Is there any way to restrict access to Cassandra? In MySQL, users require a username and password before access can be gained, including through tools such as Workbench. Is there any such system in place, or can the CLI and cqlsh tools access Cassandra regardless?
Which version of Cassandra are you using? For 1.2.2 and later, you can authenticate using the PasswordAuthenticator and CassandraAuthorizer as described in the documentation (http://www.datastax.com/docs/1.2/security/native_authentication):
1- Change the cassandra.yaml authenticator setting to PasswordAuthenticator:
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
You will also want to set the authorizer to CassandraAuthorizer:
authorizer: com.datastax.bdp.cassandra.auth.CassandraAuthorizer
2- Configure the replication factor for the system_auth keyspace.
3- Restart Cassandra.
A default superuser name and password (cassandra) that you use to start the supported client is stored in Cassandra. For example, to start cqlsh:
./cqlsh -u cassandra -p cassandra
You can now set up user accounts and authorize users to access the database objects by using CQL to grant them permissions on those objects.
Of course, you will want to read the information (in the above link) on how to "Change the superuser password."
Once you've done that, cassandra-cli can be invoked similarly to how cqlsh was in the above example:
./cassandra-cli -u username -pw password
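The CQL side of the steps above (system_auth replication, replacing the default superuser, creating accounts and granting permissions), as an added example that is not part of the original answer or the DataStax documentation. The user names, the `app_data` keyspace, the replication factor of 3 with SimpleStrategy, and the passwords are constructed placeholders.

```cql
-- Added example. Run in cqlsh; every name and password below is a placeholder.

-- Step 2: replicate the credential data so logins still work when a node
-- is down. Assumes a single-datacenter cluster with at least 3 nodes.
ALTER KEYSPACE system_auth
  WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 3};
-- Afterwards, from the shell on each node: nodetool repair system_auth

-- After the restart, while logged in as the default cassandra/cassandra
-- account, create a replacement superuser.
CREATE USER dba WITH PASSWORD 'REPLACE_WITH_LONG_RANDOM_VALUE_1' SUPERUSER;

-- Reconnect as dba (a superuser cannot change its own superuser status),
-- then change the default account's password and remove its privileges.
ALTER USER cassandra
  WITH PASSWORD 'REPLACE_WITH_LONG_RANDOM_VALUE_2' NOSUPERUSER;

-- Application accounts carry only the permissions they need.
CREATE USER app_rw    WITH PASSWORD 'REPLACE_WITH_LONG_RANDOM_VALUE_3' NOSUPERUSER;
CREATE USER report_ro WITH PASSWORD 'REPLACE_WITH_LONG_RANDOM_VALUE_4' NOSUPERUSER;

-- SELECT allows reads; MODIFY allows INSERT, UPDATE, DELETE and TRUNCATE.
GRANT SELECT ON KEYSPACE app_data TO app_rw;
GRANT MODIFY ON KEYSPACE app_data TO app_rw;
GRANT SELECT ON KEYSPACE app_data TO report_ro;

-- Review the result: who exists, and what each account may do.
LIST USERS;
LIST ALL PERMISSIONS OF app_rw;
LIST ALL PERMISSIONS OF report_ro;
```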
For an overview, you should also check out the doc: A Quick Tour of Internal Authentication and Authorization Security in DataStax Enterprise and Apache Cassandra
It is the only resource I have found that is related to Authentication:
With version 1.2.2, we’ve delivered internal authentication and authorization that lets you manage login ID’s and passwords inside of Cassandra, as well as who can do what inside a database cluster from an authorization (i.e. permissions) perspective.
Going around, this took me to: DataStax Enterprise 3.0 Documentation Security management section on http://www.datastax.com/docs
DataStax Enterprise 3.0 includes a number of features for securing data. The security framework provides advanced data protection for enterprise-grade databases. You can secure a DataStax Community or DataStax Enterprise cluster using these features.
Internal authentication using login accounts and passwords
Object permission management based on the GRANT/REVOKE paradigm
Client to node encryption using SSL for data going from the client to the Cassandra cluster
DataStax Enterprise offers additional security, not included in DataStax Community, to enterprises for mission-critical data:
Kerberos authentication: a network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner using tickets. You can also set up Kerberos to use LDAP for authentication.
Transparent data encryption: the encoding of data flushed from the memtable in system memory to the SSTables on disk (at rest data) to be unreadable to unauthorized users. Encryption and decryption occurs without user intervention.
Data auditing: the administrator capability to create detailed audit trails of cluster activity.
By the way, DataStax Community – Comparative of DataStax Enterprise Edition and DataStax Community Edition says:
DataStax Community Edition: Contains the latest version of the Cassandra database for real-time data management, plus a free version of DataStax OpsCenter. Not supported for production systems.
For DataStax Community Edition, it includes:
Security Features: General security features
Whereas for DataStax Enterprise it mentions:
Security Features: General and advanced security features
In conclusion, take a look: security capabilities have been implemented since version 1.2.2, and you may not have to pay at all, depending on which security parts you require.
Other Reference: Apache Cassandra 1.2 Documentation - Security section that contains resources about: