Center for Internet Security Benchmark for Cassandra 4.0
Is anyone here on the list interested in helping out in working on the next version of the benchmark? Would love some assistance and you can potentially get your name on the document as an author :) Feel free to reach out, we're always looking for new contributors, you can check them out here: https://www.cisecurity.org/ Thanks, Joe
Apache Thrift library 0.9.2 update due to security vulnerability?
Hello, a Blackduck security scan of our product detected a security vulnerability in the Apache Thrift library 0.9.2, which is shipped in Cassandra up to 3.11 (haven't checked 4.0), also pointed out here: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-38295/Apache-Thrift.html Any plans to upgrade the Apache Thrift library? Thanks, Thomas The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. Dynatrace Austria GmbH (registration number FN 91482h) is a company registered in Linz whose registered office is at 4040 Linz, Austria, Freist?dterstra?e 313
Security question
'm working on center for internet security (CIS) security becnhmark for Cassandra, is there anyone who'd be interested in helping out with it? Feel free to email me direct at i...@dbsec-it.com and we can discuss, thanks, Joe
Re: Security Updates
Regarding security releases, nothing currently exists to notify users when security related patches are released. At the moment I imagine announcements would only be made in NEWS.txt or on the user mailing list... but only if you're lucky. On 31 January 2018 at 19:18, Michael Shuler <mich...@pbandjelly.org> wrote: > I should also mention the dev@ mailing list - this is where the [VOTE] > emails are sent and you'd get an advanced heads up on upcoming releases, > along with the release emails that are sent to both user@ and dev@. The > dev@ traffic is generally lower than user@, so pretty easy to spot votes > & releases. > > -- > Michael > > On 01/31/2018 01:12 PM, Michael Shuler wrote: > > I usually install cron-apt for Ubuntu & Debian, forward and read root's > > email to be notified of all system upgrades, including Cassandra. > > > > There are likely other utilities for other operating systems, or just a > > cron script that checks for system update & emails would work, too. > > > > Also, it's possible to use something like urlwatch to look for changes > > on http://cassandra.apache.org/download/ or any site, email out a > > notification, etc. Maybe http://fetchrss.com/ or similar would work? > > > > I think there are a multitude of immediate ways to do this, until there > > is a site patch submitted to JIRA for RSS addition. > > > > > - > To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org > For additional commands, e-mail: user-h...@cassandra.apache.org > >
Re: Security Updates
I should also mention the dev@ mailing list - this is where the [VOTE] emails are sent and you'd get an advanced heads up on upcoming releases, along with the release emails that are sent to both user@ and dev@. The dev@ traffic is generally lower than user@, so pretty easy to spot votes & releases. -- Michael On 01/31/2018 01:12 PM, Michael Shuler wrote: > I usually install cron-apt for Ubuntu & Debian, forward and read root's > email to be notified of all system upgrades, including Cassandra. > > There are likely other utilities for other operating systems, or just a > cron script that checks for system update & emails would work, too. > > Also, it's possible to use something like urlwatch to look for changes > on http://cassandra.apache.org/download/ or any site, email out a > notification, etc. Maybe http://fetchrss.com/ or similar would work? > > I think there are a multitude of immediate ways to do this, until there > is a site patch submitted to JIRA for RSS addition. > - To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org For additional commands, e-mail: user-h...@cassandra.apache.org
Re: Security Updates
I usually install cron-apt for Ubuntu & Debian, forward and read root's email to be notified of all system upgrades, including Cassandra. There are likely other utilities for other operating systems, or just a cron script that checks for system update & emails would work, too. Also, it's possible to use something like urlwatch to look for changes on http://cassandra.apache.org/download/ or any site, email out a notification, etc. Maybe http://fetchrss.com/ or similar would work? I think there are a multitude of immediate ways to do this, until there is a site patch submitted to JIRA for RSS addition. -- Michael On 01/31/2018 12:22 PM, Rob Oxspring wrote: > Hi, > > As a user of Cassandra I'd like to be able to get notified when there are > security releases so that I can get my installation patched ASAP. For feature > and patch releases I'm happy to come and look at the web page or trawl > through some mail archives, but I'd like for security releases to come and > find me. > > Is there a dedicated mailing list for this? > Or a dedicated list for just announcements without everyday chatter? > An RSS / atom feed would work just as well. > > Thanks, > > Rob Oxspring > > - > To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org > For additional commands, e-mail: user-h...@cassandra.apache.org > - To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org For additional commands, e-mail: user-h...@cassandra.apache.org
Security Updates
Hi, As a user of Cassandra I'd like to be able to get notified when there are security releases so that I can get my installation patched ASAP. For feature and patch releases I'm happy to come and look at the web page or trawl through some mail archives, but I'd like for security releases to come and find me. Is there a dedicated mailing list for this? Or a dedicated list for just announcements without everyday chatter? An RSS / atom feed would work just as well. Thanks, Rob Oxspring - To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org For additional commands, e-mail: user-h...@cassandra.apache.org
Re: Internal Security - Authentication & Authorization
> > Here is what I have pieced together. Please let me know if I am on the > right track. You're more or less right regarding the built in authenticator/authorizer/role manager (which are usually referred to as "internal" as they store their data in Cassandra tables). One important thing to note is that using the default superuser credentials (i.e. logging in as 'cassandra') will make these reads happen at QUORUM, not LOCAL_ONE, which is one of the reasons you shouldn't use those credentials after initial setup. There are 2 settings which govern the lifetime of cached auth data. Once an item has been cached, it becomes eligible for refresh after the update interval has passed. A get from the cache will trigger this refresh, which happens in the background and while it's running, the old (maybe stale) entry is served from the cache. When the validity period expires for a cache entry, it is removed from the cache and subsequent reads trigger a blocking fetch from storage. There is further detail in the docs here: http://cassandra.apache.org/doc/latest/operating/security.html If NOT EXISTS will use SERIAL consistency This isn't actually true. Because internal storage is just one implementation of role/user management, it doesn't rely on LWT. Instead, the configured role manager is consulted before executing the statement, which is similar to how IF NOT EXISTS in schema updates work. On Tue, Mar 14, 2017 at 11:44 PM, Jai Bheemsen Rao Dhanwada < jaibheem...@gmail.com> wrote: > I have similar question. when we create users or roles what is the > consistency level used? > > I know, If NOT EXISTS will use SERIAL consistency. what consistency will > be used if just use CREATE USER ? > > On Mon, Mar 13, 2017 at 7:09 PM, Jacob Shadix> wrote: > >> I'm looking for a deeper understanding of how Cassandra interacts with >> the system_auth keyspace to authenticate/authorize users. >> >> Here is what I have pieced together. Please let me know if I am on the >> right track. >> >> A user attempts to connect to Cassandra. Cassandra checks against >> system_auth for that user @ LOCAL_ONE - - If the user exists, a connection >> is established. When CQL is executed, C* again checks system_auth for that >> user @ LOCAL_ONE to determine if it has the correct privileges to perform >> the CQL. If so, it executes the CQL and the permissions are stored in a >> cache. During the cache validity timeframe, future requests for ANY user >> stored in the cache do not require a lookup against system_auth. After the >> cache validity runs out, any new requests will require a lookup against >> system_auth. >> >> -- Jacob Shadix >> > >
Re: Internal Security - Authentication & Authorization
Jacob, seems you are on the right track however my understanding is that only the user that was auth'd has their permissions/roles/creds cached. Also. Cassandra will query at QUORUM for the "cassandra" user, and at LOCAL_ONE for *all* other users. This is the same for creating users/roles.
Re: Internal Security - Authentication & Authorization
I have similar question. when we create users or roles what is the consistency level used? I know, If NOT EXISTS will use SERIAL consistency. what consistency will be used if just use CREATE USER ? On Mon, Mar 13, 2017 at 7:09 PM, Jacob Shadixwrote: > I'm looking for a deeper understanding of how Cassandra interacts with the > system_auth keyspace to authenticate/authorize users. > > Here is what I have pieced together. Please let me know if I am on the > right track. > > A user attempts to connect to Cassandra. Cassandra checks against > system_auth for that user @ LOCAL_ONE - - If the user exists, a connection > is established. When CQL is executed, C* again checks system_auth for that > user @ LOCAL_ONE to determine if it has the correct privileges to perform > the CQL. If so, it executes the CQL and the permissions are stored in a > cache. During the cache validity timeframe, future requests for ANY user > stored in the cache do not require a lookup against system_auth. After the > cache validity runs out, any new requests will require a lookup against > system_auth. > > -- Jacob Shadix >
Internal Security - Authentication & Authorization
I'm looking for a deeper understanding of how Cassandra interacts with the system_auth keyspace to authenticate/authorize users. Here is what I have pieced together. Please let me know if I am on the right track. A user attempts to connect to Cassandra. Cassandra checks against system_auth for that user @ LOCAL_ONE - - If the user exists, a connection is established. When CQL is executed, C* again checks system_auth for that user @ LOCAL_ONE to determine if it has the correct privileges to perform the CQL. If so, it executes the CQL and the permissions are stored in a cache. During the cache validity timeframe, future requests for ANY user stored in the cache do not require a lookup against system_auth. After the cache validity runs out, any new requests will require a lookup against system_auth. -- Jacob Shadix
Re: Security assessment of Cassandra
Just following up... Oleg, have you gotten a satisfactory level of feedback from the community on the security assessment issues? And if there is any sort of final assessment that can be publicly accessed, that would be great. -- Jack Krupansky On Thu, Feb 11, 2016 at 3:29 PM, oleg yusim <olegyu...@gmail.com> wrote: > Greetings, > > Performing security assessment of Cassandra with the goal of generating > STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx) I ran across some > questions regarding the way certain security features are implemented (or > not) in Cassandra. > > I composed the list of questions on these topics, which I wasn't able to > find definitive answer to anywhere else and posted it here: > > https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM > > It is shared with all the members of that list, and any of the members of > this list is welcome to comment on this document (there is a place for > community comments specially reserved near each of the questions and my > take on it). > > I would greatly appreciate Cassandra community help here. > > Thanks, > > Oleg >
Re: Security assessment of Cassandra
Greetings, Matt brought to my attention that I shared the document at "view only" mode. My apologies for that. I corrected permissions and shared the document personally with everybody, who indicated he/she would review it. Thanks, Oleg On Fri, Feb 12, 2016 at 10:33 PM, oleg yusim <olegyu...@gmail.com> wrote: > Greetings, > > Following Jack's and Matt's suggestions, I moved the doc to Google Docs > and added to it all the security gaps in Cassandra I was able to discover > (please, see second table below fist). > > Here is an updated link to my document: > > > https://docs.google.com/document/d/13-yu-1a0MMkBiJFPNkYoTd1Hzed9tgKltWi6hFLZbsk/edit?usp=sharing > > Thanks, > > Oleg > > On Thu, Feb 11, 2016 at 2:29 PM, oleg yusim <olegyu...@gmail.com> wrote: > >> Greetings, >> >> Performing security assessment of Cassandra with the goal of generating >> STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx) I ran across >> some questions regarding the way certain security features are implemented >> (or not) in Cassandra. >> >> I composed the list of questions on these topics, which I wasn't able to >> find definitive answer to anywhere else and posted it here: >> >> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM >> >> It is shared with all the members of that list, and any of the members of >> this list is welcome to comment on this document (there is a place for >> community comments specially reserved near each of the questions and my >> take on it). >> >> I would greatly appreciate Cassandra community help here. >> >> Thanks, >> >> Oleg >> > >
Re: Security labels
Jack, I updated my document with all the security gaps I was able to find and posted it there: https://docs.google.com/document/d/13-yu-1a0MMkBiJFPNkYoTd1Hzed9tgKltWi6hFLZbsk/edit?usp=sharing Thanks, Oleg On Thu, Feb 11, 2016 at 4:09 PM, oleg yusim <olegyu...@gmail.com> wrote: > Jack, > > I asked my management, if I can share with community my assessment > spreadsheet (whole thing, with gaps and desired configurations). Let's wait > for their answer. I would definitely update the document I shared with the > rest of gaps, so you, guys, would have it for sure. > > Now, in case if my management would say no: > > 1) Here: http://iase.disa.mil/stigs/Pages/a-z.aspx the document titled > vRealize Operations STIG would be published. As part of it, there would be > Cassandra STIG (Cassadra is part of vRealize Operations VMware product). > This STIG would contain only suggestions on right (from the security point > of view) configuration, where it can be configured. > 2) Community would have a full list of gaps (things which are needed, but > can't be configured) after I would update my document > 3) The rest of the assessment are Not Applicable and Applicable - > Inherently Meet items, which nobody is interested at. > 4) Also, when STIG for vRealize Operations would be published, look at the > VMware site for Security Guidelines for vRealize Operations. They would be > posted open to public and you would be able to download them free of > charge. Those would include mitigation, which VMware implemented for some > of the Cassandra gaps. > > Thanks, > > Oleg > > On Thu, Feb 11, 2016 at 2:55 PM, Jack Krupansky <jack.krupan...@gmail.com> > wrote: > >> Thanks for putting the items together in a list. This allows people to >> see things with more context. Give people in the user community a little >> time to respond. A week, maybe. Hopefully some of the senior Cassandra >> committers will take a look as well. >> >> Will the final assessment become a public document or is it strictly >> internal for your employer? I know there is a database of these >> assessments, but I don't know who controls what becomes public and when. >> >> -- Jack Krupansky >> >> On Thu, Feb 11, 2016 at 3:23 PM, oleg yusim <olegyu...@gmail.com> wrote: >> >>> Hi Dani, >>> >>> As promised, I sort of put all my questions under the "one roof". I >>> would really appreciate you opinion on them. >>> >>> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM >>> >>> Thanks, >>> >>> Oleg >>> >>> On Fri, Jan 29, 2016 at 3:28 PM, Dani Traphagen < >>> dani.trapha...@datastax.com> wrote: >>> >>>> Hi Oleg, >>>> >>>> Thanks that helped clear things up! This sounds like a daunting task. I >>>> wish you all the best with it. >>>> >>>> Cheers, >>>> Dani >>>> >>>> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyu...@gmail.com> >>>> wrote: >>>> >>>>> Dani, >>>>> >>>>> I really appreciate you response. Actually, session timeouts and >>>>> security labels are two different topics (first is about attack when >>>>> somebody opened, say, ssh window to DB, left his machine unattended and >>>>> somebody else stole his session, second - to enable DB to support what >>>>> called MAC access model - stays for mandatory access control. It is widely >>>>> used in the government and military, but not outside of it, we all are >>>>> used >>>>> to DAC access control model). However, I think you are right and I should >>>>> move all my queries under the one big roof and call this thread >>>>> "Security". >>>>> I will do this today. >>>>> >>>>> Now, about what you have said, I just answered the same to Jon, in >>>>> Session Timeout thread, but would quickly re-cap here. I understand that >>>>> Cassandra's architecture was aimed and tailored for completely different >>>>> type of scenario. However, unfortunately, that doesn't mean that Cassandra >>>>> is not vulnerable to the same very set of attacks relational database >>>>> would >>>>> be vulnerable to. It just means Cassandra is not protected against those >>>>> attacks, because protection against them was not thought of, when database >>>>> was created. I already gave the AAA and session's timeout exam
Re: Security assessment of Cassandra
Greetings, Following Jack's and Matt's suggestions, I moved the doc to Google Docs and added to it all the security gaps in Cassandra I was able to discover (please, see second table below fist). Here is an updated link to my document: https://docs.google.com/document/d/13-yu-1a0MMkBiJFPNkYoTd1Hzed9tgKltWi6hFLZbsk/edit?usp=sharing Thanks, Oleg On Thu, Feb 11, 2016 at 2:29 PM, oleg yusim <olegyu...@gmail.com> wrote: > Greetings, > > Performing security assessment of Cassandra with the goal of generating > STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx) I ran across some > questions regarding the way certain security features are implemented (or > not) in Cassandra. > > I composed the list of questions on these topics, which I wasn't able to > find definitive answer to anywhere else and posted it here: > > https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM > > It is shared with all the members of that list, and any of the members of > this list is welcome to comment on this document (there is a place for > community comments specially reserved near each of the questions and my > take on it). > > I would greatly appreciate Cassandra community help here. > > Thanks, > > Oleg >
Re: Security labels
Hi Dani, As promised, I sort of put all my questions under the "one roof". I would really appreciate you opinion on them. https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM Thanks, Oleg On Fri, Jan 29, 2016 at 3:28 PM, Dani Traphagen <dani.trapha...@datastax.com > wrote: > Hi Oleg, > > Thanks that helped clear things up! This sounds like a daunting task. I > wish you all the best with it. > > Cheers, > Dani > > On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyu...@gmail.com> wrote: > >> Dani, >> >> I really appreciate you response. Actually, session timeouts and security >> labels are two different topics (first is about attack when somebody >> opened, say, ssh window to DB, left his machine unattended and somebody >> else stole his session, second - to enable DB to support what called MAC >> access model - stays for mandatory access control. It is widely used in the >> government and military, but not outside of it, we all are used to DAC >> access control model). However, I think you are right and I should move all >> my queries under the one big roof and call this thread "Security". I will >> do this today. >> >> Now, about what you have said, I just answered the same to Jon, in >> Session Timeout thread, but would quickly re-cap here. I understand that >> Cassandra's architecture was aimed and tailored for completely different >> type of scenario. However, unfortunately, that doesn't mean that Cassandra >> is not vulnerable to the same very set of attacks relational database would >> be vulnerable to. It just means Cassandra is not protected against those >> attacks, because protection against them was not thought of, when database >> was created. I already gave the AAA and session's timeout example in Jon's >> thread, and those are just one of many. >> >> Now what I'm trying to do, I'm trying to create a STIG - security federal >> compliance document, which will assess Cassandra against SRG concepts >> (security federal compliance recommendations for databases overall) and >> will highlight what is not met, and can't be in current design (i.e. what >> system architects should keep in mind and what they need to compensate for >> with other controls on different layers of system model) and what can be >> met either with configuration or with little enhancement (and how). >> >> That document would be of great help for Cassandra as a product because >> it would allow it to be marketed as a product with existing security >> assessment and guidelines, performed according to DoD standards. It would >> also allow to move product in the general direction of improving its >> security posture. Finally, the document would be posted on DISA site ( >> http://iase.disa.mil/stigs/Pages/a-z.aspx) available for every security >> architect to utilize, which would greatly reduce the risk for Cassandra >> product to be hacked in a field. >> >> To clear things out - what I ask about are not my expectations. I really >> do not expect developers of Cassandra to run and start implementing >> security labels, just because I asked about it. :) My questions are to >> build my internal knowledge of DB current design, so that I can build my >> security assessment based of it, not more, not less. >> >> I guess, summarizing what I said on top, from what I'm doing Cassandra as >> a product would end up benefiting quite a bit. That is why I think it would >> make sense for Cassandra community to help me with my questions even if >> they sound completely of the traditional "grid". >> >> Thanks again, I really appreciate your response and conversation overall. >> >> Oleg >> >> On Fri, Jan 29, 2016 at 11:20 AM, Dani Traphagen < >> dani.trapha...@datastax.com> wrote: >> >>> Also -- it looks like you're really asking questions about session >>> timeouts and security labels as they associate, would be more helpful to >>> keep in one thread. :) >>> >>> >>> On Friday, January 29, 2016, Dani Traphagen <dani.trapha...@datastax.com> >>> wrote: >>> >>>> Hi Oleg, >>>> >>>> I understand your frustration but unfortunately, in the terms of your >>>> security assessment, you have fallen into a mismatch for Cassandra's >>>> utility. >>>> >>>> The eventuality of having multiple sockets open without the query input >>>> for long durations of time isn't something that was >>>> architected...because...Cassnadra was built to take mas
Re: Security labels
Hi Oleg, I'm happy to take a look. Will update after review. Thanks, Dani On Thu, Feb 11, 2016 at 12:23 PM, oleg yusim <olegyu...@gmail.com> wrote: > Hi Dani, > > As promised, I sort of put all my questions under the "one roof". I would > really appreciate you opinion on them. > > https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM > > Thanks, > > Oleg > > On Fri, Jan 29, 2016 at 3:28 PM, Dani Traphagen < > dani.trapha...@datastax.com> wrote: > >> Hi Oleg, >> >> Thanks that helped clear things up! This sounds like a daunting task. I >> wish you all the best with it. >> >> Cheers, >> Dani >> >> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyu...@gmail.com> wrote: >> >>> Dani, >>> >>> I really appreciate you response. Actually, session timeouts and >>> security labels are two different topics (first is about attack when >>> somebody opened, say, ssh window to DB, left his machine unattended and >>> somebody else stole his session, second - to enable DB to support what >>> called MAC access model - stays for mandatory access control. It is widely >>> used in the government and military, but not outside of it, we all are used >>> to DAC access control model). However, I think you are right and I should >>> move all my queries under the one big roof and call this thread "Security". >>> I will do this today. >>> >>> Now, about what you have said, I just answered the same to Jon, in >>> Session Timeout thread, but would quickly re-cap here. I understand that >>> Cassandra's architecture was aimed and tailored for completely different >>> type of scenario. However, unfortunately, that doesn't mean that Cassandra >>> is not vulnerable to the same very set of attacks relational database would >>> be vulnerable to. It just means Cassandra is not protected against those >>> attacks, because protection against them was not thought of, when database >>> was created. I already gave the AAA and session's timeout example in Jon's >>> thread, and those are just one of many. >>> >>> Now what I'm trying to do, I'm trying to create a STIG - security >>> federal compliance document, which will assess Cassandra against SRG >>> concepts (security federal compliance recommendations for databases >>> overall) and will highlight what is not met, and can't be in current design >>> (i.e. what system architects should keep in mind and what they need to >>> compensate for with other controls on different layers of system model) and >>> what can be met either with configuration or with little enhancement (and >>> how). >>> >>> That document would be of great help for Cassandra as a product because >>> it would allow it to be marketed as a product with existing security >>> assessment and guidelines, performed according to DoD standards. It would >>> also allow to move product in the general direction of improving its >>> security posture. Finally, the document would be posted on DISA site ( >>> http://iase.disa.mil/stigs/Pages/a-z.aspx) available for every security >>> architect to utilize, which would greatly reduce the risk for Cassandra >>> product to be hacked in a field. >>> >>> To clear things out - what I ask about are not my expectations. I really >>> do not expect developers of Cassandra to run and start implementing >>> security labels, just because I asked about it. :) My questions are to >>> build my internal knowledge of DB current design, so that I can build my >>> security assessment based of it, not more, not less. >>> >>> I guess, summarizing what I said on top, from what I'm doing Cassandra >>> as a product would end up benefiting quite a bit. That is why I think it >>> would make sense for Cassandra community to help me with my questions even >>> if they sound completely of the traditional "grid". >>> >>> Thanks again, I really appreciate your response and conversation overall. >>> >>> Oleg >>> >>> On Fri, Jan 29, 2016 at 11:20 AM, Dani Traphagen < >>> dani.trapha...@datastax.com> wrote: >>> >>>> Also -- it looks like you're really asking questions about session >>>> timeouts and security labels as they associate, would be more helpful to >>>> keep in one thread. :) >>>> >>>> >>>> On Friday, January 29, 2016, Dani Traphagen < >>>> dani.trapha
Security assessment of Cassandra
Greetings, Performing security assessment of Cassandra with the goal of generating STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx) I ran across some questions regarding the way certain security features are implemented (or not) in Cassandra. I composed the list of questions on these topics, which I wasn't able to find definitive answer to anywhere else and posted it here: https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM It is shared with all the members of that list, and any of the members of this list is welcome to comment on this document (there is a place for community comments specially reserved near each of the questions and my take on it). I would greatly appreciate Cassandra community help here. Thanks, Oleg
Re: Security labels
Thanks Dani. Oleg On Thu, Feb 11, 2016 at 2:27 PM, Dani Traphagen <dani.trapha...@datastax.com > wrote: > Hi Oleg, > > I'm happy to take a look. Will update after review. > > Thanks, > Dani > > On Thu, Feb 11, 2016 at 12:23 PM, oleg yusim <olegyu...@gmail.com> wrote: > >> Hi Dani, >> >> As promised, I sort of put all my questions under the "one roof". I would >> really appreciate you opinion on them. >> >> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM >> >> Thanks, >> >> Oleg >> >> On Fri, Jan 29, 2016 at 3:28 PM, Dani Traphagen < >> dani.trapha...@datastax.com> wrote: >> >>> Hi Oleg, >>> >>> Thanks that helped clear things up! This sounds like a daunting task. I >>> wish you all the best with it. >>> >>> Cheers, >>> Dani >>> >>> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyu...