DSE Graph security checklist

DataStax Enterprise supports secure enterprise graph-database operations. DSE Graph data is completely or partially secured by using DataStax Enterprise security features:

  • Authentication:

    Allow only authenticated users to access DSE Graph data by enabling DSE Unified Authentication on the transactional database and configure credentials in the DSE Graph remote.yaml. See Using DSE Graph and Gremlin console with Kerberos.

    The location of the remote.yaml file depends on the type of installation:

    Package installations

    /etc/dse/graph/gremlin-console/conf/remote.yaml

    Tarball installations

    <installation_location>/resources/graph/gremlin-console/conf/remote.yaml

  • Authorization:

    Limit access to graph data by defining roles for DSE Graph keyspaces and tables. See Controlling access to DataStax Graph keyspaces.

    RBAC does not apply to cached data. Setting row-level permissions with row-level access control (RLAC) is not supported for use with DSE Search or DSE Graph.

    Grant execute permissions for the DseGraphRpc object to the defined roles.

  • Audit activity:

    Log and monitor activity for DSE Graph related database resources. See Setting up database auditing.

  • Transparent Data Encryption:

    Encrypt data in DSE Graph index tables. See Transparent data encryption

    Cached data is not encrypted. Encryption may slightly impact performance.

  • Encrypted database connections using SSL:

    Encrypt inflight DSE Graph data. Enable SSL client-to-node encryption on the DSE Graph node by setting the client_encryption_options in the cassandra.yaml file, see Client-to-node encryption.

    The location of the cassandra.yaml file depends on the type of installation:

Package installations

/etc/dse/cassandra/cassandra.yaml

Tarball installations

<installation_location>/resources/cassandra/conf/cassandra.yaml

To configure the Gremlin console to use SSL when SSL is enabled on the Gremlin Server, edit the connectionPool section of remote.yaml. See https:/docs.datastax.com/en/dse/6.8/dse-admin/datastax_enterprise/config/configRemoteYaml.html#configRemoteYaml__enableSslParameter[remote.yaml configuration file]. For related information, refer to the TinkerPop security documentation.

  • Graph sandbox:

    Enabled by default, the Graph sandbox can be configured to allow or disallow execution of Java packages, superclasses, and types. See https:/docs.datastax.com/en/dse/6.8/dse-admin/datastax_enterprise/graph/config/configGraphOverview.html#configGraphSecuritySettings__sandbox[Graph sandbox].

Restriction:

DSE has the following limitations with Graph authorization:

  • Limited, as Gremlin queries are not distinguished between query types like CQL.

  • Permissions are enforced on a per vertex label and registered through CQL at the table level, using individual permissions using CQL.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com