Security

Authentication

Enable authentication in cassandra.yaml using the following two properties.

authenticator: PasswordAuthenticator

authorizer: CassandraAuthorizer

Log in to cqlsh using the default password for the "cassandra" role.

$ cqlsh 127.0.0.1 -u cassandra -p cassandra

Update the password of the existing cassandra role.

cqlsh> ALTER ROLE cassandra WITH PASSWORD = '<some_secure_password>';

Create a new superuser role, dba, with a password of its own.

cqlsh> CREATE ROLE dba WITH PASSWORD = '<some_secure_password>' AND SUPERUSER = true AND LOGIN = true;


Authorization

Cassandra supports role-based authorization. From a data-access point of view, table-level permission is the most granular permission Cassandra allows. Column-level, row-level and cell-level permissions are not supported at this time.

Log in to cqlsh using the cassandra user name.

$ bin/cqlsh -u cassandra -p cassandra

Connected to Test Cluster at 127.0.0.1:9042.

[cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]

Use HELP for help.


Create a role named api.

cassandra@cqlsh> CREATE ROLE api WITH PASSWORD = 'pass123' AND SUPERUSER = false AND LOGIN = true;

cassandra@cqlsh> list roles;


 role      | super | login | options
-----------+-------+-------+---------
       api | False |  True |      {}
 cassandra |  True |  True |      {}


Create an employees keyspace, create two tables and insert some sample records.

cassandra@cqlsh> create KEYSPACE employees WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

cassandra@cqlsh> use employees;

cassandra@cqlsh:employees> create table employee(id int primary key, name text);

cassandra@cqlsh:employees> insert into employee(id, name) values (1, 'user 01');

cassandra@cqlsh:employees> create table salary(emp_id int primary key, salary int);

cassandra@cqlsh:employees> insert into salary(emp_id, salary) values (1, 100000);


Grant SELECT permission on the employees.employee table but revoke SELECT access from employees.salary.

cassandra@cqlsh:employees> GRANT SELECT ON TABLE employees.employee TO api;

cassandra@cqlsh:employees> REVOKE SELECT ON TABLE employees.salary FROM api;

cassandra@cqlsh:employees> LIST ALL PERMISSIONS OF api;


 role | username | resource                   | permission
------+----------+----------------------------+------------
  api |      api | <table employees.employee> |     SELECT



In another terminal, log in to cqlsh using the api role.

$ bin/cqlsh -u api -p pass123

[cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]

Use HELP for help.

api@cqlsh> use employees;


Try to run a SELECT statement on the employee and salary tables.

api@cqlsh:employees> select * from employee;


 id | name
----+---------
  1 | user 01


api@cqlsh:employees> select * from salary;

Unauthorized: Error from server: code=2100 [Unauthorized] message="User api has no SELECT permission on <table employees.salary> or any of its parents"


As expected, we could query the employee table but not the salary table.
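The server's error message says permission is checked on the table "or any of its parents", so a grant at keyspace level also covers every table in it. The following added Python example (not part of this page or of Cassandra) parses cqlsh's LIST ALL PERMISSIONS output and evaluates a role's effective permission on a table by walking that hierarchy (table, its keyspace, all keyspaces); the sample output and the reporting role in it are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the LIST ALL PERMISSIONS output for the api role from
# above, plus a keyspace-level grant to a hypothetical `reporting` role.
SAMPLE_LIST_PERMISSIONS = """\
 role      | username  | resource                   | permission
-----------+-----------+----------------------------+------------
       api |       api | <table employees.employee> |     SELECT
 reporting | reporting |       <keyspace employees> |     SELECT
"""

# One data row: role | username | <resource> | permission
ROW_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(<[^>]+>)\s*\|\s*(\S+)\s*$")


def parse_permissions(text):
    """Return {role: {resource: {permission, ...}}} from LIST ALL PERMISSIONS output."""
    grants = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and separator lines do not match the row pattern
            role, _username, resource, perm = m.groups()
            grants[role][resource].add(perm)
    return grants


def parents(resource):
    """Yield the resource and its ancestors in Cassandra's data-resource hierarchy:
    <table ks.t> -> <keyspace ks> -> <all keyspaces>."""
    yield resource
    m = re.match(r"<table (\w+)\.(\w+)>", resource)
    if m:
        yield f"<keyspace {m.group(1)}>"
    if resource != "<all keyspaces>":
        yield "<all keyspaces>"


def has_permission(grants, role, resource, perm):
    """True if `perm` is granted on `resource` or on any of its parents."""
    return any(perm in grants.get(role, {}).get(r, set()) for r in parents(resource))


def audit(grants, role, forbidden):
    """Return the (resource, permission) pairs in `forbidden` that `role` can effectively use."""
    return [(res, p) for res, p in forbidden if has_permission(grants, role, res, p)]


if __name__ == "__main__":
    g = parse_permissions(SAMPLE_LIST_PERMISSIONS)
    policy = [("<table employees.salary>", "SELECT"), ("<table employees.employee>", "MODIFY")]
    for role in ("api", "reporting"):
        print(role, "violations:", audit(g, role, policy))
```

Feed it the real output of LIST ALL PERMISSIONS (or LIST ALL PERMISSIONS OF <role>) to confirm that a grant on <keyspace employees> did not silently widen access to salary.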


Permissions can be granted on:

  • CREATE - keyspace, table, function, role, index

  • ALTER - keyspace, table, function, role

  • DROP - keyspace, table, function, role, index

  • SELECT - keyspace, table

  • MODIFY - INSERT, UPDATE, DELETE, TRUNCATE - keyspace, table

  • AUTHORIZE - GRANT PERMISSION, REVOKE PERMISSION - keyspace, table, function, and role

  • DESCRIBE - LIST ROLES

  • EXECUTE - SELECT, INSERT, UPDATE - functions

See the DataStax documentation for more details: https://docs.datastax.com/en/cql/3.3/cql/cql_using/useSecurePermission.html


Enable Remote JMX

https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html


SSL Driver for Cassandra

http://blog.amussey.com/post/64036730812/cassandra-20-client-server-ssl-with-datastax