@gmail.com> >>> wrote: >>> >>>> Dani, >>>> >>>> I really appreciate you response. Actually, session timeouts and >>>> security labels are two different topics (first is about attack when >>>> somebody opened, say, ssh window to DB, left his machine unattended and >>>> somebody else stole his session, second - to enable DB to support what >>>> called MAC access model - stays for mandatory access control. It is widely >>>> used in the government and military, but not outside of it, we all are used >>>> to DAC access control model). However, I think you are right and I should >>>> move all my queries under the one big roof and call this thread "Security". >>>> I will do this today. >>>> >>>> Now, about what you have said, I just answered the same to Jon, in >>>> Session Timeout thread, but would quickly re-cap here. I understand that >>>> Cassandra's architecture was aimed and tailored for completely different >>>> type of scenario. However, unfortunately, that doesn't mean that Cassandra >>>> is not vulnerable to the same very set of attacks relational database would >>>> be vulnerable to. It just means Cassandra is not protected against those >>>> attacks, because protection against them was not thought of, when database >>>> was created. I already gave the AAA and session's timeout example in Jon's >>>> thread, and those are just one of many. >>>> >>>> Now what I'm trying to do, I'm trying to create a STIG - security >>>> federal compliance document, which will assess Cassandra against SRG >>>> concepts (security federal compliance recommendations for databases >>>> overall) and will highlight what is not met, and can't be in current design >>>> (i.e. what system architects should keep in mind and what they need to >>>> compensate for with other controls on different layers of system model) and >>>> what can be met either with configuration or with little enhancement (and >>>> how). >>>> >>>> That document would be of great help for Cassandra as a product because >>>> it would allow it to be marketed as a product with existing security >>>> assessment and guidelines, performed according to DoD standards. It would >>>> also allow to move product in the general direction of improving its >>>> security posture. Finally, the document would be posted on DISA site ( >>>> http://iase.disa.mil/stigs/Pages/a-z.aspx) available for every >>>> security architect to utilize, which would greatly reduce the risk for >>>> Cassandra product to be hacked in a field. >>>> >>>> To clear things out - what I ask about are not my expectations. I >>>> really do not expect developers of Cassandra to run and start implementing >>>> security labels, just because I asked about it. :) My questions are to >>>> build my internal knowledge of DB current design, so that I can build my >>>> security assessment based of it, not more, not less. >>>> >>>> I guess, summarizing what I said on top, from what I'm doing Cassandra >>>> as a product would end up benefiting quite a bit. That is why I think it >>>> would make sense for Cassandra community to help me with my questions even >>>> if they sound completely of the traditional "grid". >>>> >>>> Thanks again, I really appreciate your response and conversation >>>> overall. >>>> >>>
Re: Security labels
Thanks for putting the items together in a list. This allows people to see things with more context. Give people in the user community a little time to respond. A week, maybe. Hopefully some of the senior Cassandra committers will take a look as well. Will the final assessment become a public document or is it strictly internal for your employer? I know there is a database of these assessments, but I don't know who controls what becomes public and when. -- Jack Krupansky On Thu, Feb 11, 2016 at 3:23 PM, oleg yusim <olegyu...@gmail.com> wrote: > Hi Dani, > > As promised, I sort of put all my questions under the "one roof". I would > really appreciate you opinion on them. > > https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM > > Thanks, > > Oleg > > On Fri, Jan 29, 2016 at 3:28 PM, Dani Traphagen < > dani.trapha...@datastax.com> wrote: > >> Hi Oleg, >> >> Thanks that helped clear things up! This sounds like a daunting task. I >> wish you all the best with it. >> >> Cheers, >> Dani >> >> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyu...@gmail.com> wrote: >> >>> Dani, >>> >>> I really appreciate you response. Actually, session timeouts and >>> security labels are two different topics (first is about attack when >>> somebody opened, say, ssh window to DB, left his machine unattended and >>> somebody else stole his session, second - to enable DB to support what >>> called MAC access model - stays for mandatory access control. It is widely >>> used in the government and military, but not outside of it, we all are used >>> to DAC access control model). However, I think you are right and I should >>> move all my queries under the one big roof and call this thread "Security". >>> I will do this today. >>> >>> Now, about what you have said, I just answered the same to Jon, in >>> Session Timeout thread, but would quickly re-cap here. I understand that >>> Cassandra's architecture was aimed and tailored for completely different >>> type of scenario. However, unfortunately, that doesn't mean that Cassandra >>> is not vulnerable to the same very set of attacks relational database would >>> be vulnerable to. It just means Cassandra is not protected against those >>> attacks, because protection against them was not thought of, when database >>> was created. I already gave the AAA and session's timeout example in Jon's >>> thread, and those are just one of many. >>> >>> Now what I'm trying to do, I'm trying to create a STIG - security >>> federal compliance document, which will assess Cassandra against SRG >>> concepts (security federal compliance recommendations for databases >>> overall) and will highlight what is not met, and can't be in current design >>> (i.e. what system architects should keep in mind and what they need to >>> compensate for with other controls on different layers of system model) and >>> what can be met either with configuration or with little enhancement (and >>> how). >>> >>> That document would be of great help for Cassandra as a product because >>> it would allow it to be marketed as a product with existing security >>> assessment and guidelines, performed according to DoD standards. It would >>> also allow to move product in the general direction of improving its >>> security posture. Finally, the document would be posted on DISA site ( >>> http://iase.disa.mil/stigs/Pages/a-z.aspx) available for every security >>> architect to utilize, which would greatly reduce the risk for Cassandra >>> product to be hacked in a field. >>> >>> To clear things out - what I ask about are not my expectations. I really >>> do not expect developers of Cassandra to run and start implementing >>> security labels, just because I asked about it. :) My questions are to >>> build my internal knowledge of DB current design, so that I can build my >>> security assessment based of it, not more, not less. >>> >>> I guess, summarizing what I said on top, from what I'm doing Cassandra >>> as a product would end up benefiting quite a bit. That is why I think it >>> would make sense for Cassandra community to help me with my questions even >>> if they sound completely of the traditional "grid". >>> >>> Thanks again, I really appreciate your response and conversation overall. >>> >>> Oleg >>> >>> On Fri, Jan 29, 2016 at 11:20 AM, Dani Trapha
Re: Security labels
Jack, I asked my management, if I can share with community my assessment spreadsheet (whole thing, with gaps and desired configurations). Let's wait for their answer. I would definitely update the document I shared with the rest of gaps, so you, guys, would have it for sure. Now, in case if my management would say no: 1) Here: http://iase.disa.mil/stigs/Pages/a-z.aspx the document titled vRealize Operations STIG would be published. As part of it, there would be Cassandra STIG (Cassadra is part of vRealize Operations VMware product). This STIG would contain only suggestions on right (from the security point of view) configuration, where it can be configured. 2) Community would have a full list of gaps (things which are needed, but can't be configured) after I would update my document 3) The rest of the assessment are Not Applicable and Applicable - Inherently Meet items, which nobody is interested at. 4) Also, when STIG for vRealize Operations would be published, look at the VMware site for Security Guidelines for vRealize Operations. They would be posted open to public and you would be able to download them free of charge. Those would include mitigation, which VMware implemented for some of the Cassandra gaps. Thanks, Oleg On Thu, Feb 11, 2016 at 2:55 PM, Jack Krupansky <jack.krupan...@gmail.com> wrote: > Thanks for putting the items together in a list. This allows people to see > things with more context. Give people in the user community a little time > to respond. A week, maybe. Hopefully some of the senior Cassandra > committers will take a look as well. > > Will the final assessment become a public document or is it strictly > internal for your employer? I know there is a database of these > assessments, but I don't know who controls what becomes public and when. > > -- Jack Krupansky > > On Thu, Feb 11, 2016 at 3:23 PM, oleg yusim <olegyu...@gmail.com> wrote: > >> Hi Dani, >> >> As promised, I sort of put all my questions under the "one roof". I would >> really appreciate you opinion on them. >> >> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM >> >> Thanks, >> >> Oleg >> >> On Fri, Jan 29, 2016 at 3:28 PM, Dani Traphagen < >> dani.trapha...@datastax.com> wrote: >> >>> Hi Oleg, >>> >>> Thanks that helped clear things up! This sounds like a daunting task. I >>> wish you all the best with it. >>> >>> Cheers, >>> Dani >>> >>> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyu...@gmail.com> >>> wrote: >>> >>>> Dani, >>>> >>>> I really appreciate you response. Actually, session timeouts and >>>> security labels are two different topics (first is about attack when >>>> somebody opened, say, ssh window to DB, left his machine unattended and >>>> somebody else stole his session, second - to enable DB to support what >>>> called MAC access model - stays for mandatory access control. It is widely >>>> used in the government and military, but not outside of it, we all are used >>>> to DAC access control model). However, I think you are right and I should >>>> move all my queries under the one big roof and call this thread "Security". >>>> I will do this today. >>>> >>>> Now, about what you have said, I just answered the same to Jon, in >>>> Session Timeout thread, but would quickly re-cap here. I understand that >>>> Cassandra's architecture was aimed and tailored for completely different >>>> type of scenario. However, unfortunately, that doesn't mean that Cassandra >>>> is not vulnerable to the same very set of attacks relational database would >>>> be vulnerable to. It just means Cassandra is not protected against those >>>> attacks, because protection against them was not thought of, when database >>>> was created. I already gave the AAA and session's timeout example in Jon's >>>> thread, and those are just one of many. >>>> >>>> Now what I'm trying to do, I'm trying to create a STIG - security >>>> federal compliance document, which will assess Cassandra against SRG >>>> concepts (security federal compliance recommendations for databases >>>> overall) and will highlight what is not met, and can't be in current design >>>> (i.e. what system architects should keep in mind and what they need to >>>> compensate for with other controls on different layers of system model) and >>>> what can be met either with configuration or with little enhancement (and >>>> how).
