Apache Cassandra authentication and encryption made easy

In the past week we have released some major enhancements to the Instaclustr Apache Cassandra provisioning system. These are a major benefit to all users of our service but in particular have been designed to make it easy to use Instaclustr from Heroku.

Many users of Instaclustr have requirements for increased security levels for their clusters. Up until now, we have met those requirements by manually applying the Cassandra configurations necessary to enable password authentication, user authorisation and client communication encryption in Cassandra. While this achieves the end result, it consumes considerable effort from our support team to set up and makes it harder to maintain the consistent configuration that is a hallmark of our service and allows us to seamlessly undertake node replacements and upgrades.

With our recent release, our provisioning system now supports enabling these security options when creating a cluster. While these enhancements largely manifest themselves as two check boxes on the create cluster dashboard, they do a lot of work behind the scenes that would most likely add up to several days' effort if you were learning the process from scratch and implementing it manually. The work our provisioning system undertakes when you select these options includes:

  • making the necessary cassandra.yaml changes to enable authorisation, authentication and client encryption;
  • generating all required certificates (the CA and all certificates are cluster-specific) and making these available for download in the formats required for all major Cassandra drivers;
  • creating an OpsCenter user in the Cassandra cluster and ensuring it only has access to the Cassandra keyspace;
  • configuring OpsCenter with the required certificates;
  • enabling the custom Instaclustr authentication class which enables us to have administrator access to the cluster based on a (very long) password which is regenerated every five minutes and only accessible to administrators with SSH access to the server; and
  • generating example connection code, including cluster-specific values in Java, Python and Ruby.
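
To confirm that the cassandra.yaml changes from the first item above are in effect on a node, the check below (an added example, not Instaclustr's code) flags a config where authentication, authorisation or client encryption is still at its open setting. The key names are the stock Apache Cassandra ones, which the post itself does not list; `parse_flat_yaml`, `audit` and both sample configs are constructed for illustration.

```python
import re
# Stock Cassandra defaults that leave a cluster open to any client.
INSECURE = {"authenticator": "AllowAllAuthenticator", "authorizer": "AllowAllAuthorizer"}

def parse_flat_yaml(text):
    """Top-level scalars plus one level of nested mappings; not a full YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", line)
        if not m:
            continue                                   # blank lines, list items
        indent, key, value = m.group(1), m.group(2), m.group(3).strip("'\" ")
        if not indent:
            section = key if value == "" else None
            conf[key] = {} if value == "" else value
        elif section is not None:
            conf[section][key] = value
    return conf

def audit(text):
    """Return findings; an empty list means all three controls are enabled."""
    conf, findings = parse_flat_yaml(text), []
    for key, open_value in INSECURE.items():
        value = conf.get(key, open_value)              # absent key means the default
        value = value.get("class_name", open_value) if isinstance(value, dict) else value
        if value.rsplit(".", 1)[-1] == open_value:     # short or fully qualified name
            findings.append(f"{key} is {open_value}")
    tls = conf.get("client_encryption_options")
    tls = tls if isinstance(tls, dict) else {}
    if tls.get("enabled", "false").lower() != "true":
        findings.append("client_encryption_options.enabled is not true")
    elif tls.get("optional", "false").lower() == "true":
        findings.append("client_encryption_options.optional permits plaintext clients")
    return findings

# Constructed samples, not taken from any real cluster.
DEFAULT_CONF = """
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
client_encryption_options:
    enabled: false
"""
HARDENED_CONF = """
authenticator: PasswordAuthenticator  # a custom class, as on this page, also passes
authorizer: CassandraAuthorizer
client_encryption_options:
    enabled: true
"""
```

`audit(DEFAULT_CONF)` returns three findings and `audit(HARDENED_CONF)` returns none; a config with `optional: true` under client encryption is still reported because unencrypted clients can connect.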

These enhancements are clearly useful to just about anyone who uses Instaclustr; however, they are particularly relevant to anyone who wants to use Instaclustr from Heroku. We have a number of customers doing this already, some at quite high traffic volumes, and it works very well. However, because Heroku dynos have variable IPs, it has required manual configuration by our support team to enable these security features and make this work. With these changes, you can now configure an Instaclustr Cassandra cluster to work with Heroku in minutes and without support intervention. We have created a step-by-step tutorial on how to do this which you can view here.

One note on this – the current release does not support authentication or encryption for developer-class nodes due to some technical differences in the setup of these nodes. We expect to release support for enabling authentication on the developer nodes shortly.