There are two types of security in Apache Cassandra and DataStax Enterprise:
- Internal Authentication
- Internal Authorization
In this tutorial, you will learn:
- What is Internal Authentication and Authorization
- Configure Authentication and Authorization
- Logging in
- Create New User
- Configuring Firewall
- Enabling JMX Authentication
Internal authentication validates a user's connection: the user is authenticated with a login and password, and all user accounts are managed inside Cassandra itself.
Internal authorization deals with a user's permissions, that is, which actions a user may perform. For example, one user may be given only read permission on data, another write permission, and another delete permission.
However, authentication can also be controlled externally with Kerberos (which manages credentials securely) and LDAP (which holds authoritative information about accounts, such as what they are allowed to access).
External authentication is authentication backed by Kerberos or LDAP. Apache Cassandra does not support external authentication.
Only DataStax Enterprise supports external authentication with Kerberos and LDAP, whereas internal authentication is supported by both Apache Cassandra and DataStax Enterprise.
In Cassandra, authentication and authorization are disabled by default. To enable them, you have to edit the cassandra.yaml file.
Open cassandra.yaml and change the lines that deal with internal authentication and authorization:
- In cassandra.yaml, the default authenticator value is 'AllowAllAuthenticator'. Change it from 'AllowAllAuthenticator' to 'com.datastax.bdp.cassandra.auth.PasswordAuthenticator'.
- Similarly, the default authorizer value is 'AllowAllAuthorizer'. Change it from 'AllowAllAuthorizer' to 'com.datastax.bdp.cassandra.auth.CassandraAuthorizer'.
Now that authentication is enabled, any attempt to access a keyspace without logging in makes Cassandra return an error.
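The two cassandra.yaml changes above are easy to get wrong silently (a missing key is treated as AllowAll), so here is an added shell example, not part of the tutorial, that audits a cassandra.yaml for the insecure defaults and rewrites the two keys to the class names the tutorial gives. The sample yaml is constructed inline; the helper names and the temp-file approach are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit and harden the authenticator /
# authorizer keys of a cassandra.yaml. Helper names and paths are assumptions.
set -u

# Print the effective value of a top-level "key: value" line, ignoring
# commented-out lines. Prints nothing if the key is absent.
yaml_value() {
    key=$1; file=$2
    sed -n "s/^${key}:[[:space:]]*//p" "$file" | head -n 1
}

# Return 0 if both keys are non-default; otherwise print what is wrong and return 1.
# An absent key counts as insecure, because Cassandra then falls back to AllowAll.
cassandra_auth_audit() {
    file=$1; rc=0
    auth=$(yaml_value authenticator "$file")
    authz=$(yaml_value authorizer "$file")
    case "$auth" in
        ""|AllowAllAuthenticator|*.AllowAllAuthenticator)
            echo "INSECURE: authenticator is '${auth:-unset}' (clients connect without a password)"
            rc=1 ;;
    esac
    case "$authz" in
        ""|AllowAllAuthorizer|*.AllowAllAuthorizer)
            echo "INSECURE: authorizer is '${authz:-unset}' (every user may do anything)"
            rc=1 ;;
    esac
    return $rc
}

# Rewrite both keys to the classes named in the tutorial. A copy-then-move is
# used instead of "sed -i" so this works with both GNU and BSD sed.
cassandra_auth_harden() {
    file=$1
    sed -e 's/^authenticator:.*/authenticator: com.datastax.bdp.cassandra.auth.PasswordAuthenticator/' \
        -e 's/^authorizer:.*/authorizer: com.datastax.bdp.cassandra.auth.CassandraAuthorizer/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample: the stock defaults, written to a temp file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
cluster_name: 'Test Cluster'
# authenticator: PasswordAuthenticator   (commented out, must be ignored)
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
EOF

cassandra_auth_audit "$SAMPLE" || echo "audit fails before hardening (expected)"
cassandra_auth_harden "$SAMPLE"
cassandra_auth_audit "$SAMPLE" && echo "audit passes after hardening"
rm -f "$SAMPLE"
```

Run the audit function against the real file on each node after the change and again after every upgrade; a config-management rollout that ships a stock cassandra.yaml will quietly reintroduce the AllowAll defaults.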
By default, Cassandra provides a superuser account with user name 'cassandra' and password 'cassandra'. Logged in as the 'cassandra' account, you can do anything.
The first screenshot below shows that login is refused when you do not use the default Cassandra username and password.
The second screenshot shows that, after supplying the default login credentials, you are able to log in.
You can also create other users with this account. It is recommended to change the default password. Here is an example of logging in as the cassandra user and changing the default password:
alter user cassandra with password 'newpassword';
New accounts can be created with the 'cassandra' account.
To create a new user, specify the login and password, and whether the user is a superuser. Only a superuser can create new users.
create user robin with password 'manager' superuser;
create user robin with password 'newhire';
You can get a list of all users with the following syntax.
list users;
Users can be dropped with the following syntax.
drop user laura;
Authorization is the assigning of permissions to users, that is, which actions a particular user can perform.
Here is the generic syntax for assigning a permission to a user.
GRANT permission ON resource TO user;
Several types of permission can be granted to a user (the examples below use ALL and SELECT).
Here are examples of assigning permissions to a user.
create user laura with password 'newhire';
grant all on dev.emp to laura;
revoke all on dev.emp from laura;
grant select on dev.emp to laura;
A new user 'laura' is created with password 'newhire'. She is first granted all permissions on the table dev.emp, those are revoked again, and finally only SELECT on dev.emp is granted, so she can read that table but not modify it.
Here is an example where user 'laura' tries to access the emp_bonus table. Laura only has permission on dev.emp and no permission on dev.emp_bonus, which is why an error is returned.
select * from emp_bonus;
You can get a list of all permissions assigned to a user. Here is an example of getting a user's permissions.
list all permissions of laura;
You can also list all permissions on a resource. Here is an example of getting the permissions on a table.
list all permissions on dev.emp;
If a firewall is running, the following ports must be open for communication between nodes, including the Cassandra ports listed below. If the Cassandra ports are not open, a node will act as a standalone database server instead of joining the cluster.
Cassandra client ports

| Port | Purpose |
|------|---------|
| 9042 | Cassandra client port |
| 9160 | Cassandra client port (Thrift) |

Cassandra internode ports

| Port | Purpose |
|------|---------|
| 7000 | Cassandra internode cluster communication |
| 7001 | Cassandra SSL internode cluster communication |
| 7199 | Cassandra JMX monitoring port |

Cassandra OpsCenter ports

| Port | Purpose |
|------|---------|
| 8888 | OpsCenter website (browser HTTP requests) |
| 61620 | OpsCenter monitoring port |
| 61621 | OpsCenter agent port |
With Cassandra's default settings, JMX can only be accessed from localhost. If you want to access JMX remotely, change the LOCAL_JMX setting in cassandra-env.sh and enable authentication or SSL.
After enabling JMX authentication, make sure OpsCenter and nodetool are configured to use authentication.
Follow these steps to enable JMX authentication.
- In the cassandra-env.sh file, add or update the following lines:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
Also change the LOCAL_JMX setting in cassandra-env.sh.
- Copy jmxremote.password.template from /jdk_install_location/lib/management/ to /etc/cassandra/ and rename it to jmxremote.password:
cp /jdk_install_location/lib/management/jmxremote.password.template /etc/cassandra/jmxremote.password
- Change the ownership of jmxremote.password to the user you run Cassandra as, and make it readable by that user only:
chown cassandra:cassandra /etc/cassandra/jmxremote.password
chmod 400 /etc/cassandra/jmxremote.password
- Edit jmxremote.password and add the users and passwords for JMX-compliant utilities:
monitorRole QED
controlRole R&D
cassandra cassandrapassword
- Add the Cassandra user with read and write permission to /jdk_install_location/lib/management/jmxremote.access:
monitorRole readonly
cassandra readwrite
controlRole readwrite \
  create javax.management.monitor.,javax.management.timer. \
  unregister
- Restart Cassandra.
- Run nodetool with the Cassandra user and password:
$ nodetool status -u cassandra -pw cassandra
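The permission step above matters more than it looks: the JVM refuses to start remote JMX at all if jmxremote.password is readable by group or others, and a world-readable password file hands out the nodetool credentials to every local account. The following added shell example, not part of the tutorial, writes the password file the way the steps describe, checks its mode, and checks that cassandra-env.sh carries the authentication flags. It works in a temporary directory so it runs without root; the chown from the tutorial is left as a comment, and all helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): create and verify the JMX password
# file and cassandra-env.sh flags. Helper names and the temp dir are assumptions.

# Return 0 only if the file exists and its mode denies group and others
# (-r-------- or -rw-------), which is what the JMX agent insists on.
jmx_password_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) echo "bad mode $mode on $f (must be 400 or 600)"; return 1 ;;
    esac
}

# Write the role/password pairs from the tutorial to DIR/jmxremote.password.
# The umask in the subshell means the file is never world-readable, not even
# for the instant between creation and chmod.
jmx_write_password_file() {
    dir=$1
    f="$dir/jmxremote.password"
    ( umask 077; printf '%s\n' 'monitorRole QED' 'controlRole R&D' \
        'cassandra cassandrapassword' > "$f" )
    chmod 400 "$f"
    # chown cassandra:cassandra "$f"   # as in the tutorial; needs root, so assumed done by the operator
}

# Return 0 if cassandra-env.sh enables JMX authentication and names a password
# file; report (without failing) whether LOCAL_JMX still binds JMX to localhost.
jmx_env_ok() {
    env=$1; rc=0
    grep -q 'jmxremote.authenticate=true' "$env" || { echo "jmxremote.authenticate=true missing"; rc=1; }
    grep -q 'jmxremote.password.file=' "$env"    || { echo "jmxremote.password.file missing"; rc=1; }
    if grep -q '^LOCAL_JMX=no' "$env"; then
        echo "LOCAL_JMX=no: JMX reachable remotely, so authentication is mandatory"
    else
        echo "LOCAL_JMX not set to no: JMX stays on localhost"
    fi
    return $rc
}

# Constructed sample: password file plus a minimal cassandra-env.sh in a temp dir.
WORK=$(mktemp -d)
jmx_write_password_file "$WORK"
cat > "$WORK/cassandra-env.sh" <<EOF
LOCAL_JMX=no
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=$WORK/jmxremote.password"
EOF
jmx_password_file_ok "$WORK/jmxremote.password" \
    && jmx_env_ok "$WORK/cassandra-env.sh" \
    && echo "JMX authentication setup looks right"
rm -rf "$WORK"
```

Point the two check functions at /etc/cassandra/jmxremote.password and the real cassandra-env.sh to verify a node before restarting it; a failing mode check is the usual reason a restart after this change comes up without JMX.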
This tutorial explained security in Cassandra and how to configure cassandra.yaml to enable it. It also covered creating new user accounts, assigning permissions, configuring the firewall, and enabling JMX authentication.