Re: Security labels
Jack, Thanks for your suggestion. I'm familiar with Cassandra documentation, and I'm aware of differences between DSE and Cassandra. Questions I ask here are those, I found no mention about in documentation. Let's take security labels for instance. Cassandra documentation is completely silent on this regard and so is Google. I assume, based on it, Cassandra doesn't support it. But I can't create federal compliance security document for Cassandra basing it of my assumptions and lack of information solely. That is where my questions stem from. Thanks, Oleg On Fri, Jan 29, 2016 at 10:17 AM, Jack Krupansky <jack.krupan...@gmail.com> wrote: > To answer any future questions along these same lines, I suggest that you > start by simply searching the doc and search the github repo for the source > code for the relevant keywords. That will give you the definitive answers > quickly. If something is missing, feel free to propose that it be added (if > you really need it). And feel free to confirm here if a quick search > doesn't give you a solid answer. > > Here's the root page for security in the Cassandra doc: > > https://docs.datastax.com/en/cassandra/3.x/cassandra/configuration/secureTOC.html > > Also note that on questions of security, DataStax Enterprise may have > different answers than pure open source Cassandra. > > -- Jack Krupansky > > On Thu, Jan 28, 2016 at 8:37 PM, oleg yusim <olegyu...@gmail.com> wrote: > >> Patrick, >> >> Absolutely. Security label is mechanism of access control, utilized by >> MAC (mandatory access control) model, and not utilized by DAC >> (discretionary access control) model, we all are used to. In database >> content it is illustrated for instance here: >> http://www.postgresql.org/docs/current/static/sql-security-label.html >> >> Now, as per my goals, I'm making a security assessment for Cassandra DB >> with a goal to produce STIG on this product. That is one of the parameters >> in database SRG I have to assess against. >> >> Thanks, >> >> Oleg >> >> >> On Thu, Jan 28, 2016 at 6:32 PM, Patrick McFadin <pmcfa...@gmail.com> >> wrote: >> >>> Cassandra has support for authentication security, but I'm not familiar >>> with a security label. Can you describe what you want to do? >>> >>> Patrick >>> >>> On Thu, Jan 28, 2016 at 2:26 PM, oleg yusim <olegyu...@gmail.com> wrote: >>> >>>> Greetings, >>>> >>>> Does Cassandra support security label concept? If so, where can I read >>>> on how it should be applied? >>>> >>>> Thanks, >>>> >>>> Oleg >>>> >>> >>> >> >
Security labels
Hi Oleg, I understand your frustration but unfortunately, in the terms of your security assessment, you have fallen into a mismatch for Cassandra's utility. The eventuality of having multiple sockets open without the query input for long durations of time isn't something that was architected...because...Cassnadra was built to take massive quantities of queries both in volume and velocity. Your expectation of the database isn't in line with how our why it was designed. Generally, security solutions are architected around Cassandra, baked into the data model, many solutions are home-brewed, written into the application or provided by using another security client. DSE has different security aspects rolling out in the next release as addressed earlier by Jack, like commit log and hint encryptions, as well as, unified authentication...but secuirty labels aren't on anyone's radar as a pressing "need." It's not something I've heard about as a priority before anyway. Hope this helps! Cheers, Dani On Friday, January 29, 2016, oleg yusim <olegyu...@gmail.com <javascript:_e(%7B%7D,'cvml','olegyu...@gmail.com');>> wrote: > Jack, > > Thanks for your suggestion. I'm familiar with Cassandra documentation, and > I'm aware of differences between DSE and Cassandra. > > Questions I ask here are those, I found no mention about in documentation. > Let's take security labels for instance. Cassandra documentation is > completely silent on this regard and so is Google. I assume, based on it, > Cassandra doesn't support it. But I can't create federal compliance > security document for Cassandra basing it of my assumptions and lack of > information solely. That is where my questions stem from. > > Thanks, > > Oleg > > On Fri, Jan 29, 2016 at 10:17 AM, Jack Krupansky <jack.krupan...@gmail.com > > wrote: > >> To answer any future questions along these same lines, I suggest that you >> start by simply searching the doc and search the github repo for the source >> code for the relevant keywords. That will give you the definitive answers >> quickly. If something is missing, feel free to propose that it be added (if >> you really need it). And feel free to confirm here if a quick search >> doesn't give you a solid answer. >> >> Here's the root page for security in the Cassandra doc: >> >> https://docs.datastax.com/en/cassandra/3.x/cassandra/configuration/secureTOC.html >> >> Also note that on questions of security, DataStax Enterprise may have >> different answers than pure open source Cassandra. >> >> -- Jack Krupansky >> >> On Thu, Jan 28, 2016 at 8:37 PM, oleg yusim <olegyu...@gmail.com> wrote: >> >>> Patrick, >>> >>> Absolutely. Security label is mechanism of access control, utilized by >>> MAC (mandatory access control) model, and not utilized by DAC >>> (discretionary access control) model, we all are used to. In database >>> content it is illustrated for instance here: >>> http://www.postgresql.org/docs/current/static/sql-security-label.html >>> >>> Now, as per my goals, I'm making a security assessment for Cassandra DB >>> with a goal to produce STIG on this product. That is one of the parameters >>> in database SRG I have to assess against. >>> >>> Thanks, >>> >>> Oleg >>> >>> >>> On Thu, Jan 28, 2016 at 6:32 PM, Patrick McFadin <pmcfa...@gmail.com> >>> wrote: >>> >>>> Cassandra has support for authentication security, but I'm not familiar >>>> with a security label. Can you describe what you want to do? >>>> >>>> Patrick >>>> >>>> On Thu, Jan 28, 2016 at 2:26 PM, oleg yusim <olegyu...@gmail.com> >>>> wrote: >>>> >>>>> Greetings, >>>>> >>>>> Does Cassandra support security label concept? If so, where can I read >>>>> on how it should be applied? >>>>> >>>>> Thanks, >>>>> >>>>> Oleg >>>>> >>>> >>>> >>> >> > -- Sent from mobile -- apologizes for brevity or errors.
Re: Security labels
To answer any future questions along these same lines, I suggest that you start by simply searching the doc and search the github repo for the source code for the relevant keywords. That will give you the definitive answers quickly. If something is missing, feel free to propose that it be added (if you really need it). And feel free to confirm here if a quick search doesn't give you a solid answer. Here's the root page for security in the Cassandra doc: https://docs.datastax.com/en/cassandra/3.x/cassandra/configuration/secureTOC.html Also note that on questions of security, DataStax Enterprise may have different answers than pure open source Cassandra. -- Jack Krupansky On Thu, Jan 28, 2016 at 8:37 PM, oleg yusim <olegyu...@gmail.com> wrote: > Patrick, > > Absolutely. Security label is mechanism of access control, utilized by MAC > (mandatory access control) model, and not utilized by DAC (discretionary > access control) model, we all are used to. In database content it is > illustrated for instance here: > http://www.postgresql.org/docs/current/static/sql-security-label.html > > Now, as per my goals, I'm making a security assessment for Cassandra DB > with a goal to produce STIG on this product. That is one of the parameters > in database SRG I have to assess against. > > Thanks, > > Oleg > > > On Thu, Jan 28, 2016 at 6:32 PM, Patrick McFadin <pmcfa...@gmail.com> > wrote: > >> Cassandra has support for authentication security, but I'm not familiar >> with a security label. Can you describe what you want to do? >> >> Patrick >> >> On Thu, Jan 28, 2016 at 2:26 PM, oleg yusim <olegyu...@gmail.com> wrote: >> >>> Greetings, >>> >>> Does Cassandra support security label concept? If so, where can I read >>> on how it should be applied? >>> >>> Thanks, >>> >>> Oleg >>> >> >> >
Re: Security labels
Dani, I really appreciate you response. Actually, session timeouts and security labels are two different topics (first is about attack when somebody opened, say, ssh window to DB, left his machine unattended and somebody else stole his session, second - to enable DB to support what called MAC access model - stays for mandatory access control. It is widely used in the government and military, but not outside of it, we all are used to DAC access control model). However, I think you are right and I should move all my queries under the one big roof and call this thread "Security". I will do this today. Now, about what you have said, I just answered the same to Jon, in Session Timeout thread, but would quickly re-cap here. I understand that Cassandra's architecture was aimed and tailored for completely different type of scenario. However, unfortunately, that doesn't mean that Cassandra is not vulnerable to the same very set of attacks relational database would be vulnerable to. It just means Cassandra is not protected against those attacks, because protection against them was not thought of, when database was created. I already gave the AAA and session's timeout example in Jon's thread, and those are just one of many. Now what I'm trying to do, I'm trying to create a STIG - security federal compliance document, which will assess Cassandra against SRG concepts (security federal compliance recommendations for databases overall) and will highlight what is not met, and can't be in current design (i.e. what system architects should keep in mind and what they need to compensate for with other controls on different layers of system model) and what can be met either with configuration or with little enhancement (and how). That document would be of great help for Cassandra as a product because it would allow it to be marketed as a product with existing security assessment and guidelines, performed according to DoD standards. It would also allow to move product in the general direction of improving its security posture. Finally, the document would be posted on DISA site ( http://iase.disa.mil/stigs/Pages/a-z.aspx) available for every security architect to utilize, which would greatly reduce the risk for Cassandra product to be hacked in a field. To clear things out - what I ask about are not my expectations. I really do not expect developers of Cassandra to run and start implementing security labels, just because I asked about it. :) My questions are to build my internal knowledge of DB current design, so that I can build my security assessment based of it, not more, not less. I guess, summarizing what I said on top, from what I'm doing Cassandra as a product would end up benefiting quite a bit. That is why I think it would make sense for Cassandra community to help me with my questions even if they sound completely of the traditional "grid". Thanks again, I really appreciate your response and conversation overall. Oleg On Fri, Jan 29, 2016 at 11:20 AM, Dani Traphagen < dani.trapha...@datastax.com> wrote: > Also -- it looks like you're really asking questions about session > timeouts and security labels as they associate, would be more helpful to > keep in one thread. :) > > > On Friday, January 29, 2016, Dani Traphagen <dani.trapha...@datastax.com> > wrote: > >> Hi Oleg, >> >> I understand your frustration but unfortunately, in the terms of your >> security assessment, you have fallen into a mismatch for Cassandra's >> utility. >> >> The eventuality of having multiple sockets open without the query input >> for long durations of time isn't something that was >> architected...because...Cassnadra was built to take massive quantities >> of queries both in volume and velocity. >> >> Your expectation of the database isn't in line with how our why it was >> designed. Generally, security solutions are architected >> around Cassandra, baked into the data model, many solutions >> are home-brewed, written into the application or provided by using another >> security client. >> >> DSE has different security aspects rolling out in the next release >> as addressed earlier by Jack, like commit log and hint encryptions, as well >> as, unified authentication...but secuirty labels aren't on anyone's radar >> as a pressing "need." It's not something I've heard about as a >> priority before anyway. >> >> Hope this helps! >> >> Cheers, >> Dani >> >> On Friday, January 29, 2016, oleg yusim <olegyu...@gmail.com> wrote: >> >>> Jack, >>> >>> Thanks for your suggestion. I'm familiar with Cassandra documentation, >>> and I'm aware of differences between DSE and Cassandra. >>> >>> Questions I ask here are those, I found no
Re: Security labels
Also -- it looks like you're really asking questions about session timeouts and security labels as they associate, would be more helpful to keep in one thread. :) On Friday, January 29, 2016, Dani Traphagen <dani.trapha...@datastax.com> wrote: > Hi Oleg, > > I understand your frustration but unfortunately, in the terms of your > security assessment, you have fallen into a mismatch for Cassandra's > utility. > > The eventuality of having multiple sockets open without the query input > for long durations of time isn't something that was > architected...because...Cassnadra was built to take massive quantities > of queries both in volume and velocity. > > Your expectation of the database isn't in line with how our why it was > designed. Generally, security solutions are architected > around Cassandra, baked into the data model, many solutions > are home-brewed, written into the application or provided by using another > security client. > > DSE has different security aspects rolling out in the next release > as addressed earlier by Jack, like commit log and hint encryptions, as well > as, unified authentication...but secuirty labels aren't on anyone's radar > as a pressing "need." It's not something I've heard about as a > priority before anyway. > > Hope this helps! > > Cheers, > Dani > > On Friday, January 29, 2016, oleg yusim <olegyu...@gmail.com> wrote: > >> Jack, >> >> Thanks for your suggestion. I'm familiar with Cassandra documentation, >> and I'm aware of differences between DSE and Cassandra. >> >> Questions I ask here are those, I found no mention about in >> documentation. Let's take security labels for instance. Cassandra >> documentation is completely silent on this regard and so is Google. I >> assume, based on it, Cassandra doesn't support it. But I can't create >> federal compliance security document for Cassandra basing it of my >> assumptions and lack of information solely. That is where my questions stem >> from. >> >> Thanks, >> >> Oleg >> >> On Fri, Jan 29, 2016 at 10:17 AM, Jack Krupansky < >> jack.krupan...@gmail.com> wrote: >> >>> To answer any future questions along these same lines, I suggest that >>> you start by simply searching the doc and search the github repo for the >>> source code for the relevant keywords. That will give you the definitive >>> answers quickly. If something is missing, feel free to propose that it be >>> added (if you really need it). And feel free to confirm here if a quick >>> search doesn't give you a solid answer. >>> >>> Here's the root page for security in the Cassandra doc: >>> >>> https://docs.datastax.com/en/cassandra/3.x/cassandra/configuration/secureTOC.html >>> >>> Also note that on questions of security, DataStax Enterprise may have >>> different answers than pure open source Cassandra. >>> >>> -- Jack Krupansky >>> >>> On Thu, Jan 28, 2016 at 8:37 PM, oleg yusim <olegyu...@gmail.com> wrote: >>> >>>> Patrick, >>>> >>>> Absolutely. Security label is mechanism of access control, utilized by >>>> MAC (mandatory access control) model, and not utilized by DAC >>>> (discretionary access control) model, we all are used to. In database >>>> content it is illustrated for instance here: >>>> http://www.postgresql.org/docs/current/static/sql-security-label.html >>>> >>>> Now, as per my goals, I'm making a security assessment for Cassandra DB >>>> with a goal to produce STIG on this product. That is one of the parameters >>>> in database SRG I have to assess against. >>>> >>>> Thanks, >>>> >>>> Oleg >>>> >>>> >>>> On Thu, Jan 28, 2016 at 6:32 PM, Patrick McFadin <pmcfa...@gmail.com> >>>> wrote: >>>> >>>>> Cassandra has support for authentication security, but I'm not >>>>> familiar with a security label. Can you describe what you want to do? >>>>> >>>>> Patrick >>>>> >>>>> On Thu, Jan 28, 2016 at 2:26 PM, oleg yusim <olegyu...@gmail.com> >>>>> wrote: >>>>> >>>>>> Greetings, >>>>>> >>>>>> Does Cassandra support security label concept? If so, where can I >>>>>> read on how it should be applied? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Oleg >>>>>> >>>>> >>>>> >>>> >>> >> > > -- > Sent from mobile -- apologizes for brevity or errors. > -- Sent from mobile -- apologizes for brevity or errors.
