DataStax Enterprise 3.0 and later includes a number of features for securing data. The security framework provides advanced data protection for enterprise-grade databases. You can secure a DataStax Community or DataStax Enterprise cluster using these features.
DataStax Enterprise offers additional security, not included in DataStax Community, to enterprises for mission-critical data:
DataStax Enterprise 3.0 uses the versions of CQL available in Cassandra 1.1.x and backports additional CQL security commands from later versions of Cassandra.
Assuming you configure security features, this table describes exactly which data is secured (or not) based on the workload type: real-time Cassandra (DSE/Cassandra), analytics (Hadoop), and DSE/Search (Solr).
|Object permission management||Yes||Partial ||Partial |
|Client to node encryption||Yes ||Yes ||Yes |
|Kerberos authentication||Yes ||Yes||Yes|
|Transparent data encryption||Yes ||Yes||Partial |
|Data auditing||Yes||Partial ||Partial |
 Permissions to access objects stored in Cassandra are checked. The Solr cache and indexes and the Hadoop cache are not under control of Cassandra, and therefore are not checked. You can, however, set up permission checks to occur on column families that store Hadoop or Solr data.
 The inter-node gossip protocol is protected using SSL.
 The Thrift interface between Hadoop and the Cassandra File System (CFS) is SSL-protected. Inter-tracker communication is Kerberos authenticated, but not SSL secured. Hadoop access to Cassandra is SSL- and Kerberos-protected.
 HTTP access to the DSE Search/Solr data is protected using SSL. Internal Solr communication is also protected using SSL.
 The inter-node gossip protocol is not authenticated using Kerberos. If desired, inter-node SSL is used.
 Cassandra commit log data is not encrypted, only at rest data is encrypted.
 Data in DSE/Search Solr column families is encrypted by Cassandra. Encryption has a slight performance impact, but ensures the encryption of original documents after Cassandra permanently stores the documents on disk. However, Solr cache data and Solr index data (metadata) is not encrypted.
 Hadoop and Solr data auditing is done at the Cassandra access level, so requests to access Cassandra data is audited. The inter-node gossip protocol is protected using SSL.
Both the Kerberos and SSL libraries provide authentication, encryption, and integrity protection:
The security table summarizes the security features of DSE Search/Solr and other integrated components. DSE Search data is completely or partially secured by using these DataStax Enterprise security features:
Access to Solr documents, excluding cached data, can be limited to users who have been granted access permissions. Permission management also secures column families used to store Solr data.
Data at rest in Cassandra column families, excluding cached and Solr-indexed data, can be encrypted. Encryption occurs on the Cassandra side and impacts performance slightly.
You can encrypt HTTP access to Solr data and internal Solr communication using SSL. Enable SSL inter-node encryption on the Solr node by setting encryption options in the dse.yaml file as described in Client-to-node encryption.
You can authenticate DSE Search users through Kerberos authentication using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO).
To configure password authentication for accessing DSE Search/Solr data:
Uncomment the PasswordAuthenticator in cassandra.yaml to enable HTTP Basic authentication for Solr.
#authentication backend, implementing IAuthenticator; used to identify users #authenticator: org.apache.cassandra.auth.AllowAllAuthenticator authenticator: com.datastax.bdp.cassandra.auth.PasswordAuthenticator #authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
Start the server.
Open a browser, and go to the service web page, for example http://localhost:8983/demos/wikipedia/.
The browser asks you for a Cassandra username and password.