Securing_the_Thrift_Protocol
Joe Winter edited this page Sep 4, 2014
<div style="text-align: left;">[[TableOfContents|Table of Contents]] | [[Cassandra_Security_Options|Previous]] | [[Securing_the_Cassandra_JMX_Protocol|Next]] | [[Index|Index]]</div>
<div style="color: #999999; font-family: sans-serif; font-size: 10pt; text-align: left;">
<span>[[Cassandra_Configuration_and_Operation|Cassandra Configuration and Operation]]</span> : <span>[[Cassandra_Configuration_Files|Cassandra Configuration Files]]</span> : <span>[[Cassandra_Security_Options|Cassandra Security Options]]</span> : Securing the Thrift Protocol</div>
<hr />
<div style="color: #4F81BD; font-family: &quot;Museo For Dell Regular&quot;; font-size: 11pt; font-style: italic; font-weight: bold; margin-bottom: 0pt; margin-top: 10pt;"><span id="wwpID0E0DE0HA">Securing the Thrift Protocol</span></div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;"><span id="wwpID0E0CE0HA">The Thrift API is the primary protocol that applications such as Doradus use to communicate with Cassandra. By default, Thrift uses an unencrypted connection and allows any process to connect and authenticate. To prevent unauthorized applications from directly accessing Cassandra, you should secure the Thrift API. Cassandra supports TLS-encrypted communication for the Thrift protocol, but Doradus does not currently support it. However, there are two ways to prevent unauthorized access to Cassandra’s Thrift API.</span></div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;"><span id="wwpID0E0BE0HA">One way to secure the Thrift connections is to deploy Doradus and Cassandra on a subnet and disallow access to the Thrift port (default 9160) from outside the subnet. This allows free communication between Doradus, Cassandra, and tools used on the subnet, whose access can be restricted to authorized administrators.</span></div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;"><span id="wwpID0E0AE0HA">Alternatively, you can use Cassandra’s configurable capability for its authorization and authentication modules. The modules that provide authentication (who can connect) and authorization (what each connection is allowed to do) are defined in the file </span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">{cassandra_home}/conf/cassandra.yaml</span> as shown below:</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E06D0HA"># Authentication backend, implementing IAuthenticator; used to identify users</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E05D0HA"># Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator,</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E04D0HA"># PasswordAuthenticator}.</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E03D0HA">#</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E02D0HA"># - AllowAllAuthenticator performs no checks - set it to disable authentication.</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E01D0HA"># - PasswordAuthenticator relies on username/password pairs to authenticate</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0ZD0HA"># users. It keeps usernames and hashed passwords in system_auth.credentials table.</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0YD0HA"># Please increase system_auth keyspace replication factor if you use this authenticator.</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0XD0HA">authenticator: AllowAllAuthenticator</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0WD0HA"> </span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0VD0HA"># Authorization backend, implementing IAuthorizer; used to limit access/provide permissions</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0UD0HA"># Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0TD0HA"># CassandraAuthorizer}.</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0SD0HA">#</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0RD0HA"># - AllowAllAuthorizer allows any action to any user - set it to disable authorization.</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0QD0HA"># - CassandraAuthorizer stores permissions in system_auth.permissions table. Please</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0PD0HA"># increase system_auth keyspace replication factor if you use this authorizer.</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0OD0HA">authority: AllowAllAuthorizer</span></div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;"><span id="wwpID0E0ND0HA">As shown, the default authenticator is </span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">AllowAllAuthenticator</span>, which allows any process to connect, and the default authority is <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">AllowAllAuthorizer</span>, which allows each connection to perform any Thrift command.</div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;"><span id="wwpID0E0MD0HA">A simple user ID/password-based mechanism can be used as described in the </span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">cassandra.yaml</span> file comments. <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">PasswordAuthenticator</span> can be used to provide password-protected access to Cassandra. Although <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">CassandraAuthorizer</span> can be used to control the types of access allowed to each user, Doradus requires full access to the database so that it can make schema changes and read/write data. Therefore, you can change the <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">authenticator</span> to <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">PasswordAuthenticator</span> to restrict access to a password-protected, Doradus-specific user while leaving the <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">authority</span> as <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">AllowAllAuthorizer</span> so that all permissions are allowed for the Doradus user.</div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;"><span id="wwpID0E0LD0HA">Below is an outline of the steps required to use this strategy:</span></div>
<div style="margin-left: 18pt;margin-bottom: 12pt; margin-top: 12pt;">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="baseline">
<td style="width: 18pt"><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;">1. </div></td>
<td><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;"><span id="wwpID0E0KD0HA">While Cassandra is not running, update the cassandra.yaml file to change the </span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">authenticator</span> to <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">PasswordAuthenticator</span>. Example:</div></td>
</tr>
</table>
</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0JD0HA">authenticator: </span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">PasswordAuthenticator</span></div>
<div style="margin-left: 18pt;margin-bottom: 12pt; margin-top: 12pt;">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="baseline">
<td style="width: 18pt"><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;">2. </div></td>
<td><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;"><span id="wwpID0E0ID0HA">Save the file and start Cassandra. Because it requires at least one super user, Cassandra will create a default user “cassandra” with password “cassandra”. You can see this in its log with a message such as the following:</span></div></td>
</tr>
</table>
</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0HD0HA">INFO 09:11:10,659 PasswordAuthenticator created default user 'cassandra'</span></div>
<div style="margin-left: 18pt;margin-bottom: 12pt; margin-top: 12pt;">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="baseline">
<td style="width: 18pt"><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;">3. </div></td>
<td><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;"><span id="wwpID0E0GD0HA">Run the CQL shell application (</span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">cqlsh</span>) in Cassandra’s bin directory, logging on with the default user. Example:</div></td>
</tr>
</table>
</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0FD0HA">cd </span><span style="font-style: italic;">{cassandra_home}</span>/bin</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0ED0HA">cqlsh -u cassandra -p cassandra</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0DD0HA">Connected to </span><span style="color: #0000FF;">Test Cluster</span> at localhost:9160.</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0CD0HA">[cqlsh 3.1.2 | Cassandra 1.2.6 | CQL spec 3.0.0 | Thrift protocol 19.36.0]</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0BD0HA">Use HELP for help.</span></div>
<div style="margin-left: 18pt;margin-bottom: 12pt; margin-top: 12pt;">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="baseline">
<td style="width: 18pt"><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;">4. </div></td>
<td><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;"><span id="wwpID0E0AD0HA">Create a new super user for Doradus. Then, change the password for the default ‘cassandra’ to something obscure so that it can no longer be used. Example:</span></div></td>
</tr>
</table>
</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E06C0HA">cqlsh> create user SuperDory with password 'Alpha1' superuser;</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E05C0HA">cqlsh> alter user cassandra with password 'Ajcj2846%!6';</span></div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-left: 36pt; margin-top: 12pt;"><span id="wwpID0E04C0HA">You can verify that the new user has been created by querying the </span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">users</span> ColumnFamily in the <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">system_auth</span> Keyspace. Example:</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E03C0HA">cqlsh> select * from system_auth.users;</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E02C0HA"> </span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E01C0HA"> </span><span style="color: #FF00FF;">name</span> | <span style="color: #FF00FF;">super</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0ZC0HA">-----------+-------</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0YC0HA"> </span><span style="color: #808000;">SuperDory</span> | <span style="color: #408000;">True</span></div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 54pt; margin-top: 12pt;"><span id="wwpID0E0XC0HA"> </span><span style="color: #808000;">cassandra</span> | <span style="color: #408000;">True</span></div>
<div style="margin-left: 18pt;margin-bottom: 12pt; margin-top: 12pt;">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="baseline">
<td style="width: 18pt"><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;">5. </div></td>
<td><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;"><span id="wwpID0E0WC0HA">As described in the previous section </span><span style="font-weight: bold;">[[Using_a_Secured_Thrift_API|Using a Secured Thrift API]]</span>, be sure to update <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">doradus.yaml</span> to set <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">dbauthenticator</span> to <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">com.dell.doradus.server.SimpleAuthenticator</span>, and set the <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">dbuser</span> and <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">dbpassword</span> options in <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">passwd.properties</span> to match the new user and password created above.</div></td>
</tr>
</table>
</div>
<div style="margin-left: 18pt;margin-bottom: 12pt; margin-top: 12pt;">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="baseline">
<td style="width: 18pt"><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;">6. </div></td>
<td><div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt;"><span id="wwpID0E0VC0HA">Start Doradus. It will use the new user ID and password you defined for all Cassandra connections.</span></div></td>
</tr>
</table>
</div>
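<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;">The following script is an added example, not part of the Doradus wiki or the Doradus project code. It audits the three files the six steps above touch (cassandra.yaml, doradus.yaml and passwd.properties) and reports the weak states this page describes: an <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">authenticator</span> still set to <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">AllowAllAuthenticator</span>, a <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">dbauthenticator</span> that does not match a password-protected Cassandra, and the default cassandra/cassandra credentials left in passwd.properties. The file contents embedded in the script are constructed samples; the key names (<span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">authenticator</span>, <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">authority</span>, <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">dbauthenticator</span>, <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">dbuser</span>, <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">dbpassword</span>) come from this page, and the parsers are deliberately minimal (flat top-level YAML keys and Java-style properties only), which is an assumption about how these files are laid out rather than a full YAML implementation.</div>

```python
"""Audit the Cassandra/Doradus authentication settings covered by this page.

Added example; not Doradus project code. It checks the post-procedure state:
  step 1  cassandra.yaml  -> authenticator: PasswordAuthenticator
  step 4  default 'cassandra' password changed (not used by Doradus)
  step 5  doradus.yaml    -> dbauthenticator: com.dell.doradus.server.SimpleAuthenticator
          passwd.properties -> dbuser / dbpassword for the Doradus-specific user
"""
import re
from typing import Dict, List

SIMPLE_AUTHENTICATOR = "com.dell.doradus.server.SimpleAuthenticator"  # from the page
DEFAULT_USER = "cassandra"       # default super user created by PasswordAuthenticator
DEFAULT_PASSWORD = "cassandra"   # its default password (step 2 on the page)

# --- Constructed sample inputs (not real deployment files) -------------------
CASSANDRA_YAML_DEFAULT = """\
# Authentication backend, implementing IAuthenticator; used to identify users
authenticator: AllowAllAuthenticator

# Authorization backend, implementing IAuthorizer
authority: AllowAllAuthorizer
"""
CASSANDRA_YAML_HARDENED = """\
authenticator: PasswordAuthenticator
authority: AllowAllAuthorizer
"""
DORADUS_YAML_DEFAULT = "dbauthenticator: \n"          # hypothetical unset value
DORADUS_YAML_HARDENED = "dbauthenticator: %s\n" % SIMPLE_AUTHENTICATOR
PASSWD_DEFAULT = "dbuser=cassandra\ndbpassword=cassandra\n"
PASSWD_HARDENED = "dbuser=SuperDory\ndbpassword=Alpha1\n"  # values from the page's step 4


def parse_top_level_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for flat 'key: value' lines (cassandra.yaml / doradus.yaml).

    Comments are stripped, indented (nested) lines are ignored, and quotes
    around values are removed. This is an assumption about file layout, not
    a YAML implementation.
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()
        match = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", body)
        if match:
            settings[match.group(1)] = match.group(2).strip().strip("'\"")
    return settings


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style key=value lines as used in passwd.properties."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(cassandra_yaml: str, doradus_yaml: str, passwd_props: str) -> List[str]:
    """Return a list of findings; an empty list means the page's end state is met."""
    findings: List[str] = []
    cass = parse_top_level_yaml(cassandra_yaml)
    dora = parse_top_level_yaml(doradus_yaml)
    creds = parse_properties(passwd_props)

    # Shipped cassandra.yaml sets the key explicitly; treat a missing key as the
    # open default so a stripped-down file is not mistaken for a hardened one.
    authenticator = cass.get("authenticator", "AllowAllAuthenticator")
    if authenticator == "AllowAllAuthenticator":
        findings.append("cassandra.yaml: authenticator is AllowAllAuthenticator; "
                        "any process reaching the Thrift port can connect")
    elif authenticator == "PasswordAuthenticator":
        if dora.get("dbauthenticator") != SIMPLE_AUTHENTICATOR:
            findings.append("doradus.yaml: dbauthenticator is not %s, but Cassandra now "
                            "requires a password" % SIMPLE_AUTHENTICATOR)
        user, password = creds.get("dbuser"), creds.get("dbpassword")
        if not user or not password:
            findings.append("passwd.properties: dbuser/dbpassword missing; "
                            "Doradus cannot authenticate")
        elif user == DEFAULT_USER and password == DEFAULT_PASSWORD:
            findings.append("passwd.properties: default cassandra/cassandra credentials in "
                            "use; create a Doradus-specific user and change the default "
                            "password (step 4)")
    else:
        findings.append("cassandra.yaml: unrecognised authenticator %r" % authenticator)

    # The page uses the key 'authority'; accept 'authorizer' as an alternate spelling.
    authority = cass.get("authority", cass.get("authorizer", "AllowAllAuthorizer"))
    if authority != "AllowAllAuthorizer":
        findings.append("cassandra.yaml: authority is %s; Doradus needs full access, "
                        "so its user must be granted every permission" % authority)
    return findings


if __name__ == "__main__":
    for label, args in (("default", (CASSANDRA_YAML_DEFAULT, DORADUS_YAML_DEFAULT, PASSWD_DEFAULT)),
                        ("hardened", (CASSANDRA_YAML_HARDENED, DORADUS_YAML_HARDENED, PASSWD_HARDENED))):
        print("%s: %s" % (label, audit(*args) or ["no findings"]))
```

<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;">Run against real files by reading them into the three string arguments of <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">audit()</span>. The script cannot observe whether the default 'cassandra' password was actually changed on the cluster; it only catches the case where Doradus is still configured to use it, so step 4 still has to be verified with the <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt;">system_auth.users</span> query shown above.</div>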
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;"><span id="wwpID0E0UC0HA">Note that in a multi-node cluster, you should also increase the replication factor of the </span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">system_auth</span> Keyspace so that records in the <span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">users</span> ColumnFamily are replicated to multiple systems. This can be done with the following CQL command:</div>
<div style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span id="wwpID0E0TC0HA">ALTER KEYSPACE "system_auth" WITH REPLICATION = {'class':'SimpleStrategy', 'replication_factor':3};</span></div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-top: 12pt;"><span id="wwpID0E0SC0HA">For more information on using the </span><span style="color: #4A442A; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-weight: normal;">PasswordAuthenticator</span>, see Cassandra documentation such as the following:</div>
<div style="font-family: &quot;Museo Sans For Dell Regular&quot;; font-size: 11pt; margin-bottom: 12pt; margin-left: 18pt; margin-top: 12pt;"><span style="color: #0000FF; text-decoration: underline;"><span id="wwpID0E0RC0HA">[[http://www.datastax.com/documentation/cassandra/1.2/webhelp/index.html#cassandra/security/security_config_native_authenticate_t.html|http://www.datastax.com/documentation/cassandra/1.2/webhelp/index.html#cassandra/security/security_config_native_authenticate_t.html]]</span></span></div>