Re: Security labels
Thanks Dani! Oleg On Fri, Jan 29, 2016 at 3:28 PM, Dani Traphagen <dani.trapha...@datastax.com > wrote: > Hi Oleg, > > Thanks that helped clear things up! This sounds like a daunting task. I > wish you all the best with it. > > Cheers, > Dani > > On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyu...@gmail.com> wrote: > >> Dani, >> >> I really appreciate you response. Actually, session timeouts and security >> labels are two different topics (first is about attack when somebody >> opened, say, ssh window to DB, left his machine unattended and somebody >> else stole his session, second - to enable DB to support what called MAC >> access model - stays for mandatory access control. It is widely used in the >> government and military, but not outside of it, we all are used to DAC >> access control model). However, I think you are right and I should move all >> my queries under the one big roof and call this thread "Security". I will >> do this today. >> >> Now, about what you have said, I just answered the same to Jon, in >> Session Timeout thread, but would quickly re-cap here. I understand that >> Cassandra's architecture was aimed and tailored for completely different >> type of scenario. However, unfortunately, that doesn't mean that Cassandra >> is not vulnerable to the same very set of attacks relational database would >> be vulnerable to. It just means Cassandra is not protected against those >> attacks, because protection against them was not thought of, when database >> was created. I already gave the AAA and session's timeout example in Jon's >> thread, and those are just one of many. >> >> Now what I'm trying to do, I'm trying to create a STIG - security federal >> compliance document, which will assess Cassandra against SRG concepts >> (security federal compliance recommendations for databases overall) and >> will highlight what is not met, and can't be in current design (i.e. what >> system architects should keep in mind and what they need to compensate for >> with other controls on different layers of system model) and what can be >> met either with configuration or with little enhancement (and how). >> >> That document would be of great help for Cassandra as a product because >> it would allow it to be marketed as a product with existing security >> assessment and guidelines, performed according to DoD standards. It would >> also allow to move product in the general direction of improving its >> security posture. Finally, the document would be posted on DISA site ( >> http://iase.disa.mil/stigs/Pages/a-z.aspx) available for every security >> architect to utilize, which would greatly reduce the risk for Cassandra >> product to be hacked in a field. >> >> To clear things out - what I ask about are not my expectations. I really >> do not expect developers of Cassandra to run and start implementing >> security labels, just because I asked about it. :) My questions are to >> build my internal knowledge of DB current design, so that I can build my >> security assessment based of it, not more, not less. >> >> I guess, summarizing what I said on top, from what I'm doing Cassandra as >> a product would end up benefiting quite a bit. That is why I think it would >> make sense for Cassandra community to help me with my questions even if >> they sound completely of the traditional "grid". >> >> Thanks again, I really appreciate your response and conversation overall. >> >> Oleg >> >> On Fri, Jan 29, 2016 at 11:20 AM, Dani Traphagen < >> dani.trapha...@datastax.com> wrote: >> >>> Also -- it looks like you're really asking questions about session >>> timeouts and security labels as they associate, would be more helpful to >>> keep in one thread. :) >>> >>> >>> On Friday, January 29, 2016, Dani Traphagen <dani.trapha...@datastax.com> >>> wrote: >>> >>>> Hi Oleg, >>>> >>>> I understand your frustration but unfortunately, in the terms of your >>>> security assessment, you have fallen into a mismatch for Cassandra's >>>> utility. >>>> >>>> The eventuality of having multiple sockets open without the query input >>>> for long durations of time isn't something that was >>>> architected...because...Cassnadra was built to take massive quantities >>>> of queries both in volume and velocity. >>>> >>>> Your expectation of the database isn't in line with how our why it was >>>>
Re: Security labels
Hi Oleg, Thanks that helped clear things up! This sounds like a daunting task. I wish you all the best with it. Cheers, Dani On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyu...@gmail.com> wrote: > Dani, > > I really appreciate you response. Actually, session timeouts and security > labels are two different topics (first is about attack when somebody > opened, say, ssh window to DB, left his machine unattended and somebody > else stole his session, second - to enable DB to support what called MAC > access model - stays for mandatory access control. It is widely used in the > government and military, but not outside of it, we all are used to DAC > access control model). However, I think you are right and I should move all > my queries under the one big roof and call this thread "Security". I will > do this today. > > Now, about what you have said, I just answered the same to Jon, in Session > Timeout thread, but would quickly re-cap here. I understand that > Cassandra's architecture was aimed and tailored for completely different > type of scenario. However, unfortunately, that doesn't mean that Cassandra > is not vulnerable to the same very set of attacks relational database would > be vulnerable to. It just means Cassandra is not protected against those > attacks, because protection against them was not thought of, when database > was created. I already gave the AAA and session's timeout example in Jon's > thread, and those are just one of many. > > Now what I'm trying to do, I'm trying to create a STIG - security federal > compliance document, which will assess Cassandra against SRG concepts > (security federal compliance recommendations for databases overall) and > will highlight what is not met, and can't be in current design (i.e. what > system architects should keep in mind and what they need to compensate for > with other controls on different layers of system model) and what can be > met either with configuration or with little enhancement (and how). > > That document would be of great help for Cassandra as a product because it > would allow it to be marketed as a product with existing security > assessment and guidelines, performed according to DoD standards. It would > also allow to move product in the general direction of improving its > security posture. Finally, the document would be posted on DISA site ( > http://iase.disa.mil/stigs/Pages/a-z.aspx) available for every security > architect to utilize, which would greatly reduce the risk for Cassandra > product to be hacked in a field. > > To clear things out - what I ask about are not my expectations. I really > do not expect developers of Cassandra to run and start implementing > security labels, just because I asked about it. :) My questions are to > build my internal knowledge of DB current design, so that I can build my > security assessment based of it, not more, not less. > > I guess, summarizing what I said on top, from what I'm doing Cassandra as > a product would end up benefiting quite a bit. That is why I think it would > make sense for Cassandra community to help me with my questions even if > they sound completely of the traditional "grid". > > Thanks again, I really appreciate your response and conversation overall. > > Oleg > > On Fri, Jan 29, 2016 at 11:20 AM, Dani Traphagen < > dani.trapha...@datastax.com> wrote: > >> Also -- it looks like you're really asking questions about session >> timeouts and security labels as they associate, would be more helpful to >> keep in one thread. :) >> >> >> On Friday, January 29, 2016, Dani Traphagen <dani.trapha...@datastax.com> >> wrote: >> >>> Hi Oleg, >>> >>> I understand your frustration but unfortunately, in the terms of your >>> security assessment, you have fallen into a mismatch for Cassandra's >>> utility. >>> >>> The eventuality of having multiple sockets open without the query input >>> for long durations of time isn't something that was >>> architected...because...Cassnadra was built to take massive quantities >>> of queries both in volume and velocity. >>> >>> Your expectation of the database isn't in line with how our why it was >>> designed. Generally, security solutions are architected >>> around Cassandra, baked into the data model, many solutions >>> are home-brewed, written into the application or provided by using another >>> security client. >>> >>> DSE has different security aspects rolling out in the next release >>> as addressed earlier by Jack, like commit log and hint encryptions, as well >>> as, unified au
Security labels
Greetings, Does Cassandra support security label concept? If so, where can I read on how it should be applied? Thanks, Oleg
Re: Security labels
Cassandra has support for authentication security, but I'm not familiar with a security label. Can you describe what you want to do? Patrick On Thu, Jan 28, 2016 at 2:26 PM, oleg yusim <olegyu...@gmail.com> wrote: > Greetings, > > Does Cassandra support security label concept? If so, where can I read on > how it should be applied? > > Thanks, > > Oleg >
Re: Security labels
Patrick, Absolutely. Security label is mechanism of access control, utilized by MAC (mandatory access control) model, and not utilized by DAC (discretionary access control) model, we all are used to. In database content it is illustrated for instance here: http://www.postgresql.org/docs/current/static/sql-security-label.html Now, as per my goals, I'm making a security assessment for Cassandra DB with a goal to produce STIG on this product. That is one of the parameters in database SRG I have to assess against. Thanks, Oleg On Thu, Jan 28, 2016 at 6:32 PM, Patrick McFadin <pmcfa...@gmail.com> wrote: > Cassandra has support for authentication security, but I'm not familiar > with a security label. Can you describe what you want to do? > > Patrick > > On Thu, Jan 28, 2016 at 2:26 PM, oleg yusim <olegyu...@gmail.com> wrote: > >> Greetings, >> >> Does Cassandra support security label concept? If so, where can I read on >> how it should be applied? >> >> Thanks, >> >> Oleg >> > >
