Authorization in Cassandra

Authorization in Cassandra 

Authorization in Cassandra is disabled by default. This grants all permissions to all roles. But disabling authorization is not used in production deployment. Cassandra has role based access control and using this we can configure proper access profile and schema access limitations.
To enable authorization we must enable authorizer in cassandra.yaml file.
By default:


After enabling authorization:


Now restart the node using the following command:
ndoetool drain; nodetool stopdaemon; cassandra

Once we enable authorization we have to start creating roles. 

Let's create a dba role, which has to have all the permissions on all the keyspaces.
Create an sales_admin role, which has to have all permissions on that particular keysapce.
Create an read_only role, which has to have only select access on all the keyspace.

High level roles as place holder for all roles.

create role 'dba_role' with login=false;
create role 'sales_admin' login=false;
create role 'read_only' with login=false;

--Granting all permissions to 'dba_role' role.

grant all permissions on all keyspaces to 'dba_role';
grant all permissions on all functions to 'dba_role';
grant all permissions on all roles to 'dba_role';

--Granting select,create & modify to sales_admin.

grant select on keyspace sales to 'sales_admin';
grant create on keyspace sales to 'sales_admin';
grant modify on keyspace sales to 'sales_admin';

--Real only access on all keypspaces.

grant select on all keypspaces to 'read_only';

Let's say a dba joined a organization:
>> Creating Role create role KKR with password='password' and login=true;
>> Granting permissions  grant 'dba_role' to KKR;
>> Listing permissions list all permissions of KKR;

Let's say a keyspace admin joined a organization:
>> Creating Role create role Kanthi with password='password' and login='true';
>> Granting Permission  grant 'sales_admin' to Kanthi;
>> Listing permissions list all permissions of Kanthi;

Read_only user
>> Creating a read_only user
>> Granting permissions to read_only  grant 'read_only' to Kanthi Rekha;

The above roles must be created in system_auth keyspace.

Comments

Post a Comment

Popular posts from this blog

Cassandra Reaper Configuration

Image
Cassandra Reaper  Reaper is an open source tool that aims to schedule and orchestrate repairs of Apache Cassandra clusters. It improves the existing nodetool repair process by Splitting repair jobs into smaller tunable segments. Handling back-pressure through monitoring running repairs and pending compactions. Adding ability to pause or cancel repairs and track progress precisely. It also gives us a simple web interface to schedule, run, pause or stop the repair process. Cassandra Reaper Configuration >> The main prerequisite to configure reaper is there must be some backend system to store the reaper data.  >> These may be: In-Memory Cassanda PostgresQL H2 Astra >> I'm choosing Cassandra as my backend. For that I must have Cassandra running on my machine. >> Then visit this website http://cassandra-reaper.io/docs/ to know about the detailed documentation  >> I downloaded rpm from the below link: >> Reaper download     ...
Read more

Authentication in Cassandra

Image
Authentication in Cassandra Authentication in Cassandra is disabled by default. Which allows any one on your network to connect to the database.  To enable authentication we must make changes in the main configuration file in Cassandra, the "Cassandra.yaml" file.  The default file: Changes to perform in cassandra.yaml file in order to enable authentication: Make the above changes and save the file. The changes to make effect on the node we must restart the node. Command used for restarting the node: nodetool drain; nodetool stopdaemon; cassandra  Now if we try to connect with the database. It throws the following error. Now it is asking for username and password. The default username and password after enabling authentication is  username = cassandra password = cassandra cqlsh -u cassandra -p cassandra Every one who uses Cassandra knows about this default username and password. So, if we continue with the same user and password then there is no need of enabling authe...
Read more