Authorize HCD client-tool and Spark
This document describes how to authorize HCD client tools and external Spark components to access the database with proper authentication and permissions. HCD is "bring your own Spark" - it does not include its own Spark distribution.
Prerequisites
- HCD cluster is running and accessible
- Authentication is enabled on the cluster
- User has administrative privileges to create roles and grant permissions
Create roles for client tools
Create specific roles for different client tools:
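-- Roles need LOGIN = true to authenticate; the default is false.
-- PASSWORD applies to internal authentication; '<strong-password>' is a placeholder.
-- Role for HCD client tools
CREATE ROLE hcd_client_tool WITH LOGIN = true AND PASSWORD = '<strong-password>';
-- Role for Spark applications
CREATE ROLE spark_app WITH LOGIN = true AND PASSWORD = '<strong-password>';
-- Role for external Spark applications
CREATE ROLE external_spark WITH LOGIN = true AND PASSWORD = '<strong-password>';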
Grant permissions
Grant appropriate permissions to each role:
-- Grant permissions to HCD client tool role
GRANT SELECT ON ALL KEYSPACES TO hcd_client_tool;
GRANT MODIFY ON ALL KEYSPACES TO hcd_client_tool;
-- Grant permissions to Spark application role
GRANT SELECT ON ALL KEYSPACES TO spark_app;
GRANT MODIFY ON ALL KEYSPACES TO spark_app;
GRANT CREATE ON ALL KEYSPACES TO spark_app;
-- Grant permissions to external Spark applications role
GRANT SELECT ON ALL KEYSPACES TO external_spark;
GRANT MODIFY ON ALL KEYSPACES TO external_spark;
GRANT CREATE ON ALL KEYSPACES TO external_spark;
GRANT DROP ON ALL KEYSPACES TO external_spark;
Configure authentication
Ensure that the client tools are configured to use the appropriate authentication method:
- Internal Authentication: Use username/password
- LDAP Authentication: Configure LDAP connection settings
- OIDC Authentication: Configure OIDC provider settings
Test authorization
Verify that the authorization is working correctly:
# Test connection with client tool role
# (omit -p to have cqlsh prompt for the password instead of exposing it on the command line)
cqlsh -u hcd_client_tool -p password
# Test Spark connection
# Use appropriate Spark configuration with authentication
Security considerations
- Use strong passwords for all roles.
- Regularly rotate credentials.
- Monitor access logs for suspicious activity.
- Grant only necessary permissions to each role.
- Consider using SSL/TLS for all connections.
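The grants shown under "Grant permissions" apply to ALL KEYSPACES; the following added example (not part of the HCD documentation) shows the same three roles scoped to only what they need. The keyspace and table names (app_data, spark_staging, events, daily_summary) are hypothetical and the access needs of each role are assumptions.

```cql
-- Added example. Keyspace and table names are hypothetical; substitute your own.

-- Client tool: assumed to need read-only access to one keyspace.
GRANT SELECT ON KEYSPACE app_data TO hcd_client_tool;

-- Spark application: assumed to read one source table and write one results table.
GRANT SELECT ON TABLE app_data.events TO spark_app;
GRANT MODIFY ON TABLE app_data.daily_summary TO spark_app;

-- External Spark: assumed to create, fill, and drop tables,
-- but only inside a dedicated staging keyspace.
GRANT CREATE ON KEYSPACE spark_staging TO external_spark;
GRANT SELECT ON KEYSPACE spark_staging TO external_spark;
GRANT MODIFY ON KEYSPACE spark_staging TO external_spark;
GRANT DROP   ON KEYSPACE spark_staging TO external_spark;

-- If the cluster-wide grants were already applied, remove them
-- so the scoped grants above are the only ones in effect.
REVOKE SELECT ON ALL KEYSPACES FROM hcd_client_tool;
REVOKE MODIFY ON ALL KEYSPACES FROM hcd_client_tool;
REVOKE SELECT ON ALL KEYSPACES FROM spark_app;
REVOKE MODIFY ON ALL KEYSPACES FROM spark_app;
REVOKE CREATE ON ALL KEYSPACES FROM spark_app;
REVOKE SELECT ON ALL KEYSPACES FROM external_spark;
REVOKE MODIFY ON ALL KEYSPACES FROM external_spark;
REVOKE CREATE ON ALL KEYSPACES FROM external_spark;
REVOKE DROP   ON ALL KEYSPACES FROM external_spark;

-- Review what each role can actually do after the change.
LIST ALL PERMISSIONS OF hcd_client_tool;
LIST ALL PERMISSIONS OF spark_app;
LIST ALL PERMISSIONS OF external_spark;
```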
Troubleshooting
The following are common issues that you may encounter:
- Authentication failures: Verify credentials and authentication configuration
- Permission denied errors: Check role permissions and ensure proper grants
- Connection timeouts: Verify network connectivity and firewall settings
Check the following logs for authentication and authorization issues:
- HCD system logs
- Authentication service logs
- Client tool logs