Securing Cassandra
Not as hard as it sounds
#CassandraSummit
instaclustr.com
Who am I and what do I do?
• Ben Bromhead
• Co-founder and CTO of Instaclustr -> www.instaclustr.com
<sales>
• Instaclustr provides Cassandra-as-a-Service in the cloud.
• Currently in AWS, Azure and IBM Softlayer with more to come.
• We currently manage 150+ nodes for various customers, who do various things with it.
</sales>
What this talk will cover
• Why do we care about security?
• A meandering tour of Cassandra security controls
• Tips and tricks
Why do we care about security?
• Hackers
• Compliance…
• We now have an information security officer / architect
• Some sort of misguided sense of obligation to protecting end user information?
But I run C* behind a firewall…
• Stops dumb mistakes (running dev scripts on prod)
• Stops malicious internal actors
• Multi data-centre clusters (GL with that VPN…)
• Run in the cloud?
So what do I need to care about?
• Confidentiality, Integrity, Availability
• Consistency, Partition Tolerance, Availability
Access Control
• Authentication: org.apache.cassandra.auth.IAuthenticator
• AllowAllAuthenticator - no auth, default
• PasswordAuthenticator - username and password auth, standard db stuff, uses ISaslAuthenticator
• DSE has some others (Kerberos, LDAP)
Authentication - General flow
• ServerConnection maintains QueryState, three states:
• UNINITIALIZED
• AUTHENTICATION
• READY
• Driver sends a STARTUP message, then CREDENTIALS/AUTH_RESPONSE.
• The CredentialsMessage class calls the configured Authenticator's authenticate method and then sets the state to READY.
• You are then ready to start executing queries, and authenticate does not get called again for the life of the connection. The authenticated user gets stored in the ClientState.
• If your app uses short-lived connections, or uses a driver that does not pool them (e.g. php), this will hurt.
Authentication - PasswordAuthenticator
• CredentialsMessage calls authenticate, which is implemented by PasswordAuthenticator:
• Checks whether you have actually provided a username / password combo
• Queries Cassandra with: SELECT salted_hash FROM system_auth.credentials WHERE username = ?
• Queries using LOCAL_ONE for all users, except the user “cassandra”, which is queried at QUORUM
• Default system_auth keyspace replication is set to 1… this should be set to all nodes
Access Control
• Authorisation: org.apache.cassandra.auth.IAuthorizer
• AllowAllAuthorizer - no permissions, default
• CassandraAuthorizer - extends IAuthorizer, must be used with PasswordAuthenticator
Authorisation - General flow
• CredentialsMessage calls state.getClientState().login(user), which checks again if the user exists.
• ClientState provides an authorize method to get permissions for the logged in user against a specific resource.
• Alter, CreateIndex, DropIndex, Insert/Update, Select and Truncate all call hasColumnFamilyAccess (or hasKeyspaceAccess) on the client state to check if an operation is permitted.
• If it isn’t, an UnauthorizedException is raised
Authentication - CassandraAuthorizer
• CassandraAuthorizer gets called by Auth to return a set of permissions.
• Auth wraps these calls in a permissions cache, otherwise the authorizer gets called for every single operation.
• CassandraAuthorizer gets passed a user and a resource (keyspace or cf) and returns the permissions it can find for that user, resource pair.
• ALL KEYSPACES is treated as the root data resource.
CassandraAuthorizer + PasswordAuthenticator
• Run these together
• Currently the user lookups and the permissions checks are in the read/write path (even with the permissions cache).
• Be vigilant with your system_auth replication and keeping it repaired.
• A poorly configured/maintained system_auth keyspace can and will create 0% availability in your other keyspaces… irrespective of their replication factor
• Don’t use the cassandra user
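An added illustration (not from the talk or from Cassandra's code) of why system_auth replication governs login availability: it applies the LOCAL_ONE / QUORUM rule from the PasswordAuthenticator slide to a simulated six-node ring. MD5 as the token hash, SimpleStrategy-style replica placement, evenly spaced node tokens and the user names are all assumptions made for the model.

```python
"""Model of how system_auth replication affects who can log in when nodes fail.

Constructed illustration: MD5 stands in for Cassandra's partitioner and
replicas are placed SimpleStrategy-style (the next RF nodes around the ring).
"""
import hashlib
from bisect import bisect_left

RING = 2 ** 64


def token(key):
    """Map a key onto the ring (MD5 is used only as a uniform stand-in hash)."""
    return int.from_bytes(hashlib.md5(key.encode()).digest()[:8], "big")


def replicas(username, node_tokens, rf):
    """Indexes of the nodes that hold this user's system_auth row."""
    n = len(node_tokens)
    start = bisect_left(node_tokens, token(username)) % n
    return [(start + i) % n for i in range(min(rf, n))]


def can_authenticate(username, node_tokens, rf, down):
    """Consistency levels from the slides: LOCAL_ONE for ordinary users,
    QUORUM for the default 'cassandra' user."""
    owners = replicas(username, node_tokens, rf)
    live = [node for node in owners if node not in down]
    needed = len(owners) // 2 + 1 if username == "cassandra" else 1
    return len(live) >= needed


def login_availability(users, n_nodes, rf, down):
    """Fraction of users whose credentials lookup can still be served."""
    node_tokens = [i * (RING // n_nodes) for i in range(n_nodes)]
    ok = sum(can_authenticate(u, node_tokens, rf, down) for u in users)
    return ok / len(users)


if __name__ == "__main__":
    users = ["app_user_%d" % i for i in range(1000)]  # constructed sample users
    for rf in (1, 3, 6):
        pct = login_availability(users, n_nodes=6, rf=rf, down={2}) * 100
        print("system_auth RF=%d: %.1f%% of users can log in with node 2 down" % (rf, pct))
```

Users who cannot authenticate cannot reach any keyspace, whatever the replication factor of the data they want to read.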
Auth changes in 2.2
• API has changed to support the concept of roles
• This includes inheritance!
• Roles are first class resources (like keyspaces and tables), so you can grant permissions on certain roles.
• AuthZ in Cassandra has finally grown up!
Internode Authentication
• Yes it does exist!
• Currently the only provided internode authenticator is AllowAll
• Can be extended to authenticate based on remoteAddress and port.
• No ability at the moment to use a shared secret; at best it would support a whitelist
Confidentiality
• Internode encryption
• Client <> Node encryption
• Whole disk encryption
ENCRYPTION!!1!
Internode Encryption
• Leverages SSLServerSockets from Netty (native)
• Server certificate stored in KeyStore, trust certificates stored in TrustStore
• If require_client_auth == true, the client must provide a certificate from which the SSL context can build a chain of trust back to a cert in the TrustStore.
• This can either be the provided certificate itself, or the CA that signed that cert.
Configuring encryption
server_encryption_options:
    internode_encryption: none # all, none, dc, rack
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
Configuring encryption
server_encryption_options:
    …
    protocol: TLS # TLSv1.2, SSLv3.0 etc
    algorithm: SunX509 # PKIX
    store_type: JKS # support for different keystores
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,…]
    require_client_auth: true
Configuring encryption
• Strongly recommend you download the full strength JCE, otherwise Cassandra will not start with the default cipher suites
• Distribute the CA public cert in the truststore rather than individual public certificates.
• Troubleshooting certificate issues? Use the openssl client
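The defaults shown on the configuration and access control slides can be checked mechanically. The following is an added example, not code from the talk or from Cassandra: a small auditor for cassandra.yaml text. The two sample configs are constructed, the store passwords in the hardened one are placeholders, and client_encryption_options.enabled is a cassandra.yaml key that does not appear on the slides.

```python
"""Audit cassandra.yaml text for the weak defaults discussed in the slides.
Added example: the small parser only understands the flat and one-level
nested "key: value" layout these settings use, not general YAML."""

DEFAULT_PASSWORD = "cassandra"  # store password in the slides' sample config


def parse_settings(text):
    """Flatten settings to {'key': value} and {'section.key': value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip trailing comments
        if not line.strip() or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not line[0].isspace():                   # top-level key
            section = None if value else key        # "name:" opens a section
            if value:
                settings[key] = value
        elif section:                               # indented key in a section
            settings[section + "." + key] = value
    return settings


def audit(text):
    """Return a list of (setting, problem) tuples; empty means no findings."""
    s = parse_settings(text)
    findings = []
    if s.get("authenticator", "AllowAllAuthenticator").endswith("AllowAllAuthenticator"):
        findings.append(("authenticator", "no authentication (default)"))
    if s.get("authorizer", "AllowAllAuthorizer").endswith("AllowAllAuthorizer"):
        findings.append(("authorizer", "no permission checks (default)"))
    if s.get("server_encryption_options.internode_encryption", "none") == "none":
        findings.append(("server_encryption_options.internode_encryption",
                         "node-to-node traffic is not encrypted"))
    if s.get("client_encryption_options.enabled", "false") != "true":
        findings.append(("client_encryption_options.enabled",
                         "client-to-node traffic is not encrypted"))
    for section in ("server_encryption_options", "client_encryption_options"):
        for key in ("keystore_password", "truststore_password"):
            if s.get(section + "." + key) == DEFAULT_PASSWORD:
                findings.append((section + "." + key, "default store password"))
        if s.get(section + ".require_client_auth", "false") != "true":
            findings.append((section + ".require_client_auth",
                             "peers are not required to present a certificate"))
        if s.get(section + ".protocol", "TLS").upper().startswith("SSL"):
            findings.append((section + ".protocol", "legacy SSL protocol selected"))
    return findings


WEAK_CONFIG = """\
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
server_encryption_options:
    internode_encryption: none   # all, none, dc, rack
    keystore_password: cassandra
    truststore_password: cassandra
client_encryption_options:
    enabled: false
    keystore_password: cassandra
"""

HARDENED_CONFIG = """\
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
server_encryption_options:
    internode_encryption: all
    keystore_password: PLACEHOLDER-keystore-secret
    truststore_password: PLACEHOLDER-truststore-secret
    protocol: TLS
    require_client_auth: true
client_encryption_options:
    enabled: true
    keystore_password: PLACEHOLDER-keystore-secret
    require_client_auth: true
"""

if __name__ == "__main__":
    for setting, problem in audit(WEAK_CONFIG):
        print("WEAK  %s: %s" % (setting, problem))
    print("hardened findings:", audit(HARDENED_CONFIG))
```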
Client Encryption
• Pretty much the same as internode encryption under the hood.
• Supports require_client_auth as well
• Must be able to build a chain of trust to a valid certificate within the truststore
• Does not actually set the AuthenticatedUser based on certificate CN or anything like that
Configuring client drivers for encryption
• Your driver will want its certificates in either PEM, DER or as a Keystore. Learn to love the openssl cli
• Cqlsh in some recent versions of Cassandra struggles with require_client_auth.
• Just use stunnel and plaintext cqlsh
At rest encryption
• Whole disk/volume
• dmcrypt/LUKS
• DSE Transparent Data Encryption (TDE)
• SSTable encryption
• In app encryption
At rest encryption
• dmcrypt/LUKS - up to a few % difference in throughput, minimal cpu load if using cpus with AES-NI instruction set
• DSE SSTable encryption, we haven’t done any benchmarking but according to DS there is a slight hit on perf.
• In app -> Variable… makes slice queries really hard
At rest encryption
• dmcrypt/LUKS -> Up to 8 keys per block device, requires key management at boot or via crypttab
• DSE TDE, now supports external KMIP servers for external key management.
• In app -> Key management -> roll your own
At rest encryption
• Should I do it?
• PCI? Yup probably
• Otherwise… the threats it protects against are fairly low risk
• Vulnerable to cold memory attacks (literally cooling RAM modules to persist state).
• Decryption key kept in memory
• You need to trust your DC/Cloud provider
Application Level Cryptography
• Encrypt data on the client side before writing to Cassandra
• Most secure, most amount of work
Availability
• This should be pretty simple, right? RF = 1,000,000
• There are a few things to keep in mind that an unauthenticated attacker / unprivileged user can do to make things interesting.
Availability
• native_transport_max_threads is set to 128 by default
• Unauthenticated messages will take up one of these threads
• Use client-auth, as the SSL handler will drop the connection before the message is dropped into the worker pool
Availability
• System_auth keyspace replication
• Every new session queries this keyspace
• Every new request queries either system_auth or the permissions cache
• Increase the credential cache time
• Increase your system_auth rf
Availability
• Resource Scheduler
• Default - none
• RoundRobin
• implements a throttle limit - number of requests in flight
• Weight by keyspace
Addendum - JMX Security
• JMX Security
• Pre Cassandra 2.0.14 - Wide open!
• Post Cassandra 2.0.14
• Bind to localhost only
• JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
• JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
Go forth and conquer!
Questions?
… not get conquered

