Securing DSE Search
DSE Search data is completely or partially secured by using DataStax Enterprise security features.
DataStax Enterprise supports secure enterprise search using Apache Solr and Lucene. The following summary lists the security features that apply to DSE Search and the other integrated components:
- Object permission management
Limit access to Solr documents, excluding cached data, to roles that have been granted access permissions. Permission management also secures the tables that are used to store Solr data.
- Transparent data encryption
Data at rest in Cassandra tables can be encrypted, including DSE Search index encryption. Cached data is not encrypted. Encryption occurs on the Cassandra side and impacts performance slightly.
- Client-to-node encryption
Enable SSL to securely configure DSE. You can use SSL to encrypt HTTP access to Solr data and client-to-node encryption on the DSE Search node.
- Enable SSL client-to-node encryption on the DSE Search node by setting the client_encryption_options in the cassandra.yaml file.
- Install JCE to ensure support for all encryption algorithms.
Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. To ensure support for all encryption algorithms, install the JCE Unlimited Strength Jurisdiction Policy Files.
- To satisfy specific security requirements with SSL, you can change the IP address used for client connections to DSE Search, for example to isolate a subnet.
- Kerberos authentication
Use Kerberos authentication for DSE Search in production.
You can authenticate DSE Search users through Kerberos authentication using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). To use the SolrJ API against DSE Search clusters with Kerberos authentication, client applications should use the SolrJ-Auth library and the DataStax Enterprise SolrJ component as described in the solrj-auth-README.md file.
- Cassandra password authentication or DataStax Enterprise LDAP authentication
Although you can use HTTP Basic Authentication, it is not recommended for production.
When you use internal Cassandra password authentication, client applications must use HTTP Basic Authentication to provide credentials to Solr services. Due to the stateless nature of HTTP Basic Authentication, the authenticator can have a significant performance impact as the authentication process must be executed on each HTTP request. For this reason, DataStax does not recommend using internal authentication on DSE Search clusters in production. To secure DSE Search in production, enable DataStax Enterprise with Kerberos authentication or search using CQL instead.
| Installation type | cassandra.yaml location |
|---|---|
| Installer-Services | /etc/dse/cassandra/cassandra.yaml |
| Package installations | /etc/dse/cassandra/cassandra.yaml |
| Installer-No Services | install_location/resources/cassandra/conf/cassandra.yaml |
| Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |

| Installation type | dse.yaml location |
|---|---|
| Installer-Services | /etc/dse/dse.yaml |
| Package installations | /etc/dse/dse.yaml |
| Installer-No Services | install_location/resources/dse/conf/dse.yaml |
| Tarball installations | install_location/resources/dse/conf/dse.yaml |

| Installation type | server.xml location |
|---|---|
| Installer-Services and Package installations | /etc/dse/resources/tomcat/conf/server.xml |
| Installer-No Services and Tarball installations | /etc/dse/tomcat/conf/server.xml |
To configure DSE Search to use Cassandra internal authentication:
- To enable HTTP Basic authentication for Solr, uncomment the authenticator setting in cassandra.yaml and replace PasswordAuthenticator with DseAuthenticator (the DSE authenticators live in the com.datastax.bdp.cassandra.auth package):

```yaml
#authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
#authenticator: com.datastax.bdp.cassandra.auth.PasswordAuthenticator
#authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
```
- Configure the replication strategy for the system_auth keyspace.
- Start the server.
- In a web browser, go to the service web page. For example, assuming you ran the Wikipedia demo, go to http://localhost:8983/demos/wikipedia/. When prompted, provide the Cassandra role and password.
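As an added check that is not part of the DataStax documentation, the following Python script audits a cassandra.yaml for the two settings this page changes: the authenticator class and client_encryption_options.enabled. It assumes the flat, one-level layout those keys have (its reader is not a general YAML parser) and works on constructed sample fragments rather than a real node's file.

```python
import re

# Constructed sample cassandra.yaml fragments (not copied from any real node).
WEAK_YAML = """\
authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
#authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
client_encryption_options:
    enabled: false
    keystore: conf/.keystore
"""
HARDENED_YAML = """\
#authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
client_encryption_options:
    enabled: true
    keystore: conf/.keystore
"""

_KEY = re.compile(r"^(\s*)([A-Za-z_][\w.]*):\s*(.*)$")


def parse_settings(text):
    """Read uncommented top-level 'key: value' lines plus one level of
    indented sub-keys; anything else (lists, deeper nesting) is ignored."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop YAML comments
        m = _KEY.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent == "":                           # top-level key
            current = key
            settings[key] = value.strip() or {}    # empty value: a mapping follows
        elif isinstance(settings.get(current), dict):   # sub-key of that mapping
            settings[current][key] = value.strip()
    return settings


def audit(text):
    """Return findings for the settings this page tells you to set;
    an empty list means both are set as the procedure describes."""
    s, findings = parse_settings(text), []
    auth = s.get("authenticator", "")
    if not auth or auth.endswith("AllowAllAuthenticator"):
        findings.append("authenticator: Solr HTTP endpoints accept unauthenticated requests")
    enc = s.get("client_encryption_options", {})
    if not isinstance(enc, dict) or enc.get("enabled", "false").lower() != "true":
        findings.append("client_encryption_options.enabled: Solr HTTP traffic is not TLS-protected")
    return findings
```

Run audit() over the file from the cassandra.yaml location table above for your installation type; each finding names the key to change.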