Using the Cassandra bulk loader in a secure environment 

The Cassandra bulk loader is the sstableloader tool.

The command-line options for configuring secure sstableloader operations using Kerberos have changed slightly. If you run sstableloader from a DataStax Enterprise node that has been configured for Kerberos or for client-to-node/node-to-node encryption using SSL, the tool picks up all required options from the configured node automatically, and no additional configuration is needed to secure sstableloader operations. On an unconfigured developer machine, however, configure Kerberos or SSL as follows:

Kerberos 

If you have not configured Kerberos on a DataStax Enterprise node, but you want to run sstableloader in a secure Kerberos environment, set the options on the command line as follows:

  • To use credentials from the default ticket cache, no extra options are necessary. sstableloader uses the cached credentials automatically.

  • To set the keytab location through system properties, use this example as a guide to setting the options:

    JVM_OPTS="-Dkerberos.use.keytab=true \
        -Dkerberos.keytab=/home/dse/cassandra.keytab \
        -Dkerberos.client.principal=cassandra@LOCAL.DEV" \
        resources/cassandra/bin/sstableloader -d 192.168.56.102 /var/lib/cassandra/data/Keyspace1/Standard1

  • To set Kerberos options using the JAAS config, use this example as a guide to setting the options:

    JVM_OPTS="-Dkerberos.use.config.file=true \
        -Djava.security.auth.login.config=/home/dse/keytab-basic-jaas.conf" \
        resources/cassandra/bin/sstableloader -d 192.168.56.102 /var/lib/cassandra/data/Keyspace1/Standard1

  • In the JAAS config, /home/dse/keytab-basic-jaas.conf, set these options:

    Client {
      com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/home/dse/cassandra.keytab"
        principal="cassandra@LOCAL.DEV";
    };
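
The keytab holds the principal's long-term key, so it is worth checking its file permissions before pointing sstableloader at it. The following is an added example, not part of the DataStax documentation: the helper names is_private_file, write_jaas_conf and jaas_jvm_opts are hypothetical, and the script generates the JAAS file shown above only when the keytab is readable by its owner alone.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of DSE or sstableloader.

# Succeeds only if FILE exists and grants no permission bits to group or others.
is_private_file() {
    [ -f "$1" ] || return 1
    # Columns 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Write a keytab-based JAAS "Client" section (same options as above) to OUT.
# Usage: write_jaas_conf KEYTAB PRINCIPAL OUT
write_jaas_conf() {
    keytab=$1 principal=$2 out=$3
    if ! is_private_file "$keytab"; then
        echo "refusing: $keytab is missing or accessible to group/others" >&2
        return 1
    fi
    # Remove any old copy and set umask in a subshell so the file is created 0600.
    (
        umask 077
        rm -f -- "$out"
        cat > "$out" <<EOF
Client {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="$keytab"
    principal="$principal";
};
EOF
    )
}

# Print the JVM_OPTS value that points sstableloader at the JAAS file.
jaas_jvm_opts() {
    printf '%s %s\n' "-Dkerberos.use.config.file=true" \
        "-Djava.security.auth.login.config=$1"
}

# Typical use (paths and principal are the ones used on this page):
#   write_jaas_conf /home/dse/cassandra.keytab cassandra@LOCAL.DEV \
#       /home/dse/keytab-basic-jaas.conf &&
#   JVM_OPTS="$(jaas_jvm_opts /home/dse/keytab-basic-jaas.conf)" \
#       resources/cassandra/bin/sstableloader -d 192.168.56.102 \
#       /var/lib/cassandra/data/Keyspace1/Standard1
```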

Client- and node-to-node encryption using SSL 

If you have not configured SSL on a DataStax Enterprise node, but you want to run sstableloader in a secure SSL environment, you can use the sstableloader script from Apache Cassandra to load SSTables into a cluster with client-to-node/node-to-node SSL encryption enabled. Use the following basic options:

resources/cassandra/bin/sstableloader -d 192.168.56.102 /var/lib/cassandra/data/Keyspace1/Standard1 \
  -tf org.apache.cassandra.thrift.SSLTransportFactory \
  -ts /path/to/truststore \
  -tspw truststore_password

If the target is configured with require_client_auth=true, set these additional options:

resources/cassandra/bin/sstableloader -d 192.168.56.102 /var/lib/cassandra/data/Keyspace1/Standard1 \
  -tf org.apache.cassandra.thrift.SSLTransportFactory \
  -ts /path/to/truststore \
  -tspw truststore_password \
  -ks /path/to/keystore \
  -kspw keystore_password