Configuring firewall port access
If a firewall runs on the nodes in the Cassandra or DataStax Enterprise cluster, open up ports to allow communication between the nodes.
All network security starts with strict and proper firewall rules on interfaces that are exposed to the internet, allowing only the absolute minimum traffic in or out of your network. Firewall security is especially important when running your infrastructure in a public cloud. Wherever you run your clusters, DataStax strongly recommends running a firewall on all nodes in your Cassandra or DataStax Enterprise cluster.
Begin with a restrictive configuration that blocks all traffic except SSH. Then, open up the following ports to allow communication between the nodes, including certain Cassandra ports. If these ports are not opened, the node acts as a standalone database server rather than joining the database cluster when you start Cassandra (or Hadoop in DataStax Enterprise) on a node.
Procedure
The location of the cassandra.yaml file depends on the type of installation:
Package installations | /etc/dse/cassandra/cassandra.yaml |
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |
Port | Description | Configurable in |
---|---|---|
Public Facing Ports | | |
22 | SSH (default) | See your OS documentation on sshd. |
DataStax Enterprise public ports | | |
4040 | Spark application web site port. | |
7080 | Spark Master web site port. | spark-env.sh |
7081 | Spark Worker web site port. | spark-env.sh |
8012 | Hadoop Job Tracker client port. The Job Tracker listens on this port for job submissions and communications from Task Trackers; allows traffic from each analytics node in a cluster. | cassandra.yaml |
8983 | Solr port and Demo applications web site port (Portfolio, Search, Search log, Weather Sensors) | |
8090 | Spark Jobserver REST API port. | See Spark Jobserver. |
9999 | Spark Jobserver JMX port. Only required if Spark Jobserver is running and remote access to JMX is required. | |
18080 | Spark application history server web site port. Only required if Spark application history server is running. Can be changed with the spark.history.ui.port setting. | See Spark history server. |
50030 | Hadoop Job Tracker web site port. The Job Tracker listens on this port for HTTP requests. If initiated from the OpsCenter, these requests are proxied through the opscenterd daemon; otherwise, they come directly from the browser. [1] | mapred-site.xml using the mapred.job.tracker.http.address property. |
50060 | Hadoop Task Tracker web site port. Each Task Tracker listens on this port for HTTP requests coming directly from the browser and not proxied by the opscenterd daemon. [1] | mapred-site.xml using the mapred.task.tracker.http.address property. |
OpsCenter public ports | | |
8888 | OpsCenter web site port. The opscenterd daemon listens on this port for HTTP requests coming directly from the browser. [1] | opscenterd.conf |
Inter-node Ports | | |
Cassandra inter-node ports | | |
1024 - 65355 | JMX reconnection/loopback ports. Please read the description for port 7199. | |
7000 | Cassandra inter-node cluster communication port. | cassandra.yaml. See storage_port. |
7001 | Cassandra SSL inter-node cluster communication port. | cassandra.yaml. See ssl_storage_port. |
7199 | Cassandra JMX monitoring port. | cassandra-env.sh. See JMX options in Tuning Java resources. |
9160 | Cassandra client (Thrift) port. OpsCenter agents make Thrift requests to their local node on this port. Additionally, the port can be used by the opscenterd daemon to make Thrift requests to each node in the cluster. | cassandra.yaml. See rpc_port. |
DataStax Enterprise inter-node ports | | |
7077 | Spark Master inter-node communication port. | dse.yaml |
8984 | Solr inter-node communication port. | dse.yaml |
9042 | CQL native clients port. | cassandra.yaml |
9290 | Hadoop Job Tracker Thrift port. The Job Tracker listens on this port for Thrift requests coming from the opscenterd daemon. | |
10000 | Hive server port. | Set with the -p option in the dse hive --service hiveserver -p port command or configure in hive-site.xml. |
10000 | Spark SQL Thrift server port. Only required if Spark SQL Thrift server is running. | Set with the -p option with the Spark SQL Thrift server. |
OpsCenter specific inter-node | | |
50031 | OpsCenter HTTP proxy for Job Tracker port. The opscenterd daemon listens on this port for incoming HTTP requests from the browser when viewing the Hadoop Job Tracker page directly. [1] | |
61620 | OpsCenter monitoring port. The opscenterd daemon listens on this port for TCP traffic coming from the agent. [1] | |
61621 | OpsCenter agent port. The agents listen on this port for SSL traffic initiated by OpsCenter. [1] | |
For use with Spark, the default location of the hive-site.xml file is:
Installer-Services and Package installations | /etc/dse/spark/hive-site.xml |
Installer-No Services and Tarball installations | install_location/resources/spark/conf/hive-site.xml |
For use with Hive, the default location of the hive-site.xml file is:
Installer-Services and Package installations | /etc/dse/hive/hive-site.xml |
Installer-No Services and Tarball installations | install_location/resources/hive/conf/hive-site.xml |
The location of the dse.yaml file depends on the type of installation:
Installer-Services | /etc/dse/dse.yaml |
Package installations | /etc/dse/dse.yaml |
Installer-No Services | install_location/resources/dse/conf/dse.yaml |
Tarball installations | install_location/resources/dse/conf/dse.yaml |
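
One way to express the procedure above for a single node, as an added example that is not DataStax's own configuration: a shell function that prints an iptables-restore ruleset with a default-drop inbound policy, SSH, and the Cassandra ports from the table opened only to named sources. The choice of iptables, the addresses, and the split between peer, client and OpsCenter sources are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it does not apply it.
# Constructed sample values (assumptions, not from the page):
PEERS="10.0.0.11 10.0.0.12 10.0.0.13"   # other nodes in the cluster
CLIENT_CIDR="10.0.1.0/24"               # application servers using CQL/Thrift
OPSCENTER_HOST="10.0.0.5"               # machine running opscenterd

# Accept only dotted-quad IPv4 with an optional /prefix, so that a stray
# value in the source list cannot turn into extra rule text.
valid_src() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# allow SRC PORTS: emit one ACCEPT rule for TCP PORTS (comma list) from SRC.
allow() {
    valid_src "$1" || { echo "bad source address: $1" >&2; return 1; }
    echo "-A INPUT -s $1 -p tcp -m multiport --dports $2 -j ACCEPT"
}

gen_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"          # restrictive default: drop inbound
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"   # local JMX and agent-to-node Thrift
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -p tcp --dport 22 -j ACCEPT"   # SSH
    for peer in $PEERS; do
        # storage_port, ssl_storage_port and JMX: cluster peers only
        allow "$peer" 7000,7001,7199 || return 1
    done
    allow "$CLIENT_CIDR" 9042,9160 || return 1   # CQL native and Thrift clients
    allow "$OPSCENTER_HOST" 61621 || return 1    # opscenterd to the local agent
    echo "COMMIT"
}

gen_rules
```

Review the printed ruleset before loading it with iptables-restore as root, and add further ports from the table (Spark, Solr, Hadoop) only on nodes that run those services.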