server proper, simply invoke as: scylla server (or just scyl audit::audit::stop_storage().get(); }); + if (cfg->maintenance_socket() != "ignore") { + // Enable role operations now that node joined the cluster + maintenance_auth_service.invoke_on_all([](auth::service& svc) { + return auth::ensure_role_operations_are_enabled(svc); + }).get(); + + start_cql(*cql_maintenance_server_ctl, stop_maintenance_cql, "maintenance native server"); + } + // Semantic validation of sstable compression parameters from config. // Adding here (i.e., after `join_cluster`) to ensure that the // required SSTABLE_COMPRESSION_DICTS cluster feature has been negotiated.