Security In Cassandra


Security is becoming big concern among BigData and NoSQL technologist.But Cassandra takes care of all security concerns.

Cassandra provides 3 main ways to secure your data –

  1. Internal Authentication
  2. Object Permission Management
  3. Client to Node Encryption

In this blog we will talk about how we can secure our data in Cassandra cluster using Internal Authentications and Object Permission Management.

Internal Authentication Using login accounts and Permission Management

Internal Authentication is mainly based upon created login accounts.Cassandra stores usernames and encrypted passwords in system_auth.credentials table.It works for all sort of client applications like – cqlsh, Cassandra drivers certified by DataStax, Cassandra-cli etc.

Steps to configure Internal Authentication and Authorizations in Cassandra

  1. Change the authentication in cassandra.yaml.By default its AllowAllAuthenticator which means by default there is no authentication and Cassandra allows everyone to connect to Cassandra cluster.
    authenticator: PasswordAuthenticator
  2. Increase the Replication Factor for system_auth Keyspace to number of nodes in cluster.
    ALTER KEYSPACE [your_keyspace] WITH REPLICATION = {‘class’ : ‘NetworkTopologyStrategy’, ‘DC1’ : [N- Number of nodes in your cluster]};

    If we use the default value of 1, and if node with the only replica goes down, we will not be able to log into the cluster because the system_auth keyspace is not replicated.

  3. Restart your Cassandra cluster nodes and connect to it through cqlsh using default superuser’s username and password.cassandra_auth1
  4.  Create another superuser.
    CREATE USER vijayendra WITH PASSWORD 'vijay123' SUPERUSER;
  5. Connect Cassandra cluster through cqlsh using new super user.
    cassandra_auth2
  6. Now we can takeaway super user status from Cassandra default user.
    ALTER USER cassandra WITH PASSWORD 'whatever' NOSUPERUSER;
  7. Create another user (not super user).
    CREATE USER vijay WITH PASSWORD 'vijay';
  8. Change the authorizer in cassandra.yaml.By default its AllowAllAuthorizer which means by default Cassandra allows every action to every user.
    authorizer: CassandraAuthorizer
  9. Restart the Cassandra cluster and again connect using cqlsh with earlier created super user.
  10. Change the authorization of user vijay on 1 table to select only using grant command.
    grant select permission on table tradelevelstorage[Your Table Name] to vijay;
  11. Run select query on tradelevelstorage , you will get the results but when you will try to run the update query you will get authorization exception

.cassandra_auth3

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s