Securing the sstableloader in an unsecure environment

Steps (for a development environment) to configure the sstableloader (Cassandra bulk loader) with Kerberos or SSL.

The sstableloader tool is also called the Cassandra bulk loader. If you run sstableloader from a DataStax Enterprise node that has been configured for Kerberos or for client-to-node/node-to-node encryption using SSL, the tool picks up all required options from the configured node automatically, so no additional configuration is needed to secure sstableloader operations. On an unconfigured development machine, however, configure Kerberos or SSL as follows:

Securing the sstableloader for Kerberos 

If you have not configured Kerberos on a DataStax Enterprise node, but you want to run sstableloader in a secure Kerberos environment, set the options on the command line as follows:

  • To use credentials from the default ticket cache, no extra options are necessary; sstableloader uses the cached credentials automatically.

  • To set the keytab location through system properties, use this example as a guide to setting the options:

    JVM_OPTS="-Dkerberos.use.keytab=true \
        -Dkerberos.keytab=/home/dse/cassandra.keytab \
        -Dkerberos.client.principal=cassandra@LOCAL.DEV" \
        resources/cassandra/bin/sstableloader -d 192.168.56.102 /var/lib/cassandra/data/Keyspace1/Standard1

  • To set Kerberos options using the JAAS config, use this example as a guide to setting the options:

    JVM_OPTS="-Dkerberos.use.config.file=true \
        -Djava.security.auth.login.config=/home/dse/keytab-basic-jaas.conf" \
        resources/cassandra/bin/sstableloader -d 192.168.56.102 /var/lib/cassandra/data/Keyspace1/Standard1

  • In the JAAS config, /home/dse/keytab-basic-jaas.conf, set these options:

    Client {
      com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/home/dse/cassandra.keytab"
        principal="cassandra@LOCAL.DEV";
    };
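
A pre-flight check for the keytab-based JAAS setup above, as an added example that is not part of the DataStax documentation: it parses the Client entry, confirms useKeyTab, principal and keyTab, and rejects a keytab that has any group or other permission bits set. The helper names and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not DataStax code. jaas_opt, check_jaas_keytab and make_sample
# are hypothetical helper names.

# Print the value of one option (key=value or key="value") from a JAAS file.
jaas_opt() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\";]*\)\"\{0,1\};\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Succeed only if the JAAS file enables a keytab, names a principal, and the
# keytab exists with no group/other permission bits. Prints "principal keytab".
check_jaas_keytab() {
    conf=$1
    [ -r "$conf" ] || { echo "JAAS config not readable: $conf" >&2; return 1; }
    use=$(jaas_opt "$conf" useKeyTab)
    keytab=$(jaas_opt "$conf" keyTab)
    principal=$(jaas_opt "$conf" principal)
    [ "$use" = "true" ] || { echo "useKeyTab is not true in $conf" >&2; return 1; }
    [ -n "$principal" ] || { echo "no principal set in $conf" >&2; return 1; }
    [ -f "$keytab" ] || { echo "keytab not found: $keytab" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$keytab" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "keytab open beyond owner: $keytab" >&2; return 1; }
    echo "$principal $keytab"
}

# Constructed sample: a JAAS file plus an empty stand-in keytab with mode $1.
make_sample() {
    dir=$(mktemp -d)
    : > "$dir/cassandra.keytab"
    chmod "$1" "$dir/cassandra.keytab"
    cat > "$dir/jaas.conf" <<EOF
Client {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="$dir/cassandra.keytab"
    principal="cassandra@LOCAL.DEV";
};
EOF
    echo "$dir/jaas.conf"
}

sample=$(make_sample 600) && check_jaas_keytab "$sample"
```

Run the check against the real file, for example check_jaas_keytab /home/dse/keytab-basic-jaas.conf, before exporting JVM_OPTS and starting sstableloader.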

Securing the sstableloader for SSL 

If you have not configured SSL on a DataStax Enterprise node, but you want to run sstableloader in a secure SSL environment, you can use the sstableloader script from Apache Cassandra to load SSTables into a cluster with client-to-node/node-to-node SSL encryption enabled. Use the following basic options:

resources/cassandra/bin/sstableloader -d 192.168.56.102 /var/lib/cassandra/data/Keyspace1/Standard1 \
  -tf org.apache.cassandra.thrift.SSLTransportFactory \
  -ts /path/to/truststore \
  -tspw truststore_password

If the target is configured with require_client_auth=true, also set the keystore options:

resources/cassandra/bin/sstableloader -d 192.168.56.102 /var/lib/cassandra/data/Keyspace1/Standard1 \
  -tf org.apache.cassandra.thrift.SSLTransportFactory \
  -ts /path/to/truststore \
  -tspw truststore_password \
  -ks /path/to/keystore \
  -kspw keystore_password