Securing DSE Graph

DSE Graph data is completely or partially secured by using DataStax Enterprise security features.

DataStax Enterprise supports secure enterprise graph-database operations. The following list summarizes the security features that apply to DSE Graph and the integrated components it relies on:
  • Object permission management

    Limit access to graph keyspaces to roles that have been granted access permissions. Permission management also secures the underlying tables that store graph data; it does not cover cached data.

  • Transparent data encryption

    Data at rest in Cassandra tables can be encrypted, including DSE Graph indexes, which are built on Cassandra tables. Cached data is not encrypted. Encryption is performed on the Cassandra side and has a slight performance impact.

  • Client-to-node encryption

    Use SSL to encrypt client access to graph data (client-to-node encryption) on a DSE Graph node.
    • Enable SSL client-to-node encryption on the DSE Graph node by setting the client_encryption_options in the cassandra.yaml file.
    • Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to ensure support for all encryption algorithms.

      Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are available only when the JCE Unlimited Strength Jurisdiction Policy Files are installed; without them, those suites cannot be negotiated.

  • Kerberos authentication (use it for DSE Graph in production)

    DSE Graph users can be authenticated with Kerberos through the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). To use Kerberos authentication together with SSL encryption from the Gremlin console, modify remote.yaml to include the following:
      hosts: [hostname-because-it's-kerberos]
      username: null
      password: null
      jaasEntry: DseClient
      # protocol is the same as the service_principal set in dse.yaml
      protocol: your_dse_principal
      connectionPool: {enableSsl: true}
    List the node under hosts by hostname rather than IP address, because the Kerberos service principal is bound to the hostname. A password set to null is ignored in remote.yaml.

Cassandra password authentication or DataStax Enterprise LDAP authentication

DSE Graph authentication is handled by DSE Authentication because the underlying storage is Cassandra, and permissions are granted with CQL from cqlsh. After creating roles, grant each role permissions on all three keyspaces that back a graph:
  • graphname (the keyspace created for the graph, named after it)
  • graphname_pvt (keyspace holding the partitioned vertex tables)
  • graphname_system (keyspace holding shared graph information)
Using cqlsh, run:
  GRANT <permission type> ON KEYSPACE <graphname> TO <rolename>;
  GRANT <permission type> ON KEYSPACE <graphname_pvt> TO <rolename>;
  GRANT <permission type> ON KEYSPACE <graphname_system> TO <rolename>;
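As an added example (not from the DSE documentation), the following cqlsh session creates two login roles for a graph assumed to be named food and grants each the minimum it needs on all three backing keyspaces; the role names, passwords and graph name are illustrative. It follows the permission tables below: SELECT alone gives a role connection plus read access, MODIFY adds the ability to add vertices, and neither grants schema changes.

```cql
-- Added example: role names, passwords and the graph name 'food' are assumed.
-- Run in cqlsh as a superuser after authentication and authorization are enabled.

-- Read-only role with internal password authentication.
CREATE ROLE IF NOT EXISTS food_reader WITH PASSWORD = 'change-me' AND LOGIN = true;

-- A grant on the graph keyspace alone is not enough: the partitioned vertex
-- tables and the graph's shared information live in the two sibling keyspaces.
GRANT SELECT ON KEYSPACE food        TO food_reader;
GRANT SELECT ON KEYSPACE food_pvt    TO food_reader;
GRANT SELECT ON KEYSPACE food_system TO food_reader;

-- Writer role: SELECT to read back, MODIFY to add vertices. No CREATE/ALTER/DROP,
-- so this role cannot change the graph schema.
CREATE ROLE IF NOT EXISTS food_writer WITH PASSWORD = 'change-me-too' AND LOGIN = true;
GRANT SELECT ON KEYSPACE food        TO food_writer;
GRANT MODIFY ON KEYSPACE food        TO food_writer;
GRANT SELECT ON KEYSPACE food_pvt    TO food_writer;
GRANT MODIFY ON KEYSPACE food_pvt    TO food_writer;
GRANT SELECT ON KEYSPACE food_system TO food_writer;
GRANT MODIFY ON KEYSPACE food_system TO food_writer;

-- Verify: each role should list an entry for all three keyspaces of the graph.
LIST ALL PERMISSIONS OF food_reader;
LIST ALL PERMISSIONS OF food_writer;

-- Revocation is also per keyspace; revoking on one keyspace leaves the others intact.
REVOKE MODIFY ON KEYSPACE food FROM food_writer;
```

Because CREATE ROLE statements contain the password in cleartext, they are recorded in the cqlsh command history on the workstation; clear or protect that history after creating roles.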
The following tables show how role permissions affect access to graph operations (T = the operation is permitted, F = the operation is denied, n/a = not applicable):

Operation            Superuser   Non-user   Plain user, no role   All graph permissions
Connection           T           F          F                     T
Select               T           F          F                     T
Schema change        T           F          F                     T
Add vertex           T           F          F                     T
Create/Drop vertex   T,T         F,n/a      F                     T,T

Operation            CREATE role   SELECT role   ALTER role   MODIFY role
Connection           T             T             T            T
Select               F             T             F            F
Schema change        F             F             F            F
Add vertex           F             F             T            T
Create/Drop vertex   F             F             F            F

Operation            CREATE/SELECT role   CREATE/ALTER role   CREATE/MODIFY role   CREATE/ALTER/DROP role
Connection           T                    T                   T                    T
Select               T                    F                   F                    F
Schema change        F                    F                   F                    T
Add vertex           F                    F                   T                    F
Create/Drop vertex   F                    F                   F                    F

Note: Connection refers to the ability to connect to the DSE Graph Server. Any granted permission is enough to connect, so connecting does not by itself imply read or write access.
To use internal Cassandra password authentication or LDAP authentication, client applications must provide credentials. For the Gremlin console, the credentials are entered in the remote.yaml file; for instance, the following lines are added:
  username: realuser
  password: password
  connectionPool: {enableSsl: false}
where username and password are the internal or LDAP credentials. A password must be present for internal or LDAP authentication. With enableSsl: false the password crosses the network in cleartext, so in production enable client-to-node encryption on the node and set enableSsl: true.
Note: LDAP has an internal credential cache, and its settings can greatly affect the performance of graph queries. The critical setting is credentials_validity_in_ms in the dse.yaml file: a value of 0 causes DSE to query LDAP on every operation that requires authentication. The related search_validity_in_seconds setting performs better at a higher value, such as 1800 (30 minutes). The trade-off is that a credential changed or revoked in LDAP remains accepted by DSE until its cached entry expires, so choose validity periods that the organization's revocation requirements can tolerate.

To secure DSE Graph in production, enable authentication in DataStax Enterprise using Kerberos, LDAP, or internal Cassandra password authentication.

The location of the cassandra.yaml file depends on the type of installation:
  Installer-Services      /etc/dse/cassandra/cassandra.yaml
  Package installations   /etc/dse/cassandra/cassandra.yaml
  Installer-No Services   install_location/resources/cassandra/conf/cassandra.yaml
  Tarball installations   install_location/resources/cassandra/conf/cassandra.yaml

The location of the dse.yaml file depends on the type of installation:
  Installer-Services      /etc/dse/dse.yaml
  Package installations   /etc/dse/dse.yaml
  Installer-No Services   install_location/resources/dse/conf/dse.yaml
  Tarball installations   install_location/resources/dse/conf/dse.yaml

The location of the remote.yaml file depends on the type of installation:
  Installer-Services      /etc/dse/graph/gremlin-console/conf/remote.yaml
  Package installations   /etc/dse/graph/gremlin-console/conf/remote.yaml
  Installer-No Services   install_location/resources/graph/gremlin-console/conf/remote.yaml
  Tarball installations   install_location/resources/graph/gremlin-console/conf/remote.yaml