• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Serverless Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB Architecture FAQ
      • Astra DB glossary
      • Get support
    • Getting Started
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
      • Use integrations
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting private endpoints
        • AWS Private Link
        • Azure Private Link
        • GCP Private Endpoints
        • Connecting custom DNS
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Connecting Legacy drivers
        • Drivers retry policies
      • Get Secure Connect Bundle
    • Migrating
      • Components
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Proxy Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
        • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Leverage metrics provided by ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Glossary
      • Contribution guidelines
      • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Bring Your Own Key
          • BYOK AWS Astra Portal
          • BYOK GCP Astra Portal
          • BYOK AWS DevOps API
          • BYOK GCP DevOps API
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Export metrics to third party
          • Export metrics via Astra Portal
          • Export metrics via DevOps API
        • Manage access lists
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing BYOK AWS
        • Managing BYOK GCP
        • Managing access list
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • Astra CLI
    • Astra Block
      • Quickstart
      • FAQ
      • Data model
      • About NFTs
    • Developing with Stargate APIs
      • Develop with REST
      • Develop with Document
      • Develop with GraphQL
        • Develop with GraphQL (CQL-first)
        • Develop with GraphQL (Schema-first)
      • Develop with gRPC
        • gRPC Rust client
        • gRPC Go client
        • gRPC Node.js client
        • gRPC Java client
      • Develop with CQL
      • Tooling Resources
      • Node.js Document API client
      • Node.js REST API client
    • Stargate QuickStarts
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL API CQL-first QuickStart
    • API References
      • DevOps REST API v2
      • Stargate Document API v2
      • Stargate REST API v2
  • DataStax Astra DB Serverless Documentation
  • Securing

Securing Astra DB

Because security is a priority for all modern cloud applications, DataStax has implemented several protocols to ensure security remains a priority.

DataStax Astra DB is secured by default, including encryption over the wire and at rest. DataStax Astra DB instances are SOC2 Type2-compliant.

For details on Astra DB security, check out the Astra DB Security Whitepaper.

The following sections discuss security policies that are specific to Astra DB. To view security protocols implemented across DataStax, see Security assurance on the DataStax website.

Default Astra DB user permissions

When creating an DataStax Astra DB database, the default user is created with the required permissions to manage the created keyspace. This default user is not equivalent to the cassandra superuser. However, the default user is granted the following permissions in the keyspace created on the database:

  • Create, select, modify, drop, and describe database objects, including keyspaces, tables, and roles

  • Grant the same or lesser permissions to additional user roles

  • Create and drop additional user roles

You must be the default user to create additional users within the selected keyspace.

Security guidelines

Because security is a priority for all modern cloud applications, DataStax has implemented several protocols to ensure security remains a priority.

DataStax Astra DB is a SOC2 Type2-compliant database that is secured by default including encryption over the wire and at rest.

For details on Astra DB security, check out the Astra DB Security Whitepaper.

The following sections discuss security policies that are specific to Astra DB. To view security protocols implemented across DataStax, see Security Assurance.

Change your login password

Complete the following steps if you know your login password for the DataStax Astra Portal and want to change it.

Procedure

  1. Open a browser, navigate to Astra DB.

  2. Click the link, Forgot Password?. Type your email/username in the Forgot Your Password? dialog box.

  3. Click Reset My Password. A password reset link is sent to the email address associated with your account. If the email address you entered is found in the database, a message is sent to that address with a link to reset your password. The link expires within 15 minutes.

  4. In the password reset email, select Link to account update to reset your password.

  5. Select Click here to proceed.

  6. In the Update Password window, enter a new password, confirm the password, and select Submit to change your password.

Result

Your new password is recorded and can be used for subsequent logins to Astra Portal. Use your new password to log in.

Reset your password

Complete the following steps if you forgot or lost your password and want to reset it.

Procedure

  1. Open a browser, and navigate to DataStax Astra DB, and log in.

  2. Go to the left navigation, and click your avatar. Select Account Settings.

  3. In the Reset Your Password window, enter the email address associated with your account, then select Confirm. A password reset link is sent to the specified email address. The link expires within 15 minutes.

Result

Your password is reset and you are logged in to Astra DB.

Security highlights

More authentication options

On 4 March 2021, we updated Astra authentication to simplify how you connect with your database. Free and serverless databases were migrated to free plans with a $25 credit that renews each month. If your database was included in this migration, you will need to reset your database password.

Changes to your Astra database password

As of 4 March 2021, your existing database username and password will not work for your upgraded serverless databases. You will need to generate an application token to connect to your database with cqlsh, your existing driver, or any of our gRPC or REST or GraphQL APIs. To access your database via cqlsh or your existing driver, you will need to use the “Client ID” and “Client Secret” pair, that can be found when generating the application token, in place of your username and password respectively. This same Client ID and Client Secret pair can also be used as before when generating tokens to use with the gRPC or REST or GraphQL APIs or you can use the new “Token” generated as part of the application token. The new Token can be used in place of the existing authorization token generated by making a request to https://${ASTRA_DB_ID}-${ASTRA_DB_REGION}.apps.astra.datastax.com/api/rest/v1/auth. There is also one final option for authentication which is to use your existing Astra username and password in lieu of the previously mentioned Client ID and Client Secret but this is only recommended for development and testing use cases, not in production.

Easily manage complex user roles

To improve your security, you now have control over your user groups with custom roles and can assign roles by organization, database, keyspace, or tables. Your existing CQL roles will be mapped into new roles and can continue to be used in your local CQLSH. Other existing permissions have been mapped to an equivalent role with the same access.
You can also set up an application token for each role to interact with the gRPC, Document, REST, and GraphQL APIs. If you are connecting to your database using a driver, you will need to download a new secure connect bundle.
To continue using the DevOps API, you must regenerate your service account token.

Astra DB Plugin for HashiCorp Vault

DataStax Astra DB Plugin for HashiCorp Vault is an open-source project that adds dynamic token lifecycle management features for Astra DB. Due to the nature of the Astra DB object hierarchy, by default, API tokens are not associated with specific users and currently the tokens do not have metadata descriptions.

For more details, see the full Astra DB Plugin for HashiCorp Vault documentation in the plugin’s open-source GitHub repo.

Without the plugin, it’s easy to lose track of:

  • Who created tokens

  • The purpose of each token

  • Which tokens are being used actively

Consequently, there’s no audit trail of who has downloaded and used tokens, and there’s no tracking regarding who may have manually shared tokens with others.

Astra DB Plugin for HashiCorp Vault solves these security management issues. To ensure that your token ownership and usage are well understood, the plugin gives you the ability to associate metadata with tokens—such as the user who created each token, and what it is being used for. The plugin also logs who has accessed the tokens and provides dynamic token management.

Specifically, you can:

  • Define a default lease time

  • Create new tokens with lease settings

  • List tokens by each one’s Client ID

  • View lease details

  • List all leases

  • Renew a lease

  • Revoke a token/lease before the lease expires

  • Delete a token

What is Hashi Vault?

HashiCorp Vault is a widely-used solution across the tech industry. It’s an identity-based secrets and encryption management system. HashiCorp Vault from HashiCorp provides key-value encryption services that are gated by authentication and authorization methods. Access to tokens, secrets, and other sensitive data are securely stored, managed, and tightly controlled. Audit trails are provided. HashiCorp Vault is also extensible via a variety of interfaces, allowing plugins (including Astra DB Plugin for HashiCorp Vault) to contribute to this ecosystem.

What’s next?

See the full Astra DB Plugin for HashiCorp Vault documentation in the plugin’s open-source GitHub repo.

Database regions Security highlights

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage