Securing DSE Graph
DSE Graph data is completely or partially secured by using DataStax Enterprise security features.
- Object permission management: Limit access to the graph keyspaces to roles that have been granted access permissions. Permission management also secures the tables that store graph data. Cached data is not covered by permissions.
- Transparent data encryption: Data at rest in Cassandra tables can be encrypted, including DSE Graph indexes, which are built using Cassandra tables. Cached data is not encrypted. Encryption occurs on the Cassandra side and slightly impacts performance.
- Client-to-node encryption: SSL encrypts the traffic between clients and a DSE Graph node (client-to-node encryption), protecting graph data in transit.
To enable SSL for DSE Graph:
- Enable SSL client-to-node encryption on the DSE Graph node by setting client_encryption_options in the cassandra.yaml file.
- Install JCE to ensure support for all encryption algorithms. Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. To ensure support for all encryption algorithms, install the JCE Unlimited Strength Jurisdiction Policy Files for the JDK that runs DSE. (Java 8u161 and later enable the unlimited policy by default, so this step is only needed on older JDKs.)
Use Kerberos authentication for DSE Graph in production.
You can authenticate DSE Graph users through Kerberos authentication using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). To use Kerberos authentication and SSL encryption with the Gremlin console, remote.yaml must be modified to include the following:
```yaml
hosts: [hostname-because-it's-kerberos]
username: null
password: null
jaasEntry: DseClient
# protocol is the same as the service_principal set in dse.yaml
protocol: your_dse_principal
connectionPool: {enableSsl: true}
```
A password set to null is ignored in remote.yaml; with Kerberos the credentials come from the JAAS entry, not from the file.
Cassandra password authentication or DataStax Enterprise LDAP authentication
DSE Graph stores each graph in three keyspaces, so a role needs permissions on all three:
- graphname (the keyspace named for the graph)
- graphname_pvt (the keyspace holding the partitioned vertex tables)
- graphname_system (the keyspace for shared graph system information)
Grant permissions on each keyspace with CQL:
GRANT <permission type> ON KEYSPACE <graphname> TO <rolename>;
GRANT <permission type> ON KEYSPACE <graphname_pvt> TO <rolename>;
GRANT <permission type> ON KEYSPACE <graphname_system> TO <rolename>;
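The GRANT statements above are a template. The following Python helper, added here as an example and not part of the DataStax documentation or of DSE, expands the template to the three keyspaces a graph uses and refuses any graph or role name that is not a plain CQL identifier, so a name taken from user input cannot smuggle extra statements into a script that is piped to cqlsh. The permission list is the set CQL accepts on a keyspace; the graph name food and the role graph_reader are made up.

```python
import re

# Permissions CQL GRANT accepts on a keyspace (ALL expands to the rest).
KEYSPACE_PERMISSIONS = {"ALL", "ALTER", "AUTHORIZE", "CREATE", "DROP", "MODIFY", "SELECT"}

# Unquoted CQL identifier: letters, digits and underscores, not starting with a digit.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_cql_identifier(name):
    """True if name can be used unquoted in CQL. Reserved words are not
    checked; quoted identifiers (spaces, mixed case) are deliberately rejected."""
    return bool(_IDENTIFIER.match(name))


def graph_keyspaces(graphname):
    """The three keyspaces DSE Graph creates for a graph: the graph itself,
    the partitioned-vertex keyspace and the system keyspace."""
    if not is_cql_identifier(graphname):
        raise ValueError("graph name is not a plain CQL identifier: %r" % (graphname,))
    return [graphname, graphname + "_pvt", graphname + "_system"]


def grant_statements(graphname, rolename, permissions):
    """One GRANT statement per (keyspace, permission) pair.

    Every name is validated before it is interpolated, so a role name such as
    'x TO admin; GRANT ALL ON ALL KEYSPACES' raises instead of turning into
    extra statements when the output is fed to cqlsh.
    """
    if not is_cql_identifier(rolename):
        raise ValueError("role name is not a plain CQL identifier: %r" % (rolename,))
    perms = [p.upper() for p in permissions]
    unknown = sorted(set(perms) - KEYSPACE_PERMISSIONS)
    if unknown:
        raise ValueError("unknown keyspace permission(s): %s" % ", ".join(unknown))
    return [
        "GRANT %s ON KEYSPACE %s TO %s;" % (perm, keyspace, rolename)
        for keyspace in graph_keyspaces(graphname)
        for perm in perms
    ]


if __name__ == "__main__":
    # Hypothetical graph and role names; run the output in cqlsh as a superuser.
    for statement in grant_statements("food", "graph_reader", ["SELECT"]):
        print(statement)
```

The helper only builds statements; executing them still requires a superuser (or a role holding AUTHORIZE) connected through cqlsh or a driver.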
The following tables show which graph operations each kind of account can perform (T = allowed, F = denied), first by account type:
Operation | Superuser | Non-user | Plain user, no role | All graph permissions |
---|---|---|---|---|
Connection | T | F | F | T |
Select | T | F | F | T |
Schema change | T | F | F | T |
Add vertex | T | F | F | T |
Create/Drop vertex | T,T | F,n/a | F | T,T |
Then for a role holding a single permission on the graph keyspaces:
Operation | CREATE role | SELECT role | ALTER role | MODIFY role |
---|---|---|---|---|
Connection | T | T | T | T |
Select | F | T | F | F |
Schema change | F | F | F | F |
Add vertex | F | F | T | T |
Create/Drop vertex | F | F | F | F |
And for roles holding combinations of permissions:
Operation | CREATE/SELECT role | CREATE/ALTER role | CREATE/MODIFY role | CREATE/ALTER/DROP role |
---|---|---|---|---|
Connection | T | T | T | T |
Select | T | F | F | F |
Schema change | F | F | F | T |
Add vertex | F | F | T | F |
Create/Drop vertex | F | F | F | F |
For internal (Cassandra password) or LDAP authentication, remote.yaml instead carries a real username and password:
```yaml
username: realuser
password: password
connectionPool: {enableSsl: false}
```
A password must be present for internal or LDAP authentication. This fragment leaves enableSsl false, so the password crosses the network in clear text; in production, enable client-to-node encryption as described above and set enableSsl: true. For LDAP, credentials_validity_in_ms is the critical setting in the dse.yaml file: setting it to 0 causes DSE to requery LDAP on every operation that requires authentication. The additional setting search_validity_in_seconds performs better when set to a higher value, such as 30 minutes (1800 seconds).
To secure DSE Graph in production, enable DataStax Enterprise with Kerberos authentication, LDAP authentication, or Cassandra authentication.
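Both remote.yaml variants on this page (Kerberos with null credentials and a jaasEntry, and internal/LDAP with a real password) have consistency rules that are easy to get wrong by hand. The following Python checker is added as an example and is not DataStax code: it parses the flat key: value subset of YAML that remote.yaml uses (no PyYAML dependency; it is not a general YAML parser, and a value containing # is cut off as a comment) and reports any setting that contradicts the rules above. The host name dse-node1.example.com and both sample files are constructed.

```python
"""Lint a Gremlin console remote.yaml for the two authentication setups
described on this page. Added example; not part of DSE or its documentation."""


def parse_scalar(text):
    """Convert the small set of YAML scalars remote.yaml uses:
    null, booleans, [flow lists], {flow mappings} and plain strings."""
    t = text.strip()
    if t in ("", "null", "~"):
        return None
    if t == "true":
        return True
    if t == "false":
        return False
    if t.startswith("[") and t.endswith("]"):
        inner = t[1:-1].strip()
        return [parse_scalar(item) for item in inner.split(",")] if inner else []
    if t.startswith("{") and t.endswith("}"):
        mapping = {}
        for item in t[1:-1].split(","):
            if item.strip():
                key, value = item.split(":", 1)
                mapping[key.strip()] = parse_scalar(value)
        return mapping
    return t


def parse_remote_yaml(text):
    """Parse flat 'key: value' lines; comments and blank lines are skipped.
    Deliberately minimal: remote.yaml has no nested block mappings."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # everything after '#' is a comment
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError("not a key: value line: %r" % (raw,))
        key, value = line.split(":", 1)
        config[key.strip()] = parse_scalar(value)
    return config


def check_remote_yaml(config):
    """Return a list of findings; an empty list means the file follows the
    rules for its authentication mode."""
    findings = []
    if not config.get("hosts"):
        findings.append("hosts is empty")

    if "jaasEntry" in config:
        # Kerberos: the JAAS entry supplies the credentials, so username and
        # password are null; protocol must match service_principal in dse.yaml.
        for key in ("username", "password"):
            if config.get(key) is not None:
                findings.append("%s should be null when jaasEntry (Kerberos) is used" % key)
        if not config.get("protocol"):
            findings.append("protocol is missing; it must match service_principal in dse.yaml")
    else:
        # Internal (Cassandra) or LDAP authentication: a real password is required.
        if not config.get("username"):
            findings.append("username is missing for internal/LDAP authentication")
        if not config.get("password"):
            findings.append("password must be present for internal/LDAP authentication")

    pool = config.get("connectionPool") or {}
    if pool.get("enableSsl") is not True:
        findings.append("connectionPool.enableSsl is not true: credentials and graph data travel unencrypted")
    return findings


# Constructed sample files mirroring the two variants on this page.
KERBEROS_REMOTE_YAML = """\
hosts: [dse-node1.example.com]
username: null
password: null
jaasEntry: DseClient
# protocol is the same as the service_principal set in dse.yaml
protocol: your_dse_principal
connectionPool: {enableSsl: true}
"""

PASSWORD_REMOTE_YAML = """\
hosts: [dse-node1.example.com]
username: realuser
password: password
connectionPool: {enableSsl: false}
"""


if __name__ == "__main__":
    for name, text in (("kerberos", KERBEROS_REMOTE_YAML), ("password", PASSWORD_REMOTE_YAML)):
        print(name, check_remote_yaml(parse_remote_yaml(text)) or ["ok"])
```

Run against the page's password example it reports exactly one finding, the unencrypted connection; against the Kerberos example it reports nothing. Point it at your own remote.yaml before handing the console to users.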
The location of cassandra.yaml depends on the type of installation:
Installation type | Location |
---|---|
Installer-Services | /etc/dse/cassandra/cassandra.yaml |
Package installations | /etc/dse/cassandra/cassandra.yaml |
Installer-No Services | install_location/resources/cassandra/conf/cassandra.yaml |
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |
The location of dse.yaml depends on the type of installation:
Installation type | Location |
---|---|
Installer-Services | /etc/dse/dse.yaml |
Package installations | /etc/dse/dse.yaml |
Installer-No Services | install_location/resources/dse/conf/dse.yaml |
Tarball installations | install_location/resources/dse/conf/dse.yaml |
The location of the Gremlin console remote.yaml depends on the type of installation:
Installation type | Location |
---|---|
Installer-Services | /etc/dse/graph/gremlin-console/conf/remote.yaml |
Package installations | /etc/dse/graph/gremlin-console/conf/remote.yaml |
Installer-No Services | install_location/resources/graph/gremlin-console/conf/remote.yaml |
Tarball installations | install_location/resources/graph/gremlin-console/conf/remote.yaml |