HCD security overview
HCD provides a comprehensive security framework designed for modern enterprise environments. This overview explains the security architecture and key features available in HCD 1.2.
Security architecture
HCD uses a modular security architecture with three main components:
- AdvancedAuthenticator
- AdvancedAuthorizer
- AdvancedRoleManager
AdvancedAuthenticator
The AdvancedAuthenticator provides flexible authentication support for multiple authentication schemes:
- Internal authentication: Traditional username/password stored in the database
- LDAP authentication: Integration with Active Directory and other LDAP services
- OpenID Connect (OIDC): Modern identity provider integration
The authenticator can configure multiple schemes simultaneously, enabling gradual migration or hybrid authentication strategies.
AdvancedAuthorizer
The AdvancedAuthorizer provides granular access control with:
- Role-based access control (RBAC): Permissions granted to roles, which are assigned to users
- Resource hierarchy: Permissions cascade from higher-level resources to lower-level resources
- Permission inheritance: Roles can inherit permissions from other roles
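
How role inheritance and the resource hierarchy combine when a permission is checked, as an added example that models the two rules above and is not HCD's implementation. The role names, grants, data/keyspace/table resource strings and function names are constructed for illustration.

```ruby
require 'set'

# Constructed grants (assumption, not HCD data): role => [[permission, resource], ...]
GRANTS = {
  'reader'  => [['SELECT', 'data/sales']],
  'analyst' => [['MODIFY', 'data/sales/reports']],
  'auditor' => [['SELECT', 'data/audit/events']]
}.freeze

# Constructed role graph: role => roles granted to it (it inherits their permissions).
MEMBER_OF = {
  'alice'   => ['analyst'],
  'analyst' => ['reader'],
  'bob'     => ['auditor']
}.freeze

# All roles reachable from `role`, including itself; the seen-set stops cycles.
def effective_roles(role, seen = Set.new)
  return seen unless seen.add?(role)
  MEMBER_OF.fetch(role, []).each { |parent| effective_roles(parent, seen) }
  seen
end

# A resource followed by each ancestor: data/sales/orders, data/sales, data.
def resource_chain(resource)
  parts = resource.split('/')
  parts.length.downto(1).map { |n| parts.first(n).join('/') }
end

# Allowed when any effective role holds the permission on the resource
# itself or on one of its ancestors (grants cascade downward only).
def allowed?(role, permission, resource)
  chain = resource_chain(resource)
  effective_roles(role).any? do |r|
    GRANTS.fetch(r, []).any? { |perm, res| perm == permission && chain.include?(res) }
  end
end

puts allowed?('alice', 'SELECT', 'data/sales/orders') # via analyst -> reader, keyspace grant
puts allowed?('alice', 'MODIFY', 'data/sales/orders') # table-level grant does not widen
```

When reviewing least privilege, note that a single keyspace-level grant on an inherited role reaches every table in that keyspace for every role that inherits it.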
AdvancedRoleManager
The AdvancedRoleManager handles role assignment and management:
- Internal role management: Direct mapping of users to roles
- LDAP role management: Automatic role assignment based on LDAP group membership
- OIDC role management: Role assignment from JWT claims
Key security features
HCD provides four core security capabilities: authentication, authorization, encryption, and auditing.
Authentication
HCD supports multiple authentication schemes:
Authorization
HCD delivers granular access control:
- Granular permissions: Control access at keyspace, table, and function levels
- Role hierarchy: Create complex permission structures with role inheritance
- Separation of duties: Create administrative roles with limited permissions
Encryption
HCD secures data through multiple encryption layers:
- Client-to-node encryption: Secure connections between clients and database nodes
- Node-to-node encryption: Secure internode communication
- Transparent data encryption: Encrypt data at rest on disk
- Key management: Support for KMIP and local key management
Auditing
HCD provides comprehensive audit capabilities:
- Comprehensive logging: Track all database activities
- Configurable categories: Choose which events to audit
- Multiple outputs: Log to files or database tables
- Compliance support: Meet regulatory requirements
Configuration overview
The following sections describe how to configure the security features.
cassandra.yaml configuration
The main security configuration resides in the cassandra.yaml file:
authenticator:
  class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
  parameters:
    enabled: true
    default_scheme: internal
    additional_schemes: oidc, ldap
    plain_text_without_ssl: warn
authorizer:
  class_name: com.datastax.cassandra.auth.AdvancedAuthorizer
role_manager:
  class_name: com.datastax.cassandra.auth.AdvancedRoleManager
  parameters:
    mode: internal
Authentication scheme configuration
Each authentication scheme requires specific configuration parameters:
Internal Authentication:
- No additional configuration required
- Users and passwords stored in the database
LDAP Authentication:
- Server configuration (ldap_servers)
- User search settings (ldap_user_search_filter, ldap_user_search_bases)
- Group lookup configuration (ldap_group_search_* parameters)
- Connection settings (ldap_connection_use_tls, ldap_connection_use_ssl)
OIDC Authentication:
- Issuer URL (oidc_issuer)
- Client configuration (oidc_accepted_audience)
- JWT claim mapping (oidc_user_name_claim, oidc_user_roles_claims)
- TLS settings (oidc_use_tls, oidc_truststore_path)
Encryption configuration
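Client-to-Node Encryption:
client_encryption_options:
  enabled: true
  keystore: conf/.keystore
  # Sample password; replace it with your own keystore password.
  keystore_password: cassandra
  # Set to true to require client certificates (mutual TLS).
  require_client_auth: false
Node-to-Node Encryption:
server_encryption_options:
  internode_encryption: all
  keystore: conf/.keystore
  # Sample password; replace it with your own keystore password.
  keystore_password: cassandra
  # Set to true to require certificates from peer nodes.
  require_client_auth: false
Transparent Data Encryption:
transparent_data_encryption_options:
  enabled: true
  cipher: AES/CBC/PKCS5Padding
  key_alias: testing:1
  key_provider:
    - class_name: org.apache.cassandra.security.JKSKeyProvider
      parameters:
        - keystore: conf/.keystore
          # Sample password; replace it with your own keystore password.
          keystore_password: cassandra
          store_type: JCEKS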
Audit logging configuration
audit_logging_options:
  enabled: true
  logger:
    - class_name: BinAuditLogger
  included_categories: QUERY, DML, DDL, AUTH
  excluded_keyspaces: system, system_schema
Default security state
HCD 1.2 ships with the following default security configuration:
- Authentication: Disabled (authenticator.parameters.enabled: false)
- Authorization: Disabled (authorizer.parameters.enabled: false)
- Client-to-node encryption: Disabled (client_encryption_options.enabled: false)
- Node-to-node encryption: Disabled (server_encryption_options.internode_encryption: none)
- Transparent data encryption: Disabled (transparent_data_encryption_options.enabled: false)
- Audit logging: Disabled (audit_logging_options.enabled: false)
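
To check which of these defaults are still in effect on a node, the following added example (not part of the HCD documentation or product) parses a cassandra.yaml and lists every feature that is still disabled, plus any keystore_password left at the sample value cassandra. The key paths are the ones listed above; the embedded config and the names SWITCHES, lookup and audit are constructed for this example.

```ruby
require 'yaml'

# Constructed sample config: authentication and client TLS switched on,
# everything else left at the shipped defaults listed above.
SAMPLE_YAML = <<~CFG
  authenticator:
    class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
    parameters:
      enabled: true
  authorizer:
    class_name: com.datastax.cassandra.auth.AdvancedAuthorizer
    parameters:
      enabled: false
  client_encryption_options:
    enabled: true
    keystore: conf/.keystore
    keystore_password: cassandra
  server_encryption_options:
    internode_encryption: none
  audit_logging_options:
    enabled: false
CFG

# Key paths from the defaults list above; each must be true to count as enabled.
SWITCHES = {
  'authenticator.parameters.enabled' => 'Authentication',
  'authorizer.parameters.enabled' => 'Authorization',
  'client_encryption_options.enabled' => 'Client-to-node encryption',
  'transparent_data_encryption_options.enabled' => 'Transparent data encryption',
  'audit_logging_options.enabled' => 'Audit logging'
}.freeze

# Walk a dotted path; a missing or non-mapping node yields nil (default applies).
def lookup(cfg, path)
  path.split('.').reduce(cfg) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Return one finding per feature still off or secret still at the sample value.
def audit(yaml_text)
  cfg = YAML.safe_load(yaml_text) || {}
  findings = SWITCHES.reject { |path, _| lookup(cfg, path) == true }
                     .map { |path, label| "#{label} is disabled (#{path})" }
  mode = lookup(cfg, 'server_encryption_options.internode_encryption')
  findings << 'Node-to-node encryption is disabled' if mode.nil? || mode.to_s == 'none'
  %w[client_encryption_options server_encryption_options].each do |section|
    next unless lookup(cfg, "#{section}.keystore_password") == 'cassandra'
    findings << "#{section}.keystore_password is still the sample value"
  end
  findings
end

puts audit(SAMPLE_YAML)
```

A key that is absent from the file is reported as disabled, because the shipped default then applies.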
Migration from previous versions
If you migrate from a previous version of HCD, the following changes may affect your configuration:
Authentication changes
- AdvancedAuthenticator: Replaces the previous HCD Authenticator
- OIDC Support: New authentication scheme for modern identity providers
- Simplified Configuration: More straightforward configuration structure
- Enhanced Flexibility: Better support for multiple authentication schemes
Authorization changes
- AdvancedAuthorizer: Replaces the previous HCD Authorizer
- Improved Performance: Better caching and performance optimizations
- Enhanced Features: More granular permission controls
Configuration changes
- Unified Configuration: All authentication settings in cassandra.yaml
- Simplified Structure: Cleaner, more maintainable configuration
- Better Documentation: Comprehensive configuration examples
Best practices
Follow these best practices for HCD security:
Authentication
- Enable authentication on all nodes.
- Use strong passwords for internal authentication.
- Configure LDAP or OIDC for enterprise integration.
- Implement proper certificate management for OIDC.
- Conduct regular security assessments.
Authorization
- Follow the principle of least privilege.
- Create specific roles for different user types.
- Use role inheritance to simplify management.
- Regularly review and update permissions.
- Implement separation of duties.
Encryption
- Enable encryption for all connections.
- Use strong cipher suites.
- Implement proper key management.
- Rotate keys regularly.
- Monitor encryption performance.
Monitoring
- Enable comprehensive audit logging.
- Monitor authentication events.
- Track permission changes.
- Implement alerting for security events.
- Conduct regular security reviews.
Next steps
To get started with HCD security:
- Read the Security FAQ for common questions.
- Review the Security checklists for implementation guidance.
- Set up Authentication and Authorization.
- Configure user accounts and roles.
- Set up encryption for data protection.
- Enable audit logging for compliance.
For specific authentication schemes: