DataStax Enterprise 6.8 Security Guide
Securing schema information

Schema information and the corresponding operational information are stored in the system and system_schema keyspaces. By default, when DSE Unified Authentication is enabled, roles are granted full access to some of these tables (listed below). To limit which rows in these tables a role can display, enable system_keyspaces_filtering and grant DESCRIBE permission on the keyspaces the role should see. When a role queries a table in the system or system_schema keyspaces with filtering enabled, the query returns only the rows that belong to keyspaces on which the role holds DESCRIBE permission.

System and schema keyspace filtering does not apply to superusers. Superuser roles have access to all resources except those to which access is denied by a RESTRICT statement.

When system keyspace filtering is disabled, all users have the following access:

Keyspace         Table                      Default access
---------------  -------------------------  --------------
system           local                      FULL (see note below)
system           peers                      FULL (see note below)
system           size_estimates             Full
system           available_ranges           Full
system           sstable_activity           NONE
system           IndexInfo                  NONE
system           built_views                NONE
system           views_builds_in_progress   NONE
system           batches                    NONE
system           paxos                      NONE
system           peer_events                NONE
system           range_xfers                NONE
system           compaction_history         NONE
system           transferred_ranges         NONE
system           prepared_statements        NONE
system           repairs                    NONE
system           nodesync_checkpoints       NONE
system_schema    aggregates                 Full
system_schema    columns                    Full
system_schema    dropped_columns            Full
system_schema    hidden_columns             Full
system_schema    edges (Graph)              Full
system_schema    functions                  Full
system_schema    indexes                    Full
system_schema    keyspaces                  Full
system_schema    tables                     Full
system_schema    triggers                   Full
system_schema    types                      Full
system_schema    vertices (Graph)           Full
system_schema    views                      Full

Note: All roles have full access to the system.local and system.peers tables even when filtering is enabled.

By default, roles do NOT have access to data in the system_auth, system_traces, and system_distributed keyspaces. To allow access, grant SELECT permission on the specific keyspace or table.

Example

The following uses an internal non-superuser account, martin.

  1. Create internal login role using cqlsh:

    CREATE ROLE martin WITH LOGIN = true AND PASSWORD = 'password';
  2. Log in as martin:

    LOGIN martin
  3. Count the number of tables in system_schema.tables that martin can list:

    SELECT count(*) FROM system_schema.tables;

    The result is the number of tables that exist cluster-wide, because filtering is not yet enabled.

     count
    -------
        75
    
    (1 rows)
  4. Set system_keyspaces_filtering to true in dse.yaml on every node and restart the nodes.

  5. Log in to cqlsh as martin:

    cqlsh -u martin -p password
  6. Count the number of tables in system_schema.tables that martin can list:

    SELECT keyspace_name, count(*) AS tables
    FROM system_schema.tables
    GROUP BY keyspace_name;

    Assuming martin is not a superuser and does not have DESCRIBE permission on any other keyspace, the account can list only 18 tables: those in system_schema and system.

     keyspace_name | tables
    ---------------+--------
     system_schema |     10
            system |      8
    
    (2 rows)
  7. To allow martin to see detailed information about cycling tables, grant DESCRIBE access on the cycling keyspace:

    GRANT DESCRIBE ON KEYSPACE cycling TO martin;
  8. Log in as martin again so the new permission takes effect:

    LOGIN martin
  9. Verify that martin can see the tables in the cycling keyspace:

    SELECT keyspace_name, count(*) AS tables
    FROM system_schema.tables
    GROUP BY keyspace_name;

    The results show the number of tables that martin is able to list in each keyspace.

     keyspace_name | tables
    ---------------+--------
           cycling |     25
     system_schema |     10
            system |      8
    
    (3 rows)
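The following CQL is an added verification block, not part of the original DataStax page. Run as a superuser in cqlsh, it confirms the state the example above produces: that martin is not a superuser (filtering does not apply to superusers), which permissions martin actually holds after the GRANT, and how the keyspaces that are closed by default (system_traces here) are opened with a narrowly scoped SELECT. The role and keyspace names are the page's own; the output of each statement is not shown.

```sql
-- Added example: run as an administrator (superuser), not as martin.
-- Role name 'martin' and keyspace 'cycling' come from the example above.

-- 1. Confirm the test role is not a superuser; system keyspace filtering
--    is bypassed entirely for superuser roles.
SELECT role, is_superuser, can_login
FROM system_auth.roles
WHERE role = 'martin';

-- 2. Review every permission martin holds. After the example's GRANT,
--    DESCRIBE on <keyspace cycling> should be the only entry that
--    widens schema visibility.
LIST ALL PERMISSIONS OF martin;

-- 3. Schema visibility is controlled by DESCRIBE alone; do not grant
--    broader rights (SELECT, MODIFY) just to make tables appear in
--    system_schema. Withdraw visibility when it is no longer needed:
REVOKE DESCRIBE ON KEYSPACE cycling FROM martin;

-- 4. system_auth, system_traces and system_distributed are closed to
--    roles by default. Grant SELECT only on the keyspace (or single
--    table) a role must read, never FULL access.
GRANT SELECT ON KEYSPACE system_traces TO martin;

-- 5. Re-check the effective grants after the changes.
LIST ALL PERMISSIONS OF martin;
```

After step 3, a fresh login as martin followed by the GROUP BY query from the example should again return only the system_schema and system rows, which is the quickest way to confirm that the filtering applies to revoked permissions as well as granted ones.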