Follow: https://docs.datastax.com/en/opscenter/5.0/opsc/configure/opscEnableSSLpkg.html
Last active: September 26, 2016 15:30
Gist: ibspoof/8ea37f282a06edcbba49ba2e8ef6e86b
# Cassandra Node Security

Enable authentication and authorization in cassandra.yaml:

```yaml
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
```
From: http://docs.datastax.com/en/cql/3.1/cql/cql_reference/grant_r.html

```sql
CREATE USER IF NOT EXISTS newuser WITH PASSWORD 'password';
GRANT SELECT ON ALL KEYSPACES TO newuser;
GRANT MODIFY ON ALL KEYSPACES TO newuser;
-- or for a specific keyspace
GRANT SELECT ON KEYSPACE my_keyspace TO newuser;
GRANT MODIFY ON KEYSPACE my_keyspace TO newuser;
```

Note: once authentication is enabled, increase the replication factor of the `system_auth` keyspace (its default is 1) so that credentials stay available when a node is down.
- Create the private key (keystore file) using the keytool application. keytool is a Java application located in the bin directory of the JRE.

```shell
# -validity is the lifetime of the certificate in days; 1095 here is 3 years.
# Note: 1024-bit RSA keys are considered weak today; 2048 bits or more is recommended.
keytool -genkey -alias TestCertcassandra -keyalg RSA -keysize 1024 -dname "CN=TestCertcassandra, OU=cass, O=test, C=US" -keystore TestCertcassandra.keystore -storepass cassandra -keypass cassandra -validity 1095
```
- Create the public key cert file using the keytool application.

```shell
keytool -export -alias TestCertcassandra -file TestCertcassandra.cer -keystore TestCertcassandra.keystore -storepass cassandra -keypass cassandra
```
- Create the truststore file for all Cassandra nodes/clients that should be trusted. In our case this will only be one entry, since a single global cert is being used.

```shell
keytool -import -v -trustcacerts -alias TestCertcassandra -file TestCertcassandra.cer -keystore TestCertcassandra.truststore -storepass cassandra -keypass cassandra
```
- Create the PEM certificate for cqlsh (via an intermediate PKCS12 file).

```shell
keytool -importkeystore -srckeystore TestCertcassandra.keystore -destkeystore CQLSHTestCertcassandra.p12 -deststoretype PKCS12
# -nodes writes the private key unencrypted; restrict the file's permissions accordingly.
openssl pkcs12 -in CQLSHTestCertcassandra.p12 -out CQLSHTestCertcassandra.pem -nodes
```
- Keys
Cert File | Cert Type | Password | Destination | Used in Application |
---|---|---|---|---|
TestCertcassandra.cer | CA | Yes | Client | Drivers |
TestCertcassandra.keystore | Java Keystore | Yes | C* Server Nodes | Used as the Private Key for C* |
TestCertcassandra.truststore | Java truststore | Yes | Servers/Clients | Public Keys that are used to identify connecting clients/nodes. Used also by DevCenter and OpsCenter |
CQLSHTestCertcassandra.p12 | PKCS12 | Yes | Not Used | Not Used |
CQLSHTestCertcassandra.pem | PEM | No | Servers/Clients | Used by CQLSH and OpsCenter |
- Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8.

```shell
# Note: plain HTTP with --no-check-certificate gives no integrity guarantee; verify the archive before installing it.
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip"
```

- Unzip jce_policy-8.zip.

```shell
unzip jce_policy-8.zip
```

- Copy the jars into the JRE security directory.

```shell
cp -a UnlimitedJCEPolicyJDK8/*.jar $JAVA_HOME/jre/lib/security/
```
- Move the keystore and truststore to the DSE certificates directory.

```shell
mv TestCertcassandra.keystore /etc/dse/cassandra/certificates/
mv TestCertcassandra.truststore /etc/dse/cassandra/certificates/
```
- Set up node-to-node encryption in cassandra.yaml.

```yaml
server_encryption_options:
    internode_encryption: all
    keystore: /etc/dse/cassandra/certificates/TestCertcassandra.keystore
    keystore_password: cassandra
    truststore: /etc/dse/cassandra/certificates/TestCertcassandra.truststore
    truststore_password: cassandra
```
- Enable client-to-node encryption if needed.

```yaml
# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    keystore: /etc/dse/cassandra/certificates/TestCertcassandra.keystore
    keystore_password: cassandra
    require_client_auth: false
    truststore: /etc/dse/cassandra/certificates/TestCertcassandra.truststore
    truststore_password: cassandra
```
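The settings above are easy to get subtly wrong on one node out of many (internode encryption left at `none`, client encryption disabled, or the stock `cassandra` store password kept). The following script, an added example that is not part of the gist, audits the authentication and encryption sections of a cassandra.yaml against the configuration this page arrives at. It uses a small hand-written parser for the flat and nested `key: value` mappings these sections use, so it has no dependency on PyYAML; the two sample configurations embedded in it are constructed for illustration, and the finding names and severities are the author's own choices, not anything Cassandra defines.

```python
"""Audit the auth and TLS settings of a cassandra.yaml (added example)."""
import os
import re
import stat

# The stock cassandra.yaml ships with this keystore/truststore password.
DEFAULT_STORE_PASSWORD = "cassandra"


def parse_yaml_subset(text):
    """Parse nested 'key: value' mappings by indentation.

    Only the subset cassandra.yaml uses for these sections is handled:
    scalars, nested mappings, blank lines and comments (no lists or anchors).
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comment
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:  # close mappings that ended
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # 'key:' opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
    return root


def audit(config):
    """Return findings as (severity, check_id, message); [] means clean."""
    findings = []
    if config.get("authenticator") != "PasswordAuthenticator":
        findings.append(("HIGH", "authenticator",
                         "authenticator is not PasswordAuthenticator: clients connect without credentials"))
    if config.get("authorizer") != "CassandraAuthorizer":
        findings.append(("HIGH", "authorizer",
                         "authorizer is not CassandraAuthorizer: GRANT/REVOKE is not enforced"))
    server = config.get("server_encryption_options", {})
    mode = server.get("internode_encryption", "none")
    if mode != "all":
        findings.append(("HIGH", "internode_encryption",
                         f"internode_encryption is '{mode}', expected 'all'"))
    client = config.get("client_encryption_options", {})
    if client.get("enabled") is not True:
        findings.append(("MEDIUM", "client_encryption",
                         "client_encryption_options.enabled is not true: driver/cqlsh traffic is cleartext"))
    elif client.get("require_client_auth") is not True:
        findings.append(("INFO", "require_client_auth",
                         "require_client_auth is false: clients are not authenticated by certificate"))
    for name, section in (("server_encryption_options", server),
                          ("client_encryption_options", client)):
        for key in ("keystore_password", "truststore_password"):
            if section.get(key) == DEFAULT_STORE_PASSWORD:
                findings.append(("MEDIUM", "default_store_password",
                                 f"{name}.{key} is the stock default '{DEFAULT_STORE_PASSWORD}'"))
        for key in ("keystore", "truststore"):
            path = section.get(key)
            if path and os.path.exists(path):  # only checked when the file is reachable
                perms = stat.S_IMODE(os.stat(path).st_mode)
                if perms & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append(("MEDIUM", "store_permissions",
                                     f"{path} is group/world accessible (mode {perms:o})"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a cassandra.yaml string and audit it."""
    return audit(parse_yaml_subset(text))


# Constructed sample: the settings this page arrives at (4-space indents as in the stock file).
PAGE_CONFIG = """\
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
server_encryption_options:
    internode_encryption: all
    keystore: /etc/dse/cassandra/certificates/TestCertcassandra.keystore
    keystore_password: cassandra
    truststore: /etc/dse/cassandra/certificates/TestCertcassandra.truststore
    truststore_password: cassandra
# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    keystore: /etc/dse/cassandra/certificates/TestCertcassandra.keystore
    keystore_password: cassandra
    require_client_auth: false
    truststore: /etc/dse/cassandra/certificates/TestCertcassandra.truststore
    truststore_password: cassandra
"""

# Constructed sample: an untouched node that still has the stock defaults.
STOCK_CONFIG = """\
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
server_encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
client_encryption_options:
    enabled: false
    keystore: conf/.keystore
    keystore_password: cassandra
"""

if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("stock", STOCK_CONFIG)):
        print(f"== {label} ==")
        for severity, check, message in audit_text(text):
            print(f"[{severity}] {check}: {message}")
```

Run against the page's own configuration the script reports only the stock store password and the optional client certificate authentication; run against an untouched node it flags the AllowAll authenticator and authorizer, cleartext internode traffic and disabled client encryption. The permission check on the keystore and truststore files only fires when the paths are reachable from the machine running the audit, which is why the script is best run on the node itself.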