HCD security overview

HCD provides a comprehensive security framework designed for modern enterprise environments. This overview explains the security architecture and key features available in HCD 1.2.

Security architecture

HCD uses a modular security architecture with three main components:

  • AdvancedAuthenticator

  • AdvancedAuthorizer

  • AdvancedRoleManager

AdvancedAuthenticator

The AdvancedAuthenticator provides flexible authentication support for multiple authentication schemes:

  • Internal authentication: Traditional username/password stored in the database

  • LDAP authentication: Integration with Active Directory and other LDAP services

  • OpenID Connect (OIDC): Modern identity provider integration

The authenticator can configure multiple schemes simultaneously, enabling gradual migration or hybrid authentication strategies.

AdvancedAuthorizer

The AdvancedAuthorizer provides granular access control with:

  • Role-based access control (RBAC): Permissions granted to roles, which are assigned to users

  • Resource hierarchy: Permissions cascade from higher-level resources to lower-level resources

  • Permission inheritance: Roles can inherit permissions from other roles

AdvancedRoleManager

The AdvancedRoleManager handles role assignment and management:

  • Internal role management: Direct mapping of users to roles

  • LDAP role management: Automatic role assignment based on LDAP group membership

  • OIDC role management: Role assignment from JWT claims

Key security features

HCD provides four core security capabilities: authentication, authorization, encryption, and auditing.

Authentication

HCD supports multiple authentication schemes:

  • Multiple schemes: Support for internal, LDAP, and OIDC

  • Flexible configuration: Mix and match authentication schemes as needed

  • Enterprise integration: Seamless integration with existing identity systems

  • Modern standards: Support for OIDC and other modern authentication protocols

Authorization

HCD delivers granular access control:

  • Granular permissions: Control access at keyspace, table, and function levels

  • Role hierarchy: Create complex permission structures with role inheritance

  • Separation of duties: Create administrative roles with limited permissions

Encryption

HCD secures data through multiple encryption layers:

  • Client-to-node encryption: Secure connections between clients and database nodes

  • Node-to-node encryption: Secure internode communication

  • Transparent data encryption: Encrypt data at rest on disk

  • Key management: Support for KMIP and local key management

Auditing

HCD provides comprehensive audit capabilities:

  • Comprehensive logging: Track all database activities

  • Configurable categories: Choose which events to audit

  • Multiple outputs: Log to files or database tables

  • Compliance support: Meet regulatory requirements

Configuration overview

The following sections describe how to configure the security features.

cassandra.yaml configuration

The main security configuration resides in the cassandra.yaml file:

authenticator:
  class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
  parameters:
    enabled: true
    default_scheme: internal
    additional_schemes: oidc, ldap
    plain_text_without_ssl: warn

authorizer:
  class_name: com.datastax.cassandra.auth.AdvancedAuthorizer

role_manager:
  class_name: com.datastax.cassandra.auth.AdvancedRoleManager
  parameters:
    mode: internal

Authentication scheme configuration

Each authentication scheme requires specific configuration parameters:

Internal Authentication:

  • No additional configuration required

  • Users and passwords stored in the database

LDAP Authentication:

  • Server configuration (ldap_servers)

  • User search settings (ldap_user_search_filter, ldap_user_search_bases)

  • Group lookup configuration (ldap_group_search_* parameters)

  • Connection settings (ldap_connection_use_tls, ldap_connection_use_ssl)

OIDC Authentication:

  • Issuer URL (oidc_issuer)

  • Client configuration (oidc_accepted_audience)

  • JWT claim mapping (oidc_user_name_claim, oidc_user_roles_claims)

  • TLS settings (oidc_use_tls, oidc_truststore_path)

Encryption configuration

Client-to-Node Encryption:

client_encryption_options:
    enabled: true
    keystore: conf/.keystore
    keystore_password: cassandra
    require_client_auth: false

Node-to-Node Encryption:

server_encryption_options:
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    require_client_auth: false

Transparent Data Encryption:

transparent_data_encryption_options:
    enabled: true
    cipher: AES/CBC/PKCS5Padding
    key_alias: testing:1
    key_provider:
      - class_name: org.apache.cassandra.security.JKSKeyProvider
        parameters:
          - keystore: conf/.keystore
            keystore_password: cassandra
            store_type: JCEKS

Audit logging configuration

audit_logging_options:
    enabled: true
    logger:
      - class_name: BinAuditLogger
    included_categories: QUERY, DML, DDL, AUTH
    excluded_keyspaces: system, system_schema

Default security state

HCD 1.2 ships with the following default security configuration:

  • Authentication: Disabled (authenticator.parameters.enabled: false)

  • Authorization: Disabled (authorizer.parameters.enabled: false)

  • Client-to-node encryption: Disabled (client_encryption_options.enabled: false)

  • Node-to-node encryption: Disabled (server_encryption_options.internode_encryption: none)

  • Transparent data encryption: Disabled (transparent_data_encryption_options.enabled: false)

  • Audit logging: Disabled (audit_logging_options.enabled: false)
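As an added example (not code from the HCD documentation or the product), the following Python audits a cassandra.yaml that has already been loaded into nested dicts with a YAML parser against the settings shown in the configuration overview and the default security state above. The sample config is the page's own fragments; the finding wording, the check for the sample keystore password, and the assumption that `block` is the rejecting value for plain_text_without_ssl are this example's own.

```python
# Added example (not from the HCD documentation): audit a cassandra.yaml that has
# already been parsed into nested dicts/lists (e.g. by yaml.safe_load) against the
# settings this page describes. Key names come from the page; the finding texts and
# the sample-password check are this example's own assumptions.
SAMPLE_PASSWORD = "cassandra"  # keystore password used in the page's sample config
def _get(cfg, path):
    # Walk a dotted path through nested dicts; list items are addressed by index.
    node = cfg
    for key in path.split("."):
        if isinstance(node, list) and key.isdigit() and int(key) < len(node):
            node = node[int(key)]
        elif isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return None  # absent: treated as the HCD 1.2 default (disabled)
    return node
# (dotted path, acceptable value, finding reported when the value differs or is absent)
REQUIRED = [
    ("authenticator.parameters.enabled", True, "authentication disabled"),
    ("authorizer.parameters.enabled", True, "authorization disabled"),
    ("client_encryption_options.enabled", True, "client-to-node encryption disabled"),
    ("server_encryption_options.internode_encryption", "all", "internode encryption not 'all'"),
    ("server_encryption_options.require_client_auth", True, "internode TLS does not require peer certificates"),
    ("transparent_data_encryption_options.enabled", True, "transparent data encryption disabled"),
    ("audit_logging_options.enabled", True, "audit logging disabled"),
    # 'block' rejects plain-text credentials on non-TLS connections (assumed; the page shows 'warn')
    ("authenticator.parameters.plain_text_without_ssl", "block", "plain-text auth without TLS not blocked"),
]
PASSWORD_PATHS = ("client_encryption_options.keystore_password",
                  "server_encryption_options.keystore_password",
                  "transparent_data_encryption_options.key_provider.0.parameters.0.keystore_password")
def audit_security_config(cfg):
    """Return (setting, finding) pairs for settings that fall short of the page's best practices."""
    findings = [(p, msg) for p, wanted, msg in REQUIRED if _get(cfg, p) != wanted]
    findings += [(p, "keystore password is the documentation sample value")
                 for p in PASSWORD_PATHS if _get(cfg, p) == SAMPLE_PASSWORD]
    return findings
# Constructed sample: the page's own cassandra.yaml fragments as yaml.safe_load would return them.
PAGE_CONFIG = {
    "authenticator": {"parameters": {"enabled": True, "default_scheme": "internal",
                                     "additional_schemes": "oidc, ldap", "plain_text_without_ssl": "warn"}},
    "authorizer": {"class_name": "com.datastax.cassandra.auth.AdvancedAuthorizer"},
    "client_encryption_options": {"enabled": True, "keystore_password": "cassandra", "require_client_auth": False},
    "server_encryption_options": {"internode_encryption": "all", "keystore_password": "cassandra",
                                  "require_client_auth": False},
    "transparent_data_encryption_options": {"enabled": True, "key_alias": "testing:1", "key_provider": [
        {"class_name": "org.apache.cassandra.security.JKSKeyProvider",
         "parameters": [{"keystore": "conf/.keystore", "keystore_password": "cassandra", "store_type": "JCEKS"}]}]},
    "audit_logging_options": {"enabled": True, "logger": [{"class_name": "BinAuditLogger"}]},
}
```

Running audit_security_config(PAGE_CONFIG) reports six findings for the page's sample (authorizer not enabled, plain-text auth only warned about, internode TLS without peer certificate verification, and the sample keystore password in three places); an empty config reports all eight defaults as disabled.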

Migration from previous versions

If you migrate from a previous version of HCD, the following changes may affect your configuration:

Authentication changes

  • AdvancedAuthenticator: Replaces the previous HCD Authenticator

  • OIDC Support: New authentication scheme for modern identity providers

  • Simplified Configuration: More straightforward configuration structure

  • Enhanced Flexibility: Better support for multiple authentication schemes

Authorization changes

  • AdvancedAuthorizer: Replaces the previous HCD Authorizer

  • Improved Performance: Better caching and performance optimizations

  • Enhanced Features: More granular permission controls

Configuration changes

  • Unified Configuration: All authentication settings in cassandra.yaml

  • Simplified Structure: Cleaner, more maintainable configuration

  • Better Documentation: Comprehensive configuration examples

Best practices

Follow these best practices for HCD security:

Authentication

  • Enable authentication on all nodes.

  • Use strong passwords for internal authentication.

  • Configure LDAP or OIDC for enterprise integration.

  • Implement proper certificate management for OIDC.

  • Conduct regular security assessments.

Authorization

  • Follow the principle of least privilege.

  • Create specific roles for different user types.

  • Use role inheritance to simplify management.

  • Regularly review and update permissions.

  • Implement separation of duties.

Encryption

  • Enable encryption for all connections.

  • Use strong cipher suites.

  • Implement proper key management.

  • Rotate keys regularly.

  • Monitor encryption performance.

Monitoring

  • Enable comprehensive audit logging.

  • Monitor authentication events.

  • Track permission changes.

  • Implement alerting for security events.

  • Conduct regular security reviews.

Next steps

To get started with HCD security:

For specific authentication schemes:
