HCD security overview
HCD provides a comprehensive security framework designed for modern enterprise environments. This overview explains the security architecture and key features available in HCD 1.2.
Security architecture
HCD uses a modular security architecture with three main components:
AdvancedAuthenticator
The AdvancedAuthenticator supports several authentication schemes:
- Internal authentication: Traditional username/password, with the credentials stored (as password hashes) in the database
- LDAP authentication: Integration with Active Directory and other LDAP directories
- OpenID Connect (OIDC): Token-based integration with a modern identity provider
The authenticator can be configured to use several schemes at once, which allows a gradual migration or a hybrid authentication strategy.
AdvancedAuthorizer
The AdvancedAuthorizer provides granular access control with:
- Role-based access control (RBAC): Permissions are granted to roles, and roles are assigned to users
- Resource hierarchy: Permissions cascade from higher-level resources (for example a keyspace) to the resources beneath them (its tables)
- Permission inheritance: Roles can inherit permissions from other roles
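The three rules above (grants attach to roles, grants cascade down the resource hierarchy, roles inherit from roles granted to them) determine what a user can actually do. The following is an added example, not HCD code, that resolves a role's effective permissions under those rules; the role names, resource paths and grants are constructed for the demonstration.

```python
# Added example (not HCD code): resolves the permissions a role effectively
# holds on a resource, modelling the rules above: permissions cascade down
# the resource hierarchy, and roles inherit from the roles granted to them.
# Role names, resource paths and grants below are constructed for the demo.
from collections import deque


# Resource paths follow the data -> keyspace -> table shape of CQL resources.
def resource_chain(resource):
    """Return the resource and its ancestors, most specific first.
    'data/app/orders' -> ['data/app/orders', 'data/app', 'data']"""
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def effective_roles(role, role_parents):
    """Every role reachable by inheritance from `role`, including itself.
    Breadth-first with a visited set, so cyclic grants cannot loop forever."""
    seen = {role}
    queue = deque([role])
    while queue:
        for parent in role_parents.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def effective_permissions(role, resource, role_parents, grants):
    """Union of the grants held by any inherited role on the resource or any
    of its ancestors (keyspace-level SELECT covers every table in it)."""
    perms = set()
    for r in effective_roles(role, role_parents):
        for res in resource_chain(resource):
            perms |= grants.get((r, res), set())
    return perms


def is_authorized(role, permission, resource, role_parents, grants):
    return permission in effective_permissions(role, resource, role_parents, grants)


# Constructed sample. ROLE_PARENTS[r] = roles granted to r (GRANT parent TO r).
ROLE_PARENTS = {
    "alice": {"app_reader"},
    "bob": {"app_writer"},
    "app_writer": {"app_reader"},
    "app_reader": {"base_user"},
}
# GRANTS[(role, resource)] = permissions granted directly on that resource.
GRANTS = {
    ("base_user", "data/app/public"): {"SELECT"},
    ("app_reader", "data/app"): {"SELECT"},          # keyspace-level grant
    ("app_writer", "data/app/orders"): {"MODIFY"},   # table-level grant only
    ("sec_admin", "data"): {"AUTHORIZE"},            # can grant, cannot read
}


def check(role, permission, resource):
    return is_authorized(role, permission, resource, ROLE_PARENTS, GRANTS)


if __name__ == "__main__":
    for query in [("alice", "SELECT", "data/app/orders"),
                  ("bob", "MODIFY", "data/app/customers"),
                  ("sec_admin", "SELECT", "data/app/orders")]:
        print(query, check(*query))
```

The sample grants correspond to statements such as GRANT SELECT ON KEYSPACE app TO app_reader and GRANT app_reader TO alice. Note the two outcomes that matter for least privilege: bob's table-level MODIFY on app.orders does not reach app.customers, and sec_admin, a separation-of-duties role, can hand out permissions on everything under data without being able to read any of it.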
AdvancedRoleManager
The AdvancedRoleManager handles role assignment and management:
- Internal role management: Direct mapping of users to roles
- LDAP role management: Automatic role assignment based on LDAP group membership
- OIDC role management: Role assignment from JWT claims
Key security features
Authentication
- Multiple authentication schemes: Support for internal, LDAP, and OIDC
- Flexible configuration: Mix and match authentication schemes as needed
- Enterprise integration: Integration with existing identity systems
- Modern standards: Support for OIDC and other modern authentication protocols
Authorization
- Granular permissions: Control access at keyspace, table, and function levels
- Role hierarchy: Create complex permission structures with role inheritance
- Separation of duties: Create administrative roles with limited permissions
Encryption
- Client-to-node encryption: Secure connections between clients and database nodes
- Node-to-node encryption: Secure internode communication
- Transparent data encryption: Encrypt data at rest on disk
- Key management: Support for KMIP and local key management
Auditing
- Comprehensive logging: Record database activity as audit events
- Configurable categories: Choose which event categories to audit
- Multiple outputs: Log to files or database tables
- Compliance support: Meet regulatory requirements
Configuration overview
cassandra.yaml configuration
The main security configuration is in the cassandra.yaml file:
authenticator:
  class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
  parameters:
    enabled: true
    default_scheme: internal
    additional_schemes: oidc, ldap
    plain_text_without_ssl: warn
authorizer:
  class_name: com.datastax.cassandra.auth.AdvancedAuthorizer
role_manager:
  class_name: com.datastax.cassandra.auth.AdvancedRoleManager
  parameters:
    mode: internal
default_scheme is the scheme used by default and additional_schemes lists the other schemes that are also accepted. plain_text_without_ssl controls what happens when a client sends a plaintext password over a connection that is not protected by client-to-node encryption: warn logs a warning and accepts the login, block rejects it. Once client-to-node encryption is enabled, set it to block so that credentials can never cross the network in the clear.
Authentication scheme configuration
Each authentication scheme has its own configuration parameters:
Internal Authentication:
- No additional configuration required
- Users and passwords stored in the database
LDAP Authentication:
- Server configuration (ldap_servers)
- User search settings (ldap_user_search_filter, ldap_user_search_bases)
- Group lookup configuration (ldap_group_search_* parameters)
- Connection settings (ldap_connection_use_tls, ldap_connection_use_ssl)
Enable ldap_connection_use_tls or ldap_connection_use_ssl: an LDAP simple bind sends the user's password to the directory, and without TLS it crosses the network in the clear.
OIDC Authentication:
- Issuer URL (oidc_issuer)
- Client configuration (oidc_accepted_audience)
- JWT claim mapping (oidc_user_name_claim, oidc_user_roles_claims)
- TLS settings (oidc_use_tls, oidc_truststore_path)
oidc_accepted_audience should match the audience the identity provider places in tokens it issues for HCD, so that a token minted for another application is not accepted. oidc_truststore_path should contain the CA that signs the issuer's TLS certificate, so that issuer metadata and signing keys are only ever fetched over a verified connection.
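What the OIDC scheme has to do with a presented token follows from the parameters above: check the signature, the issuer and the audience, reject expired tokens, then read the user name and role claims. The block below is an added example, not HCD code, that performs those steps. It signs with HS256 and a shared secret so it runs offline (a real deployment verifies the issuer's RS256/ES256 signature against the keys published at the issuer URL); the issuer, audience, claim names, secret and tokens are all constructed for the demonstration.

```python
# Added example (not HCD code): validates a JWT and maps its claims to a user
# name and role set the way the oidc_* parameters describe. HS256 with a
# shared secret keeps the example offline; a real deployment verifies the
# issuer's asymmetric signature. Issuer, audience, claim names, secret and
# tokens are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

OIDC_ISSUER = "https://idp.example.com/realms/hcd"  # oidc_issuer (assumed)
OIDC_ACCEPTED_AUDIENCE = "hcd-cluster"               # oidc_accepted_audience (assumed)
OIDC_USER_NAME_CLAIM = "preferred_username"          # oidc_user_name_claim (assumed)
OIDC_USER_ROLES_CLAIMS = ["roles", "groups"]         # oidc_user_roles_claims (assumed)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWS. `alg` is a parameter only so a forged alg=none
    token can be built for the negative test."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = b""
    if alg == "HS256":
        sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class TokenRejected(Exception):
    pass


def verify_and_map(token: str, secret: bytes, now: float = None):
    """Return (user_name, roles) or raise TokenRejected with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header: this blocks alg=none
    # and HMAC/RSA key-confusion tricks.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != OIDC_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud", [])
    if OIDC_ACCEPTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("expired")
    user = claims.get(OIDC_USER_NAME_CLAIM)
    if not user:
        raise TokenRejected("missing user name claim")
    roles = set()
    for name in OIDC_USER_ROLES_CLAIMS:   # every listed claim contributes roles
        value = claims.get(name, [])
        roles.update(value if isinstance(value, list) else [value])
    return user, roles


def rejection_reason(token: str, secret: bytes, now: float):
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        verify_and_map(token, secret, now)
        return None
    except TokenRejected as exc:
        return str(exc)


# Constructed demo secret and claims.
SECRET = b"demo-shared-secret-not-for-production"
GOOD_CLAIMS = {"iss": OIDC_ISSUER, "aud": [OIDC_ACCEPTED_AUDIENCE, "billing-api"],
               "sub": "u-123", "preferred_username": "alice",
               "roles": ["app_reader"], "groups": "analysts",
               "iat": 1700000000, "exp": 1700003600}


def good_token():
    return sign_hs256(GOOD_CLAIMS, SECRET)


def forged_alg_none_token():
    return sign_hs256(dict(GOOD_CLAIMS, roles=["superuser"]), SECRET, alg="none")


def foreign_audience_token():
    return sign_hs256(dict(GOOD_CLAIMS, aud="billing-api"), SECRET)
```

The order of the checks is deliberate: the signature is verified before any claim is read, so an attacker cannot steer the validator with unsigned issuer or audience values, and the algorithm is pinned in code rather than taken from the token header.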
Encryption configuration
Client-to-Node Encryption:
client_encryption_options:
  enabled: true
  keystore: conf/.keystore
  keystore_password: cassandra
  require_client_auth: false
Node-to-Node Encryption:
server_encryption_options:
  internode_encryption: all
  keystore: conf/.keystore
  keystore_password: cassandra
  require_client_auth: false
Transparent Data Encryption:
transparent_data_encryption_options:
  enabled: true
  cipher: AES/CBC/PKCS5Padding
  key_alias: testing:1
  key_provider:
    - class_name: org.apache.cassandra.security.JKSKeyProvider
      parameters:
        - keystore: conf/.keystore
          keystore_password: cassandra
          store_type: JCEKS
The keystore path, keystore_password: cassandra and key_alias: testing:1 shown here are placeholder values: use a keystore and key alias of your own, replace the password, and restrict the keystore files to the database service account. require_client_auth: false means the peer is not asked for a certificate; set it to true for internode connections so that only hosts holding a certificate from your CA can join the cluster, and for client connections wherever mutual TLS is required.
Audit logging configuration
audit_logging_options:
  enabled: true
  logger:
    - class_name: BinAuditLogger
  included_categories: QUERY, DML, DDL, AUTH
  excluded_keyspaces: system, system_schema
AUTH records logins and login failures; DDL and DML record schema and data changes. GRANT, REVOKE and role changes fall under the DCL category, so add DCL to included_categories if you need to track permission changes. QUERY and DML log every statement, so size the log destination accordingly.
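Audit events are only useful if something reads them, which is what the monitoring guidance later on this page asks for. The following is an added example, not HCD code, of detection logic over audit log lines: it flags repeated login failures from one source, a successful login that follows such a burst, and permission changes issued by an account that is not expected to administer roles. The sample lines are constructed in the pipe-delimited key:value layout used by Cassandra's file audit logger; the field values, threshold, window and admin allowlist are assumptions.

```python
# Added example (not HCD code): detection rules over audit log lines. The
# sample lines are constructed in the pipe-delimited key:value layout of
# Cassandra's file audit logger; values, threshold and allowlist are assumed.
from collections import defaultdict

FAIL_THRESHOLD = 3           # LOGIN_ERROR events from one source within the window
WINDOW_MS = 60_000           # one minute
ROLE_ADMINS = {"sec_admin"}  # accounts expected to issue GRANT/REVOKE/ALTER ROLE

HOST = "host:node1/10.0.0.11:7000"
SAMPLE_AUDIT_LINES = [
    f"user:alice|{HOST}|source:/10.0.0.50|port:51001|timestamp:1700000000000|type:LOGIN_SUCCESS|category:AUTH|operation:LOGIN SUCCESSFUL",
    f"user:alice|{HOST}|source:/10.0.0.50|port:51001|timestamp:1700000001000|type:SELECT|category:QUERY|operation:SELECT * FROM app.orders LIMIT 10",
    f"user:cassandra|{HOST}|source:/10.0.0.99|port:40001|timestamp:1700000010000|type:LOGIN_ERROR|category:AUTH|operation:LOGIN ERROR",
    f"user:cassandra|{HOST}|source:/10.0.0.99|port:40002|timestamp:1700000020000|type:LOGIN_ERROR|category:AUTH|operation:LOGIN ERROR",
    f"user:cassandra|{HOST}|source:/10.0.0.99|port:40003|timestamp:1700000030000|type:LOGIN_ERROR|category:AUTH|operation:LOGIN ERROR",
    f"user:cassandra|{HOST}|source:/10.0.0.99|port:40004|timestamp:1700000040000|type:LOGIN_ERROR|category:AUTH|operation:LOGIN ERROR",
    f"user:cassandra|{HOST}|source:/10.0.0.99|port:40005|timestamp:1700000050000|type:LOGIN_SUCCESS|category:AUTH|operation:LOGIN SUCCESSFUL",
    f"user:bob|{HOST}|source:/10.0.0.50|port:51002|timestamp:1700000060000|type:GRANT|category:DCL|operation:GRANT MODIFY ON KEYSPACE app TO bob_friend",
    f"user:sec_admin|{HOST}|source:/10.0.0.10|port:51003|timestamp:1700000070000|type:GRANT|category:DCL|operation:GRANT SELECT ON KEYSPACE app TO app_reader",
]


def parse_audit_line(line):
    """Split 'key:value|key:value|...' into a dict. Only the first colon of
    each field separates key from value, so host keeps its ':port' suffix."""
    rec = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition(":")
        rec[key] = value
    rec["timestamp"] = int(rec["timestamp"])
    return rec


def detect(lines):
    """Return a list of (rule, subject, detail) alerts in log order."""
    alerts = []
    failures = defaultdict(list)  # source address -> recent LOGIN_ERROR timestamps
    for rec in map(parse_audit_line, lines):
        if rec["category"] == "AUTH":
            src, ts = rec["source"], rec["timestamp"]
            if rec["type"] == "LOGIN_ERROR":
                recent = [t for t in failures[src] if ts - t <= WINDOW_MS] + [ts]
                failures[src] = recent
                if len(recent) == FAIL_THRESHOLD:   # fire once per burst
                    alerts.append(("brute_force", src, rec["user"]))
            elif rec["type"] == "LOGIN_SUCCESS" and len(failures[src]) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", src, rec["user"]))
                failures[src].clear()
        elif rec["category"] == "DCL" and rec["user"] not in ROLE_ADMINS:
            alerts.append(("unexpected_dcl", rec["user"], rec["operation"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LINES):
        print(alert)
```

The third rule only works if DCL is among the audited categories; with the included_categories shown above, GRANT and REVOKE statements would never reach the log.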
Default security state
By default, HCD 1.2 has the following security configuration:
- Authentication: Disabled (authenticator.parameters.enabled: false)
- Authorization: Disabled (authorizer.parameters.enabled: false)
- Client-to-node encryption: Disabled (client_encryption_options.enabled: false)
- Node-to-node encryption: Disabled (server_encryption_options.internode_encryption: none)
- Transparent data encryption: Disabled (transparent_data_encryption_options.enabled: false)
- Audit logging: Disabled (audit_logging_options.enabled: false)
Migration from Previous Versions
If you're migrating from a previous version of Hyper-Converged Database (HCD):
Authentication Changes
- AdvancedAuthenticator: Replaces the previous HCD Authenticator
- OIDC Support: New authentication scheme for modern identity providers
- Simplified Configuration: More straightforward configuration structure
- Enhanced Flexibility: Better support for multiple authentication schemes
Authorization Changes
- AdvancedAuthorizer: Replaces the previous HCD Authorizer
- Improved Performance: Better caching and performance optimizations
- Enhanced Features: More granular permission controls
Configuration Changes
- Unified Configuration: All authentication settings in cassandra.yaml
- Simplified Structure: Cleaner, more maintainable configuration
- Better Documentation: Comprehensive configuration examples
Best Practices
Authentication
- Enable authentication on every node in the cluster
- Use strong passwords for internal authentication
- Integrate LDAP or OIDC for enterprise identity management
- Manage the certificates and truststore used for OIDC properly, and renew them before they expire
- Conduct regular security assessments
Authorization
- Follow the principle of least privilege
- Create specific roles for different user types
- Use role inheritance to simplify management
- Regularly review and update permissions
- Implement separation of duties
Encryption
- Enable encryption for all client and internode connections
- Use strong cipher suites
- Implement proper key management
- Rotate keys regularly
- Monitor the performance cost of encryption
Monitoring
- Enable comprehensive audit logging
- Monitor authentication events, including failed logins
- Track permission changes
- Implement alerting for security events
- Conduct regular security reviews
Next steps
To get started with HCD security:
- Read the Security FAQ for common questions.
- Review the Security checklists for implementation guidance.
- Set up Authentication and Authorization.
- Configure user accounts and roles.
- Set up encryption for data protection.
- Enable audit logging for compliance.
For specific authentication schemes: