Cassandra Security: Configuring internal authorization


Example

By default, each user can access all data in Cassandra. To grant object permissions to individual users, you have to configure a different authorizer in your cassandra.yaml.

# Grant all permissions to all users
# authorizer: AllowAllAuthorizer

# Use object permissions managed internally by Cassandra
authorizer: CassandraAuthorizer

Permissions for individual users will be stored in the internal system_auth keyspace. You should change its replication settings if you haven't already done so while enabling password-based authentication.

For SimpleStrategy (where N is the number of nodes in your cluster):

ALTER KEYSPACE system_auth WITH replication = {'class': 'SimpleStrategy', 'replication_factor': N};

For NetworkTopologyStrategy (where N is the number of nodes in the corresponding data center):

ALTER KEYSPACE system_auth WITH replication =  { 'class' : 'NetworkTopologyStrategy', 'datacenter1' : N };

Restart each node after the changes described above. You'll now be able to set permissions using, for example, the following commands.

Grant all permissions on the specified keyspace to a role:

GRANT ALL ON KEYSPACE keyspace_name TO role_name;

Grant read permissions on all keyspaces:

GRANT SELECT ON ALL KEYSPACES TO role_name;

Allow execution of INSERT, UPDATE, DELETE and TRUNCATE statements on a certain keyspace:

GRANT MODIFY ON KEYSPACE keyspace_name TO role_name;

Allow changing keyspaces, tables and indices for a certain keyspace:

GRANT ALTER ON KEYSPACE keyspace_name TO role_name;

Please note that permissions are cached for permissions_validity_in_ms (set in cassandra.yaml), so changes might not take effect instantly.
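
The following check is an added example, not part of the original page: it reads cassandra.yaml text offline and reports the two settings discussed above, the authorizer and the permissions cache window. The sample configurations are constructed, and the 10-second threshold is an assumed site policy, not a Cassandra limit.

```python
import re

# Active top-level "key: value" lines only; commented-out or nested lines never match.
_SETTING = re.compile(r"^([A-Za-z_]\w*):\s*([^#\n]*?)\s*(?:#.*)?$")
MAX_CACHE_MS = 10_000  # assumed site policy for this example, not a Cassandra limit


def read_settings(yaml_text):
    """Collect active top-level scalar settings from cassandra.yaml text."""
    settings = {}
    for line in yaml_text.splitlines():
        m = _SETTING.match(line)
        if m and m.group(2):
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def audit_authorization(yaml_text, max_cache_ms=MAX_CACHE_MS):
    """Return findings about the authorizer and the permissions cache."""
    cfg = read_settings(yaml_text)
    # A missing or commented-out key falls back to the allow-all default.
    authorizer = cfg.get("authorizer", "AllowAllAuthorizer")
    if authorizer.rsplit(".", 1)[-1] == "AllowAllAuthorizer":
        return ["authorizer is AllowAllAuthorizer: every user can access all data"]
    findings = []
    validity = cfg.get("permissions_validity_in_ms")
    if validity is not None and not validity.isdigit():
        findings.append(f"permissions_validity_in_ms is not a number: {validity!r}")
    elif validity is not None and int(validity) > max_cache_ms:
        findings.append(f"permission changes may take up to {validity} ms to apply")
    return findings


# Constructed sample configurations (not taken from a real cluster).
WEAK = "# authorizer: CassandraAuthorizer\nauthorizer: AllowAllAuthorizer\n"
SLOW = "authorizer: CassandraAuthorizer\npermissions_validity_in_ms: 60000  # 1 min\n"
GOOD = "authorizer: CassandraAuthorizer\npermissions_validity_in_ms: 2000\n"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("SLOW", SLOW), ("GOOD", GOOD)):
        print(name, audit_authorization(text) or "ok")
```

Run it against each node's configuration, since a single node left on AllowAllAuthorizer will not enforce any GRANT or REVOKE.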