Cassandra Security: Create User & Authentication with JMX 2019

Security is an essential aspect of Cassandra wherever the data is of a sensitive nature. This tutorial explains the security procedures and the other aspects linked to securing the Cassandra NoSQL database.

There are two main aspects of Cassandra security, as of the security of any other database engine. They are listed below.

  • Internal Authentication
  • Authorization based on object permission management

This article explains the following in detail:

  • Internal authentication based on internally controlled role names and passwords
  • Authorization based on object permission management
  • Configuring authentication and authorization
  • Logging in
  • Creating a new user
  • Authorization (granting and listing permissions)
  • Configuring the firewall
  • Enabling JMX authentication

Internal Authentication in Cassandra

Validating a user's connection is called internal authentication in Cassandra. Authentication is done with a user login and password, and Cassandra manages these user accounts internally.

Internal Authorization in Cassandra

Internal authorization deals with the different permissions or privileges a user has in a Cassandra security setting: it defines what a specific user can and cannot do. For example, you can grant a user permission only to read Cassandra data, or permission to write to and alter the database, or to perform delete operations.

There is also a way to control authentication externally, with the help of Kerberos (used to manage user credentials) together with LDAP (used to store authoritative account information, such as what data the user is allowed to access).

A user can be given the authority to grant permissions to other users and roles. Roles can be granted to users, and the CQL commands GRANT and REVOKE are used to manage the permissions of individual users.

Configure Authentication and Authorization

By default, authentication and authorization are disabled in the Cassandra configuration. The Cassandra configuration file is ‘cassandra.yaml’; you have to edit this file to enable Cassandra authentication and authorization.

Open the “cassandra.yaml” file in your Cassandra configuration directory and uncomment the lines related to internal authentication and authorization.

(Screenshot: Cassandra security configuration file changes)
  • In this configuration file, the authenticator value is set to ‘AllowAllAuthenticator’ by default.
  • Change the authenticator value to ‘com.datastax.bdp.cassandra.auth.PasswordAuthenticator’ for password authentication.
  • Similarly, the authorizer value in the yaml file is ‘AllowAllAuthorizer’ by default.
  • Change this value to ‘com.datastax.bdp.cassandra.auth.CassandraAuthorizer’.
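To check that the two settings above have actually been changed, here is a small POSIX shell audit script. It is an added example, not code from the original article or from Cassandra: it reads the authenticator and authorizer values from the cassandra.yaml given as its argument and reports WEAK for any value whose class name is still one of the AllowAll defaults. It compares only the class name after any package prefix, so both the short names and the DataStax-prefixed names quoted above pass. The path to cassandra.yaml is the only assumption.

```shell
#!/bin/sh
# Added example (not part of the original article): audit the two
# cassandra.yaml settings this section changes. Exits 0 only when neither
# "authenticator" nor "authorizer" is left at its AllowAll default.
# The only assumption is the path to cassandra.yaml passed as $1.
set -eu

# Print the uncommented value of a top-level YAML key, with surrounding
# quotes and any trailing "# comment" removed. Lines like "#authenticator:"
# are comments and never match because the key must start the line.
yaml_value() {
    key="$1"; file="$2"
    sed -n "s/^$key:[[:space:]]*//p" "$file" \
        | sed 's/[[:space:]]*#.*$//; s/^["'"'"']//; s/["'"'"']$//' \
        | head -n 1
}

# Return 0 if the class name (after any package prefix, so both
# "PasswordAuthenticator" and "com.datastax.bdp.cassandra.auth.PasswordAuthenticator"
# qualify) is neither empty nor one of the permissive AllowAll* defaults.
is_hardened() {
    case "${1##*.}" in
        ""|AllowAllAuthenticator|AllowAllAuthorizer) return 1 ;;
        *) return 0 ;;
    esac
}

# Audit one cassandra.yaml: prints a line per setting, returns 1 if either is weak.
audit_cassandra_yaml() {
    file="$1"; rc=0
    authn=$(yaml_value authenticator "$file")
    authz=$(yaml_value authorizer "$file")
    if is_hardened "$authn"; then
        echo "OK   authenticator=$authn"
    else
        echo "WEAK authenticator=${authn:-<unset>} (AllowAll: no login required)"; rc=1
    fi
    if is_hardened "$authz"; then
        echo "OK   authorizer=$authz"
    else
        echo "WEAK authorizer=${authz:-<unset>} (AllowAll: every user can do anything)"; rc=1
    fi
    return $rc
}

# Usage: sh audit_cassandra_yaml.sh /etc/cassandra/cassandra.yaml
if [ "$#" -ge 1 ]; then
    audit_cassandra_yaml "$1"
fi
```

Run it as `sh audit_cassandra_yaml.sh /etc/cassandra/cassandra.yaml`; the non-zero exit code on a weak file makes it usable as a gate in configuration management. Keep in mind that cassandra.yaml is only read at startup, so the node must be restarted before the audited setting is in force.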

Logging in to cassandra

At this stage you have enabled authentication. Now, if you request access to a keyspace without credentials, Cassandra returns an error.

Apache Cassandra ships with a superuser account with the username ‘cassandra’ and the password ‘cassandra’. A user logged in with this superuser account has all privileges and can do anything.

Here is the error returned by Cassandra when you do not provide the default username ‘cassandra’ with the password ‘cassandra’.

(Screenshot: Cassandra not connecting error)

The second screenshot depicts the scenario in which you use the default username and password and are logged in successfully.

(Screenshot: Cassandra security login with username and password)

The best practice is to change the default password.

Syntax for changing the password:

alter user cassandra with password 'new password';

Create New User

A user can also create a new user with this default superuser account ‘cassandra’.

To create a new user, specify the username along with the password and whether the user is a superuser (having all privileges) or not. Only a superuser has permission to create new users.

Syntax for creating a new user in Cassandra:

create user Obama with password 'michel' superuser;

create user Michel with password 'obama';

The screenshot below shows the procedure for creating a new user and listing all users in Cassandra.

(Screenshot: Cassandra create new user)

Syntax for listing all users:

list users;

Drop User in Cassandra

You can drop any user by using the superuser account. The screenshot shows the procedure for dropping a user.

(Screenshot: Cassandra drop user)

Syntax for dropping a user:

drop user Michel;

Authorization

Authorization in Cassandra security is the process of assigning permissions to already created users, defining which actions a Cassandra user can perform.

Generic syntax for granting permissions to users:

GRANT permission ON resource TO user

The following types of permission can be granted to a user:

  1. CREATE
  2. SELECT
  3. ALTER
  4. MODIFY
  5. ALL
  6. DROP
  7. AUTHORIZE

Example of granting permissions to a user:

Create user Michel with password 'obama';

grant all on University.Student to michel;

revoke all on University.Student from michel;

grant select on University.Student to michel;

A new user ‘michel’ is created with password ‘obama’; the user is granted all permissions on the table University.Student, those permissions are revoked again, and finally only SELECT is granted.

(Screenshot: Cassandra security, grant permission to user)

Listing all permissions of a user

Here is the process for listing all the permissions of a user.

(Screenshot: Cassandra security, list all permissions of user)

Syntax for listing all permissions of a user:

list all permissions of Michel;

A user can also get a list of all permissions on a specific resource in the Cassandra security setting. Here is the syntax to list the permissions on a table:

list all permissions on University.Student;

Configuring the Firewall for Cassandra Security

If your firewall is running, make sure the following ports, including the Cassandra ports, are open for communication. Cassandra uses these ports for communication between nodes; if they are not open, Apache Cassandra nodes will work as standalone database servers rather than joining the Cassandra cluster.

Cassandra Client Ports

Port Number   Description
9160          Cassandra client port (Thrift)
9042          Cassandra client port

Cassandra Internode Ports

Port Number   Description
7000          Cassandra inter-node communication
7001          Cassandra SSL inter-node communication
7199          Cassandra JMX monitoring port

OpsCenter Public Ports

Port Number   Description
8888          OpsCenter web browser HTTP requests
22            SSH port

Cassandra OpsCenter Ports (for Cassandra health monitoring)

Port Number   Description
61620         OpsCenter monitoring port
61621         Cassandra node OpsCenter agent port
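As an added example (not part of the original article), the following POSIX shell script matches a list of listening TCP sockets against the port tables above and warns when the JMX port 7199 is bound to a non-loopback address, since JMX is meant to be local-only until the authentication steps later in this article are in place. The input is constructed sample output in the column layout of `ss -lnt`, not a capture from a real host; on a node, pipe the real `ss -lnt` output into report_listeners.

```shell
#!/bin/sh
# Added example (not part of the original article): match a host's listening
# TCP sockets against the port tables above and flag a JMX port (7199) that is
# reachable beyond localhost. SAMPLE_SS is constructed, not a real capture.
set -eu

# Constructed sample in the column layout of `ss -lnt` (not from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:9042        0.0.0.0:*
LISTEN 0      128    10.0.0.5:7000       0.0.0.0:*
LISTEN 0      50     127.0.0.1:7199      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*'

# Role of a port according to the tables in this section; empty for other ports.
port_role() {
    case "$1" in
        9160)  echo "client (Thrift)" ;;
        9042)  echo "client" ;;
        7000)  echo "internode" ;;
        7001)  echo "internode (SSL)" ;;
        7199)  echo "JMX" ;;
        8888)  echo "OpsCenter HTTP" ;;
        22)    echo "SSH" ;;
        61620) echo "OpsCenter monitoring" ;;
        61621) echo "OpsCenter agent" ;;
        *)     ;;
    esac
}

# True if an address is a loopback address as ss prints it.
is_loopback() {
    case "$1" in
        127.*|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# Read ss -lnt style lines on stdin, print "port role address" for each
# documented port, and return 1 if JMX listens on a non-loopback address
# (the default is localhost-only JMX; a wider bind needs JMX authentication).
report_listeners() {
    rc=0
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue      # skips the header line
        port="${laddr##*:}"
        addr="${laddr%:*}"
        role=$(port_role "$port")
        [ -n "$role" ] || continue               # port not in the tables
        echo "$port $role $addr"
        if [ "$port" = "7199" ] && ! is_loopback "$addr"; then
            echo "WARN JMX on $addr is reachable from other hosts; enable JMX authentication"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | report_listeners
```

On the sample, 9042 and 22 are reported as listening on every interface, 7000 on the node address, and 7199 on loopback, so the script exits 0; port 5432 is not in the tables and is ignored. Which of the listed ports must be reachable from where (clients, other nodes, OpsCenter) is what the firewall rules should encode.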

Enabling JMX Authentication for Cassandra Security

With Cassandra's default security settings, JMX can only be accessed from localhost. If a user wants to access Cassandra JMX remotely, the following changes are required in the Cassandra configuration.

Change the LOCAL_JMX setting in the cassandra-env.sh file and enable SSL or authentication.

After enabling JMX authentication in cassandra-env.sh, make sure that OpsCenter and nodetool are configured to use authentication.

Procedure for enabling JMX Authentication

Follow these steps to enable JMX authentication.

Step 1:

In the cassandra-env.sh file, update or add the following lines.

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"

Step 2:

Change the LOCAL_JMX setting in cassandra-env.sh:

LOCAL_JMX=no

Step 3:

Copy the file jmxremote.password.template from /jdk_install_location/lib/management/ to /etc/cassandra/ and rename it to jmxremote.password.

cp /jdk_install_location/lib/management/jmxremote.password.template /etc/cassandra/jmxremote.password

Step 4:

Change the ownership of jmxremote.password to the user you run Cassandra as, and change the file permissions to read-only. The syntax is given below:

chown cassandra:cassandra /etc/cassandra/jmxremote.password

chmod 400 /etc/cassandra/jmxremote.password

Step 5:

Edit the file jmxremote.password and add the user and password entries for JMX-compliant utilities, as follows:

monitorRole QED

controlRole R&D

cassandra cassandrapassword

Step 6:

Add the current Cassandra user with read and write permission to /jdk_install_location/lib/management/jmxremote.access:

monitorRole readonly
cassandra readwrite
controlRole readwrite \
  create javax.management.monitor.,javax.management.timer. \
  unregister

Step 7:

Restart Cassandra.

Step 8:

Run nodetool with your Cassandra username and password. The syntax is given below:

$ nodetool status -u cassandra -pw cassandra
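Steps 1 to 6 above as a single re-runnable POSIX shell script, with a check of the finished configuration. This is an added example, not code from the original article or from the Cassandra project. It takes the file paths, the owning user and the credential entries as parameters rather than hard-coding /etc/cassandra; the demo runs in a scratch directory with a constructed stand-in for the JDK template and a placeholder password. Steps 7 and 8 (restarting Cassandra and running nodetool) are left to the operator.

```shell
#!/bin/sh
# Added example (not part of the original article): apply steps 1 to 6 of the
# JMX authentication procedure to a given configuration directory and verify
# the result. File paths, the owning user and the credentials are parameters;
# the demo uses a scratch directory, a constructed stand-in for the JDK's
# jmxremote.password.template and a placeholder password.
set -eu

# Step 1: append a -D option to JVM_OPTS in cassandra-env.sh unless it is
# already there, so the script can be re-run safely.
ensure_jvm_opt() {
    env_file="$1"; opt="$2"
    if ! grep -qF -- "$opt" "$env_file" 2>/dev/null; then
        printf 'JVM_OPTS="$JVM_OPTS %s"\n' "$opt" >> "$env_file"
    fi
}

# Step 2: set LOCAL_JMX=no, replacing an existing assignment or adding one.
set_local_jmx_no() {
    env_file="$1"
    if grep -q '^LOCAL_JMX=' "$env_file" 2>/dev/null; then
        sed 's/^LOCAL_JMX=.*/LOCAL_JMX=no/' "$env_file" > "$env_file.tmp"
        mv "$env_file.tmp" "$env_file"
    else
        printf 'LOCAL_JMX=no\n' >> "$env_file"
    fi
}

# Steps 3 to 5: copy the template, add the "user password" entries while the
# copy is still writable, then hand it to the Cassandra user and make it 0400.
# The JVM refuses to start the JMX agent if this file is readable by anyone
# but its owner, so the mode is not optional.
install_jmx_password_file() {
    template="$1"; dest="$2"; owner="$3"; entries="$4"
    rm -f "$dest"                      # a previous 0400 copy cannot be overwritten in place
    cp "$template" "$dest"
    printf '%s\n' "$entries" >> "$dest"
    chown "$owner" "$dest"
    chmod 400 "$dest"
}

# Step 6: give the Cassandra user readwrite access in jmxremote.access, once.
ensure_jmx_access() {
    access_file="$1"; user="$2"
    if ! grep -q "^$user[[:space:]]" "$access_file" 2>/dev/null; then
        printf '%s readwrite\n' "$user" >> "$access_file"
    fi
}

# Octal file mode; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Check the finished configuration: one line per check, returns 1 on any failure.
verify_jmx_auth() {
    env_file="$1"; pass_file="$2"; rc=0
    if grep -q 'jmxremote.authenticate=true' "$env_file"; then
        echo "OK   jmxremote.authenticate=true"
    else
        echo "FAIL JMX authentication not enabled in $env_file"; rc=1
    fi
    if grep -q '^LOCAL_JMX=no' "$env_file"; then
        echo "OK   LOCAL_JMX=no"
    else
        echo "FAIL LOCAL_JMX is not 'no'"; rc=1
    fi
    if [ "$(file_mode "$pass_file")" = "400" ]; then
        echo "OK   $pass_file is mode 0400"
    else
        echo "FAIL $pass_file is mode $(file_mode "$pass_file"), expected 0400"; rc=1
    fi
    return $rc
}

# Demo in a scratch directory (run with --demo). On a real node call the
# functions with the /etc/cassandra paths and owner cassandra:cassandra instead.
demo() {
    dir=$(mktemp -d)
    printf '# constructed stand-in for the JDK jmxremote.password.template\n' \
        > "$dir/jmxremote.password.template"
    printf 'monitorRole readonly\n' > "$dir/jmxremote.access"
    ensure_jvm_opt "$dir/cassandra-env.sh" "-Dcom.sun.management.jmxremote.authenticate=true"
    ensure_jvm_opt "$dir/cassandra-env.sh" \
        "-Dcom.sun.management.jmxremote.password.file=$dir/jmxremote.password"
    set_local_jmx_no "$dir/cassandra-env.sh"
    install_jmx_password_file "$dir/jmxremote.password.template" \
        "$dir/jmxremote.password" "$(id -u)" "cassandra PLACEHOLDER_PASSWORD"
    ensure_jmx_access "$dir/jmxremote.access" cassandra
    verify_jmx_auth "$dir/cassandra-env.sh" "$dir/jmxremote.password"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Two details differ from the literal step order. The credential lines are appended before the file is made 0400, because a plain shell redirection into a 0400 file fails for a non-root owner once the mode is set; and the script checks the final mode explicitly, because the JVM will not start the JMX agent when the password file is readable by anyone other than its owner. Run `sh jmx_auth.sh --demo` to see the checks pass in a scratch directory; on a real node, call the functions with the /etc/cassandra paths from the procedure and `cassandra:cassandra` as the owner, then restart Cassandra and test with nodetool as in step 8.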

Summary

This article explains Cassandra security from several perspectives, including configuring the Cassandra configuration file “cassandra.yaml” to enable the security settings of the Cassandra NoSQL database. It also explains the step-by-step procedures for creating a new user in Cassandra, granting permissions to a specific user, configuring the firewall for Cassandra machines, and so on. In short, this is a comprehensive article on Cassandra security settings.