HCD security overview

HCD provides a comprehensive security framework designed for modern enterprise environments. This overview explains the security architecture and key features available in HCD 1.2.

Security architecture

HCD uses a modular security architecture with three main components:

AdvancedAuthenticator

The AdvancedAuthenticator provides flexible authentication support for multiple authentication schemes:

  • Internal authentication: Traditional username/password stored in the database

  • LDAP authentication: Integration with Active Directory and other LDAP services

  • OpenID Connect (OIDC): Modern identity provider integration

The authenticator can be configured to use multiple schemes simultaneously, allowing for gradual migration or hybrid authentication strategies.

AdvancedAuthorizer

The AdvancedAuthorizer provides granular access control with:

  • Role-based access control (RBAC): Permissions granted to roles, which are assigned to users

  • Resource hierarchy: Permissions cascade from higher-level resources to lower-level resources

  • Permission inheritance: Roles can inherit permissions from other roles

AdvancedRoleManager

The AdvancedRoleManager handles role assignment and management:

  • Internal role management: Direct mapping of users to roles

  • LDAP role management: Automatic role assignment based on LDAP group membership

  • OIDC role management: Role assignment from JWT claims

Key security features

Authentication

  • Multiple authentication schemes: Support for internal, LDAP, and OIDC

  • Flexible configuration: Mix and match authentication schemes as needed

  • Enterprise integration: Seamless integration with existing identity systems

  • Modern standards: Support for OIDC and other modern authentication protocols

Authorization

  • Granular permissions: Control access at keyspace, table, and function levels

  • Role hierarchy: Create complex permission structures with role inheritance

  • Separation of duties: Create administrative roles with limited permissions

Encryption

  • Client-to-node encryption: Secure connections between clients and database nodes

  • Node-to-node encryption: Secure internode communication

  • Transparent data encryption: Encrypt data at rest on disk

  • Key management: Support for KMIP and local key management

Auditing

  • Comprehensive logging: Track all database activities

  • Configurable categories: Choose which events to audit

  • Multiple outputs: Log to files or database tables

  • Compliance support: Meet regulatory requirements

Configuration overview

cassandra.yaml configuration

The main security configuration is in the cassandra.yaml file:

authenticator:
  class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
  parameters:
    enabled: true
    default_scheme: internal
    additional_schemes: oidc, ldap
    plain_text_without_ssl: warn

authorizer:
  class_name: com.datastax.cassandra.auth.AdvancedAuthorizer

role_manager:
  class_name: com.datastax.cassandra.auth.AdvancedRoleManager
  parameters:
    mode: internal

Authentication scheme configuration

Each authentication scheme has its own configuration parameters:

Internal Authentication:

  • No additional configuration required

  • Users and passwords stored in the database

LDAP Authentication:

  • Server configuration (ldap_servers)

  • User search settings (ldap_user_search_filter, ldap_user_search_bases)

  • Group lookup configuration (ldap_group_search_* parameters)

  • Connection settings (ldap_connection_use_tls, ldap_connection_use_ssl)

OIDC Authentication:

  • Issuer URL (oidc_issuer)

  • Client configuration (oidc_accepted_audience)

  • JWT claim mapping (oidc_user_name_claim, oidc_user_roles_claims)

  • TLS settings (oidc_use_tls, oidc_truststore_path)

Encryption configuration

Client-to-Node Encryption:

client_encryption_options:
    enabled: true
    keystore: conf/.keystore
    keystore_password: cassandra
    require_client_auth: false

Node-to-Node Encryption:

server_encryption_options:
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    require_client_auth: false

Transparent Data Encryption:

transparent_data_encryption_options:
    enabled: true
    cipher: AES/CBC/PKCS5Padding
    key_alias: testing:1
    key_provider:
      - class_name: org.apache.cassandra.security.JKSKeyProvider
        parameters:
          - keystore: conf/.keystore
            keystore_password: cassandra
            store_type: JCEKS

Audit logging configuration

audit_logging_options:
    enabled: true
    logger:
      - class_name: BinAuditLogger
    included_categories: QUERY, DML, DDL, AUTH
    excluded_keyspaces: system, system_schema

Default security state

By default, HCD 1.2 has the following security configuration:

  • Authentication: Disabled (authenticator.parameters.enabled: false)

  • Authorization: Disabled (authorizer.parameters.enabled: false)

  • Client-to-node encryption: Disabled (client_encryption_options.enabled: false)

  • Node-to-node encryption: Disabled (server_encryption_options.internode_encryption: none)

  • Transparent data encryption: Disabled (transparent_data_encryption_options.enabled: false)

  • Audit logging: Disabled (audit_logging_options.enabled: false)

Migration from Previous Versions

If you’re migrating from a previous version of HCD or Hyper-Converged Database (HCD):

Authentication Changes

  • AdvancedAuthenticator: Replaces the previous HCD Authenticator

  • OIDC Support: New authentication scheme for modern identity providers

  • Simplified Configuration: More straightforward configuration structure

  • Enhanced Flexibility: Better support for multiple authentication schemes

Authorization Changes

  • AdvancedAuthorizer: Replaces the previous HCD Authorizer

  • Improved Performance: Better caching and performance optimizations

  • Enhanced Features: More granular permission controls

Configuration Changes

  • Unified Configuration: All authentication settings in cassandra.yaml

  • Simplified Structure: Cleaner, more maintainable configuration

  • Better Documentation: Comprehensive configuration examples

Best Practices

Authentication

  • Enable authentication on all nodes

  • Use strong passwords for internal authentication

  • Configure LDAP or OIDC for enterprise integration

  • Implement proper certificate management for OIDC

  • Regular security assessments

Authorization

  • Follow the principle of least privilege

  • Create specific roles for different user types

  • Use role inheritance to simplify management

  • Regularly review and update permissions

  • Implement separation of duties

Encryption

  • Enable encryption for all connections

  • Use strong cipher suites

  • Implement proper key management

  • Regular key rotation

  • Monitor encryption performance

Monitoring

  • Enable comprehensive audit logging

  • Monitor authentication events

  • Track permission changes

  • Implement alerting for security events

  • Regular security reviews

Next steps

To get started with HCD security:

  1. Read the Security FAQ for common questions.

  2. Review the Security checklists for implementation guidance.

  3. Set up Authentication and Authorization.

  4. Configure user accounts and roles.

  5. Set up encryption for data protection.

  6. Enable audit logging for compliance.

For specific authentication schemes:

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com