Securing DSE Search

DSE Search data is completely or partially secured by using DataStax Enterprise security features.

DataStax Enterprise supports secure enterprise search using Apache Solr and Lucene. The security table summarizes the security features of DSE Search and the other integrated components. The following DataStax Enterprise security features apply to DSE Search data:

  • Object permission management

    Limit access to Solr documents, excluding cached data, to roles that have been granted access permissions. Permission management also secures tables that are used to store Solr data.

  • Transparent data encryption

    Data at rest in Cassandra tables can be encrypted, including DSE Search index encryption. Cached data is not encrypted. Encryption occurs on the Cassandra side and impacts performance slightly.

  • Client-to-node encryption

    Enable SSL to securely configure DSE. You can use SSL to encrypt HTTP access to Solr data and client-to-node encryption on the DSE Search node.

      • Enable SSL client-to-node encryption on the DSE Search node by setting client_encryption_options in the cassandra.yaml file.
      • Install JCE to ensure support for all encryption algorithms.

        Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. To ensure support for all encryption algorithms, install the JCE Unlimited Strength Jurisdiction Policy Files.

      • To satisfy specific security requirements with SSL, you can change the IP address for client connections to DSE Search, for example to isolate a subnet.

  • Use Kerberos authentication for DSE Search in production.

    You can authenticate DSE Search users through Kerberos authentication using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). To use the SolrJ API against DSE Search clusters with Kerberos authentication, client applications should use the SolrJ-Auth library and the DataStax Enterprise SolrJ component as described in the solrj-auth-README.md file.

  • Cassandra password authentication or DataStax Enterprise LDAP authentication

    Although you can use HTTP Basic Authentication, it is not recommended for production.

    When you use internal Cassandra password authentication, client applications must use HTTP Basic Authentication to provide credentials to Solr services. Because HTTP Basic Authentication is stateless, the authenticator can have a significant performance impact: the authentication process must be executed on each HTTP request. For this reason, DataStax does not recommend using internal authentication on DSE Search clusters in production. To secure DSE Search in production, enable Kerberos authentication in DataStax Enterprise, or search using CQL instead.
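The settings listed above all live in cassandra.yaml, so a practitioner typically wants a quick way to spot a node that still accepts anonymous Solr HTTP requests or serves them in cleartext. The following is an added example, not DataStax code: it parses the small `key: value` subset of cassandra.yaml that these options use (it is not a general YAML parser) and reports the weak settings. The two fragments are constructed for the example; the authenticator class names are the ones quoted in this page's own cassandra.yaml snippet, and the keystore path and password in the hardened fragment are placeholders.

```python
"""Audit the DSE Search security settings in a cassandra.yaml fragment.

Added example, not DataStax code. Handles only top-level and one-level
nested 'key: value' pairs plus flow-style lists ([a, b]), which is all
the authenticator and client_encryption_options settings need.
"""

# Constructed sample of a node left at shipped defaults (not a real node's file).
WEAK_FRAGMENT = """\
authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
#authenticator: com.datastax.bdp.cassandra.auth.PasswordAuthenticator
client_encryption_options:
    enabled: false
    keystore: conf/.keystore
    keystore_password: cassandra
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
"""

# Constructed hardened counterpart; path and password are placeholders.
HARDENED_FRAGMENT = """\
authenticator: org.apache.cassandra.auth.DseAuthenticator
client_encryption_options:
    enabled: true
    keystore: /etc/dse/keystore.jks
    keystore_password: REPLACE_WITH_STRONG_PASSWORD
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
"""


def _coerce(value):
    """Turn a scalar or flow-style list into a Python value."""
    if value.startswith("[") and value.endswith("]"):
        return [v.strip() for v in value[1:-1].split(",") if v.strip()]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def parse_yaml_subset(text):
    """Parse 'key: value' lines; indented lines belong to the preceding mapping."""
    root, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blanks
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value == "":                        # start of a nested mapping
                root[key] = {}
                current = root[key]
            else:
                root[key] = _coerce(value)
                current = None
        elif current is not None:
            current[key] = _coerce(value)
        else:
            raise ValueError("unexpected indentation: %r" % raw)
    return root


def audit(config):
    """Return (severity, message) findings for the settings this page discusses."""
    findings = []
    auth = str(config.get("authenticator", "AllowAllAuthenticator"))
    if auth.endswith("AllowAllAuthenticator"):
        findings.append(("weak", "authenticator is AllowAllAuthenticator: "
                         "Solr HTTP endpoints accept unauthenticated requests"))
    enc = config.get("client_encryption_options", {})
    if enc.get("enabled") is not True:
        findings.append(("weak", "client_encryption_options.enabled is not true: "
                         "HTTP access to Solr data is cleartext"))
    if enc.get("keystore_password") == "cassandra":
        findings.append(("weak", "client_encryption_options.keystore_password "
                         "is the shipped default 'cassandra'"))
    aes256 = [s for s in enc.get("cipher_suites", []) if "AES_256" in s]
    if aes256:
        findings.append(("note", "cipher_suites %s require the JCE Unlimited "
                         "Strength Jurisdiction Policy Files" % ", ".join(aes256)))
    return findings


if __name__ == "__main__":
    for name, fragment in (("weak", WEAK_FRAGMENT), ("hardened", HARDENED_FRAGMENT)):
        print(name)
        for severity, message in audit(parse_yaml_subset(fragment)) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

Run against a real node, feed it the contents of the cassandra.yaml at the location given for your installation type; the parser deliberately raises on indentation it does not understand rather than silently skipping a setting.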

The location of the cassandra.yaml file depends on the type of installation:

  • Installer-Services: /etc/dse/cassandra/cassandra.yaml
  • Package installations: /etc/dse/cassandra/cassandra.yaml
  • Installer-No Services: install_location/resources/cassandra/conf/cassandra.yaml
  • Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

The location of the dse.yaml file depends on the type of installation:

  • Installer-Services: /etc/dse/dse.yaml
  • Package installations: /etc/dse/dse.yaml
  • Installer-No Services: install_location/resources/dse/conf/dse.yaml
  • Tarball installations: install_location/resources/dse/conf/dse.yaml

The default location of the Tomcat server.xml file is the same for all installation types:

  • Installer-Services and Package installations: /etc/dse/resources/tomcat/conf/server.xml
  • Installer-No Services and Tarball installations: /etc/dse/tomcat/conf/server.xml

Note: Security configuration on a DSE Search node is automatic and internal. Additional configuration is not required for Tomcat and Solr. Change your web.xml or server.xml files only for custom advanced setups.

To configure DSE Search to use Cassandra internal authentication:

  1. To enable HTTP Basic authentication for Solr, uncomment and replace PasswordAuthenticator with DseAuthenticator in cassandra.yaml.
    #authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
    authenticator: org.apache.cassandra.auth.DseAuthenticator
    #authenticator: com.datastax.bdp.cassandra.auth.PasswordAuthenticator
    #authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
  2. Configure the replication strategy for the system_auth keyspace.
  3. Start the server.
  4. In a web browser, go to the service web page. For example, assuming you ran the Wikipedia demo, go to http://localhost:8983/demos/wikipedia/.

    When prompted, provide the Cassandra role and password.
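The procedure above ends with the browser prompting for a Cassandra role and password on every visit, which is the stateless behaviour the production warning earlier refers to: the credentials ride in an Authorization header and the authenticator runs on each request. The following added example (not DataStax code) makes that visible with a minimal stand-in for an authenticated Solr HTTP endpoint on loopback and a urllib client that issues several requests; it counts how many times the credential check runs. The role name, password, port and request path are constructed for the example and are not the demo's real values.

```python
"""Show that HTTP Basic authentication is re-evaluated on every request.

Added example, not DataStax code. The handler below stands in for a DSE Search
node that enforces Cassandra internal authentication over HTTP; a real node
checks the role against system_auth rather than a dictionary.
"""
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed credential store for the example only.
ROLES = {"search_reader": "example-password"}
QUERY_PATH = "/solr/demo.wiki/select?q=*:*"   # constructed request path


class BasicAuthHandler(BaseHTTPRequestHandler):
    auth_checks = 0   # how many times the credential check has run

    def do_GET(self):
        type(self).auth_checks += 1            # no session: check every request
        if not self._credentials_valid():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="DSE Search"')
            self.end_headers()
            return
        body = b'{"responseHeader":{"status":0},"response":{"numFound":0}}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _credentials_valid(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            return False
        user, sep, password = decoded.partition(":")
        expected = ROLES.get(user)
        # Constant-time comparison so timing does not reveal which part failed.
        return bool(sep) and expected is not None and hmac.compare_digest(password, expected)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def solr_get(base_url, path, user=None, password=None):
    """Issue one GET, attaching Basic credentials when given; return the status."""
    req = request.Request(base_url + path)
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
        req.add_header("Authorization", "Basic " + token)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def run_demo(n_requests=3):
    """Anonymous and wrong-password requests are refused; each valid one is re-checked."""
    server = start_server()
    BasicAuthHandler.auth_checks = 0
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        anonymous = solr_get(base, QUERY_PATH)
        wrong = solr_get(base, QUERY_PATH, "search_reader", "not-the-password")
        authenticated = [solr_get(base, QUERY_PATH, "search_reader", "example-password")
                         for _ in range(n_requests)]
    finally:
        server.shutdown()
        server.server_close()
    return {"anonymous": anonymous, "wrong_password": wrong,
            "authenticated": authenticated, "auth_checks": BasicAuthHandler.auth_checks}


if __name__ == "__main__":
    print(run_demo())
```

Every request, including the repeated valid ones, increments the counter, which is exactly the per-request cost the page warns about; with Kerberos/SPNEGO or CQL-based search that cost is not paid on each HTTP request in the same way.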