Security
Authentication
Enable authentication in cassandra.yaml using following 2 properties.
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
Login to cqlsh using default password for "cassandra" role
$ cqlsh 127.0.0.1 -u cassandra -p cassandra
Update the existing cassandra
cqlsh> ALTER ROLE cassandra WITH PASSWORD = '<some_secure_pasword>';
Create a new role with password for the cassandra role.
cqlsh> CREATE ROLE dba WITH PASSWORD = '<some_secure_pasword>' AND SUPERUSER = true AND LOGIN = true;
Authorization
Cassandra supports role based authorization. From data access point of view, table level permission is the most granular permission allowed in Cassandra. Column level, row level or cell level permissions are not allowed at this moment.
Login to cqlsh using cassandra user name
$ bin/cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
Create a role name - api.
cassandra@cqlsh> CREATE ROLE api WITH PASSWORD = 'pass123' AND SUPERUSER = false AND LOGIN = true;
cassandra@cqlsh> list roles;
role | super | login | options
-----------+-------+-------+---------
api | False | True | {}
cassandra | True | True | {}
Create a employees keyspace, create two tables and insert some sample records
cassandra@cqlsh> create KEYSPACE employees WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
cassandra@cqlsh> use employees;
cassandra@cqlsh:employees> create table employee(id int primary key, name text);
cassandra@cqlsh:employees> insert into employee(id, name) values (1, 'user 01');
cassandra@cqlsh:employees> create table salary(emp_id int primary key, salary int);
cassandra@cqlsh:employees> insert into salary(emp_id, salary) values (1, 100000);
Grant select permission to employees.employee table but revoke SELECT access from employees.salary.
cassandra@cqlsh:employees> GRANT SELECT ON TABLE employees.employee TO api;
cassandra@cqlsh:employees> REVOKE SELECT ON TABLE employees.salary FROM api;
cassandra@cqlsh:employees> LIST ALL PERMISSIONS OF api;
role | username | resource | permission
------+----------+----------------------------+------------
api | api | <table employees.employee> | SELECT
In another terminal login to cqlsh using api role.
$ bin/cqlsh -u api -p pass123
[cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
api@cqlsh> use employees;
Try to run select statement on employee table and salary tables.
api@cqlsh:employees> select * from employee;
id | name
----+---------
1 | user 01
api@cqlsh:employees> select * from salary;
Unauthorized: Error from server: code=2100 [Unauthorized] message="User api has no SELECT permission on <table employees.salary> or any of its parents"
As expected, we could query employee table but not the salary table.
Permissions can be granted on:
CREATE - keyspace, table, function, role, index
ALTER - keyspace, table, function, role
DROP - keyspace, table, function, role, index
SELECT - keyspace, table
MODIFY - INSERT, UPDATE, DELETE, TRUNCATE - keyspace, table
AUTHORIZE - GRANT PERMISSION, REVOKE PERMISSION - keyspace, table, function, and role
DESCRIBE - LIST ROLES
EXECUTE - SELECT, INSERT, UPDATE - functions
See here for more details https://docs.datastax.com/en/cql/3.3/cql/cql_using/useSecurePermission.html
Enable Remote JMX
https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html
SSL Driver for Cassandra
http://blog.amussey.com/post/64036730812/cassandra-20-client-server-ssl-with-datastax