Cassandra JMX Authentication & Authorization: Create User

There are two types of security in Apache Cassandra and DataStax Enterprise.

  • Internal Authentication
  • Authorization

What are Internal Authentication and Authorization?

Internal authentication validates a user's connection: the user is authenticated with a login name and password, and all user accounts are managed inside Cassandra itself.

Internal authorization deals with a user's permissions, that is, which actions a user is allowed to perform. For example, one user can be given permission only to read data, another permission to write data and another permission to delete data.

However, authentication can also be controlled externally with Kerberos (used to manage credentials securely) and LDAP (used to hold authoritative information about accounts, such as what they are allowed to access).

External authentication is authentication backed by Kerberos or LDAP. Apache Cassandra does not support external authentication.

Only DataStax Enterprise supports external authentication with Kerberos and LDAP, whereas internal authentication is supported in both Apache Cassandra and DataStax Enterprise.

Configure Authentication and Authorization

In Cassandra, authentication and authorization are disabled by default. To enable them, you have to edit the cassandra.yaml file.

Open the cassandra.yaml file and uncomment the lines that deal with internal authentication and authorization.

(Screenshot: Configure Authentication and Authorization)

  • In the cassandra.yaml file, the default authenticator value is ‘AllowAllAuthenticator’. Change this value from ‘AllowAllAuthenticator’ to ‘com.datastax.bdp.cassandra.auth.PasswordAuthenticator’.
  • Similarly, in the cassandra.yaml file, the default authorizer value is ‘AllowAllAuthorizer’. Change this value from ‘AllowAllAuthorizer’ to ‘com.datastax.bdp.cassandra.auth.CassandraAuthorizer’.

Logging in

Now that authentication is enabled, if you try to access any keyspace without logging in, Cassandra will return an error.

By default, Cassandra provides a superuser account with user name ‘cassandra’ and password ‘cassandra’. Once logged in to the ‘cassandra’ account, you can do whatever you want.

The screenshot below shows that login is refused unless you use the default Cassandra username and password.

(Screenshot: Logging in)

In the second screenshot, you can see that after using the default Cassandra login credentials you are able to log in.

You can also create other users with this account. It is recommended to change the password from the default. Here is an example of logging in as the cassandra user and changing the default password.

(Screenshot: Logging in)

alter user cassandra with password 'newpassword';

Create New User

New accounts can be created with the ‘cassandra’ account.

To create a new user, a login name and password are specified, along with whether the user is a superuser or not. Only a superuser can create new users. In the first statement below the account is created as a superuser; in the second the superuser keyword is omitted, so it is a regular user.

create user robin with password 'manager' superuser;
create user robin with password 'newhire';

You can list all users with the following statement.

list users;

(Screenshot: Create New User)

Users can be dropped with the following statement.

drop user laura;

Authorization

Authorization is the assignment of permissions to users, that is, which actions a particular user can perform.

Here is the generic syntax for assigning permission to users.

GRANT permission ON resource TO user

The following types of permission can be granted to a user.

  1. ALL
  2. ALTER
  3. AUTHORIZE
  4. CREATE
  5. DROP
  6. MODIFY
  7. SELECT

Here are examples of assigning permissions to a user.

create user laura with password 'newhire';
grant all on dev.emp to laura;
revoke all on dev.emp from laura;
grant select on dev.emp to laura;

A new user ‘laura’ is created with password ‘newhire’.

Here is an example where user ‘laura’ tries to access the emp_bonus table. Laura only has permission on dev.emp and no permission on the table dev.emp_bonus, which is why an error is returned.

(Screenshot: Authorization)

select * from emp_bonus;

You can list all permissions assigned to a user. Here is an example of getting permission information.

(Screenshot: Authorization)

list all permissions of laura;

You can also list all permissions on a resource. Here is an example of listing the permissions on a table.

(Screenshot: Authorization)

list all permissions on dev.emp;

Configuring Firewall

If a firewall is running, the following ports must be open for communication between nodes and for clients. If the Cassandra ports are not open, Cassandra nodes will act as standalone database servers rather than joining the cluster.

Cassandra Client Ports

  Port Number   Description
  9042          Cassandra client port
  9160          Cassandra client port (Thrift)

Cassandra Internode Ports

  Port Number   Description
  7000          Cassandra internode cluster communication
  7001          Cassandra SSL internode cluster communication
  7199          Cassandra JMX monitoring port

Public Ports

  Port Number   Description
  22            SSH port
  8888          OpsCenter website (browser HTTP requests)

Cassandra OpsCenter Ports

  Port Number   Description
  61620         OpsCenter monitoring port
  61621         OpsCenter agent port

Enabling JMX Authentication

With Cassandra's default settings, JMX can only be accessed from localhost. If you want to access JMX remotely, change the LOCAL_JMX setting in cassandra-env.sh and enable authentication or SSL.

After enabling JMX authentication, make sure OpsCenter and nodetool are configured to use authentication.

Procedure

Follow these steps to enable JMX authentication.

  1. In the cassandra-env.sh file, add or update the following lines:

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"

     Also change the LOCAL_JMX setting in cassandra-env.sh:

LOCAL_JMX=no

  2. Copy jmxremote.password.template from /jdk_install_location/lib/management/ to /etc/cassandra/ and rename it to jmxremote.password:

cp /jdk_install_location/lib/management/jmxremote.password.template /etc/cassandra/jmxremote.password

  3. Change the ownership of jmxremote.password to the user you run Cassandra as, and make it readable only by that user:

chown cassandra:cassandra /etc/cassandra/jmxremote.password
chmod 400 /etc/cassandra/jmxremote.password

  4. Edit jmxremote.password and add the user and password for JMX-compliant utilities:

monitorRole QED
controlRole R&D
cassandra cassandrapassword

  5. Add the Cassandra user with read and write permission to /jdk_install_location/lib/management/jmxremote.access:

monitorRole readonly
cassandra readwrite
controlRole readwrite \
  create javax.management.monitor.,javax.management.timer. \
  unregister

  6. Restart Cassandra.
  7. Run nodetool with the Cassandra user and password:

$ nodetool status -u cassandra -pw cassandra
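As an added example (not part of this tutorial), here is a small Python audit script covering both the cassandra.yaml settings from the configuration section and the JMX password file from the procedure above: it flags the AllowAll defaults, a jmxremote.password file whose mode is not 0400, roles that still carry the template passwords (QED, R&D) and trivially guessable passwords such as the ‘cassandrapassword’ value used in step 4. The guessability heuristic, the function names and the sample inputs are assumptions made for the example.

```python
import os
import re
import stat

# Placeholder credentials shipped in the JDK's jmxremote.password.template
# (the same two roles shown in step 4 of the procedure above).
TEMPLATE_PASSWORDS = {"monitorRole": "QED", "controlRole": "R&D"}

def yaml_setting(yaml_text, key):
    """Value of an uncommented top-level 'key: value' line, or None."""
    match = re.search(rf"^{key}:\s*(\S+)", yaml_text, re.M)
    return match.group(1) if match else None

def audit_cassandra_yaml(yaml_text):
    """Flag the AllowAll* defaults that leave logins and permissions unchecked."""
    findings = []
    authenticator = yaml_setting(yaml_text, "authenticator")
    if authenticator is None or authenticator.endswith("AllowAllAuthenticator"):
        findings.append("authenticator: logins are not checked")
    authorizer = yaml_setting(yaml_text, "authorizer")
    if authorizer is None or authorizer.endswith("AllowAllAuthorizer"):
        findings.append("authorizer: permissions are not checked")
    return findings

def audit_jmx_password(text, mode):
    """Check jmxremote.password contents and its permission bits (expect 0o400)."""
    findings = []
    if mode != 0o400:
        findings.append(f"jmxremote.password mode {oct(mode)}, expected 0o400")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        role, _, password = line.partition(" ")
        if TEMPLATE_PASSWORDS.get(role) == password.strip():
            findings.append(f"{role}: still has the template password")
        elif password.strip() in (role, role + "password"):  # assumed heuristic
            findings.append(f"{role}: password is guessable")
    return findings

def audit_jmx_password_file(path):
    """Same check against a real file, reading the mode from the filesystem."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_jmx_password(text, stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    # Constructed sample: the step-4 password file, left readable by everyone.
    sample = "monitorRole QED\ncontrolRole R&D\ncassandra cassandrapassword\n"
    print("\n".join(audit_jmx_password(sample, 0o644)))
```

Run audit_jmx_password_file("/etc/cassandra/jmxremote.password") on a node to check the real file after step 3; an empty list means nothing was flagged.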

Summary

This tutorial explained security in Cassandra and how to configure the cassandra.yaml file to enable it. It also covered creating new user accounts, assigning permissions, configuring the firewall and enabling JMX authentication.