DataStax Enterprise supports secure enterprise graph-database operations. DSE Graph data is completely or partially secured by using DataStax Enterprise security features:
Allow only authenticated users to access DSE Graph data by enabling DSE Unified Authentication on the transactional database and configuring credentials in the DSE Graph remote.yaml. See Using DSE Graph and Gremlin console with Kerberos.
The location of the remote.yaml file depends on the type of installation:
Limit access to graph data by defining roles for DSE Graph keyspaces and tables. See Controlling access to DataStax Graph keyspaces.
RBAC does not apply to cached data. Setting row-level permissions with row-level access control (RLAC) is not supported for use with DSE Search or DSE Graph.
Grant execute permissions for the DseGraphRpc object to the defined roles.
Log and monitor activity for DSE Graph related database resources. See Setting up database auditing.
Transparent Data Encryption:
Encrypt data in DSE Graph index tables. See Transparent data encryption.
Cached data is not encrypted. Encryption may slightly impact performance.
Encrypted database connections using SSL:
Encrypt in-flight DSE Graph data. Enable SSL client-to-node encryption on the DSE Graph node by setting the client_encryption_options in the cassandra.yaml file; see Client-to-node encryption.
The location of the cassandra.yaml file depends on the type of installation:
To configure the Gremlin console to use SSL when SSL is enabled on the Gremlin Server, edit the
Enabled by default, the Graph sandbox can be configured to allow or disallow execution of Java packages, superclasses, and types. See Graph sandbox: https://docs.datastax.com/en/dse/6.8/dse-admin/datastax_enterprise/graph/config/configGraphOverview.html#configGraphSecuritySettings__sandbox
DSE has the following limitations with Graph authorization:
Limited, because Gremlin queries are not distinguished by query type the way CQL queries are.
Permissions are enforced per vertex label and registered through CQL at the table level, using individual CQL permissions.
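
For the client-to-node encryption step above, the following added example (not DataStax code) checks the client_encryption_options block of a cassandra.yaml for settings that leave in-flight graph traffic exposed. The sample fragment, the keystore path, and the function names read_block and audit are constructed for illustration.

```python
# Constructed sample cassandra.yaml fragment (values are illustrative only).
SAMPLE = """\
cluster_name: 'Test Cluster'
client_encryption_options:
    enabled: true
    # optional: true also accepts unencrypted clients
    optional: true
    keystore: /path/to/keystore.jks
    require_client_auth: false
native_transport_port: 9042
"""

def read_block(text, section="client_encryption_options"):
    """Collect the flat key/value pairs nested under one top-level section.

    Minimal reader for this block only; it is not a general YAML parser.
    """
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                  # top-level key starts/ends block
            inside = line.split(":", 1)[0] == section
        elif inside and ":" in line:
            key, value = line.strip().split(":", 1)
            opts[key.strip()] = value.strip().strip("'\"")
    return opts

def audit(opts):
    """Return findings for settings that leave in-flight traffic exposed."""
    def is_true(key):                              # unset keys default to false
        return opts.get(key, "false").lower() == "true"
    findings = []
    if not is_true("enabled"):
        findings.append("enabled: client-to-node traffic is not encrypted")
    if is_true("optional"):
        findings.append("optional: unencrypted connections are still accepted")
    if not is_true("require_client_auth"):
        findings.append("require_client_auth: client certificates are not required")
    return findings

if __name__ == "__main__":
    for finding in audit(read_block(SAMPLE)):
        print("WARN", finding)
```

An empty result from audit means encryption is enabled, mandatory, and paired with client certificate checks; the keystore and truststore contents themselves are not inspected.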