DataStax Enterprise supports secure enterprise graph-database operations. DSE Graph data is completely or partially secured by using DataStax Enterprise security features:
Allow only authenticated users to access DSE Graph data by enabling DSE Unified Authentication on the transactional database and configuring credentials in the DSE Graph remote.yaml, see Using DSE Graph and Gremlin console with Kerberos.
Limit access to graph data by defining roles for DSE Graph keyspaces and tables, see Managing access to DSE Graph keyspaces.
RBAC does not apply to cached data. Setting row-level permissions with row-level access control (RLAC) is not supported for use with DSE Search or DSE Graph.
Grant execute permissions for the DseGraphRpc object to the defined roles.
Log and monitor activity for DSE Graph related database resources, see Enabling data auditing in DataStax Enterprise.
Transparent Data Encryption:
Encrypt data in DSE Graph index tables, see Transparent data encryption.
Cached data is not encrypted. Encryption may slightly impact performance.
Encrypted database connections using SSL:
Encrypt in-flight DSE Graph data. Enable SSL client-to-node encryption on the DSE Graph node by setting the client_encryption_options in the cassandra.yaml file, see Client-to-node encryption.
To configure the Gremlin console to use SSL when SSL is enabled on the Gremlin Server, edit the connectionPool section of remote.yaml. See Configuring the Gremlin console for Gremlin Server in the remote.yaml file. For related information, refer to the TinkerPop security documentation.
Enabled by default, the Graph sandbox can be configured to allow or disallow execution of Java packages, superclasses, and types, see Graph sandbox.
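The SSL settings described above, as an added configuration sketch that is not taken from the DataStax documentation: it contrasts a weak client_encryption_options block with a corrected one, and shows the matching connectionPool switch in remote.yaml. Paths, passwords and the host name are placeholders, and only the keys relevant to SSL are shown.

```yaml
# cassandra.yaml on the DSE Graph node (constructed example values).

# Weak: TLS is offered but not required, so a client that connects
# without SSL is still accepted and its graph traffic travels in cleartext.
# client_encryption_options:
#     enabled: true
#     optional: true

# Corrected: every client connection must negotiate TLS.
client_encryption_options:
    enabled: true
    optional: false                      # refuse unencrypted client connections
    keystore: /path/to/node-keystore.jks             # placeholder path
    keystore_password: "<keystore-password>"         # placeholder
    require_client_auth: false           # set to true for mutual TLS, then also set:
    # truststore: /path/to/node-truststore.jks       # placeholder path
    # truststore_password: "<truststore-password>"   # placeholder
---
# remote.yaml for the Gremlin console (constructed example values).
# Leave the other keys in the shipped file (serializer and so on) as they are.
hosts: [dse-graph-node.example.com]      # placeholder host
port: 8182
connectionPool: {
  enableSsl: true                        # must match the SSL setting on the server
}
```

The trust material settings inside connectionPool differ between TinkerPop versions and are omitted here; take them from the remote.yaml reference for the installed release.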
DSE has the following limitations with Graph authorization:
Authorization is limited because Gremlin queries, unlike CQL queries, are not distinguished by query type.
Permissions are enforced per vertex label and are registered through CQL at the table level, using individual CQL permissions.