Logging configuration (security)
Greetings, I decided to put together a separate thread with logging configuration questions I have (I'm trying to figure out what from security best practices on logging Cassandra can and can't do): 1) Can Cassandra log IP and hostname of the host, DB resides at? 2) Can Cassandra log IP and hostname of the client? 3) Can Cassandra be configured to be automatically shut down in case if it ran out of space to store logs? 4) Can Cassandra be configured to automatically overwrite audit logs in case if no more space is available (oldest first) ? Thanks, Oleg
Re: Cassandra security using openssl or keytool
On Thu, Oct 29, 2015 at 1:08 AM, Vishwajeet Singh <vishwajeet...@gmail.com> wrote: > But I want to do using OpenSSL because It's my requirement. > > Can somebody please guide me, How I will do Cassandra Client to node > security using SSL and I want to use OpenSSL (Not keytool). > Google words like : " import openssl private key into keytool " Find results like : http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i/8224863#8224863 ? It looks like, as Jason says, "a real pain" but should be doable if you really have a requirement of using OpenSSL to generate the private key? If you want to somehow not use keytool at all in the process, I think you're out of luck. =Rob
Re: Cassandra security using openssl or keytool
On Thu, Oct 29, 2015 at 4:18 PM, Jason J. W. Williams < jasonjwwilli...@gmail.com> wrote: > I wasted 4-5 hours of my life recently importing an OpenSSL key in a PEM >> into a Cassandra keystore using exactly that article as a starting point >> (the server's hostname already had a certificate and key in our ops CA, and >> for various reasons we didn't want to revoke and reissue it.). >> > I certainly don't vouch for the advisability of attempting a task you've described as a "real pain" ... but if OP wants/needs to, it's their funeral? :D =Rob
Re: Cassandra security using openssl or keytool
> > Google words like : > > " > import openssl private key into keytool > " > > Find results like : > > > http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i/8224863#8224863 > > I wasted 4-5 hours of my life recently importing an OpenSSL key in a PEM into a Cassandra keystore using exactly that article as a starting point (the server's hostname already had a certificate and key in our ops CA, and for various reasons we didn't want to revoke and reissue it.). Even when you get the key imported, keytool will then frequently refuse to pair that key entry with the certificate when you import the certificate...and it will instead store the certificate in a new keystore entry. Which won't work because the alias names on the keystore entries for the key and certificate will be different (you need one entry storing both key and certificate). I did _finally_ get it to work but I can't tell you how I did it...it was a lot of manually editing PEM files, converting them to DERs and then trying every possible combination of keytool import flags. -J
Re: Cassandra security using openssl or keytool
> > I certainly don't vouch for the advisability of attempting a task you've > described as a "real pain" ... but if OP wants/needs to, it's their > funeral? :D > Agreed. I just wanted to elaborate what a "real pain" meant so OP would know I wasn't just blowing him off. -J
Re: Cassandra security using openssl or keytool
Because when you use keytool it stores the generated private key in the keystore and tags it waiting for the certificate. Then when you import the issued certificate it is paired in the same record with the key. It's a real pain to get OpenSSL encoded private keys into a keytool keystore. Don't fight it, just use keytool. :) Sent via iPhone > On Oct 29, 2015, at 00:06, Vishwajeet Singh <vishwajeet...@gmail.com> wrote: > > Hi, > > I saw Cassandra documentation. > > http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html > > I found this line "SSL certificates must be generated using keytool". > > Can somebody explain me why SSL certificates must be generated using keytool? > > Can we use OpenSSL for generating certificates? > I am trying using openssl but it's not working. Why? > > Thanks, > Vishwajeet
Re: Cassandra security using openssl or keytool
But I want to do using OpenSSL because It's my requirement. Can somebody please guide me, How I will do Cassandra Client to node security using SSL and I want to use OpenSSL (Not keytool). On Thu, Oct 29, 2015 at 12:40 PM, Jason Williams <jasonjwwilli...@gmail.com> wrote: > Because when you use keytool it stores the generated private key in the > keystore and tags it waiting for the certificate. Then when you import the > issued certificate it is paired in the same record with the key. It's a > real pain to get OpenSSL encoded private keys into a keytool keystore. > Don't fight it, just use keytool. :) > > Sent via iPhone > > On Oct 29, 2015, at 00:06, Vishwajeet Singh <vishwajeet...@gmail.com> > wrote: > > Hi, > > I saw Cassandra documentation. > > > http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html > > I found this line "SSL certificates must be generated using keytool". > > Can somebody explain me why SSL certificates must be generated using > keytool? > > Can we use OpenSSL for generating certificates? > I am trying using openssl but it's not working. Why? > > Thanks, > Vishwajeet > >
Cassandra security using openssl or keytool
Hi, I saw Cassandra documentation. http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html I found this line "SSL certificates must be generated using keytool". Can somebody explain me why SSL certificates must be generated using keytool? Can we use OpenSSL for generating certificates? I am trying using openssl but it's not working. Why? Thanks, Vishwajeet
Issue with Cassandra client to node security using SSL
Hi, I am using cassandra 2.1 . My goal is to do cassandra client to node security using SSL with my self-signed CA. Self-signed CA is giving me following files. 1. ca.crt 2. ca.key 3. client.csr 4. client.crt 5. client.key 6. client.p12 I am creating .jks (client.jks) file from client.p12 using below command so that I can use client.jks as a keystore and truststore in cassandra.yaml file. (We can't use .p12 file as a keystore and truststore because it's not in X.509 format). "keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks -deststorepass " I have to connect cassandra with cql. I am creating cqlshrc file in .cassandra directory and I am putting client.crt as a certfile and usercert. I am putting client.key as a userkey. When I am running "cqlsh --ssl". I am getting error (mentioned below). "Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(1, u"Tried connecting to [('127.0.0.1', 9042)]. Last error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)")})" Second thing is when I am using ca.key and ca.crt and again creating client certificate(node_cer_user1.pem), client key(node_key_user1.pem) and keystore(node.keystore) using below commands then It's working. 1. keytool -importcert -alias -file ca.crt -keystore -storepass 2. keytool -genkeypair -alias -keyalg RSA -keysize 2048 -keypass -keystore -storepass -validity 365 3. keytool -keystore -alias -certreq -file -storepass -keypass 4. openssl x509 -req -CA ca.crt -CAkey ca.key -in -out -days 365 -CAcreateserial 5. keytool -keystore -storepass -alias -import -file ca.crt -noprompt 6. keytool -keystore -storepass -alias -import -file -keypass 7. keytool -importkeystore -srckeystore -destkeystore -deststoretype PKCS12 8. openssl pkcs12 -in -nokeys -out -passin pass: 9. openssl pkcs12 -in -nodes -nocerts -out -passin pass: Self-signed CA is giving me client.crt, client.key and keystore, then Why It's not working? Why I have to create certificates again using ca.crt and ca.key? Thanks, Vishwajeet
Fwd: Issue with Cassandra client to node security using SSL
Hi, I am using cassandra version 2.1 . My goal is to do cassandra client to node security using SSL with my self-signed CA. Self-signed CA is giving me following files. 1. ca.crt 2. ca.key 3. client.csr 4. client.crt 5. client.key 6. client.p12 I am creating .jks (client.jks) file from client.p12 using below command so that I can use client.jks as a keystore and truststore in cassandra.yaml file. (We can't use .p12 file as a keystore and truststore because it's not in X.509 format). "keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks -deststorepass " I have to connect cassandra with cql. I am creating cqlshrc file in .cassandra directory and I am putting client.crt as a certfile and usercert. I am putting client.key as a userkey. When I am running "cqlsh --ssl". I am getting error (mentioned below). "Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(1, u"Tried connecting to [('127.0.0.1', 9042)]. Last error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)")})" Second thing is when I am using ca.key and ca.crt and again creating client certificate(node_cer_user1.pem), client key(node_key_user1.pem) and keystore(node.keystore) using below commands then It's working. 1. keytool -importcert -alias -file ca.crt -keystore -storepass 2. keytool -genkeypair -alias -keyalg RSA -keysize 2048 -keypass -keystore -storepass -validity 365 3. keytool -keystore -alias -certreq -file -storepass -keypass 4. openssl x509 -req -CA ca.crt -CAkey ca.key -in -out -days 365 -CAcreateserial 5. keytool -keystore -storepass -alias -import -file ca.crt -noprompt 6. keytool -keystore -storepass -alias -import -file -keypass 7. keytool -importkeystore -srckeystore -destkeystore -deststoretype PKCS12 8. openssl pkcs12 -in -nokeys -out -passin pass: 9. openssl pkcs12 -in -nodes -nocerts -out -passin pass: Self-signed CA is giving me client.crt, client.key and keystore, then Why It's not working? Why I have to create certificates again using ca.crt and ca.key? Thanks, Vishwajeet
Re: DSE 4.7 security
Cassandra authorization is at the keyspace and table level. Click on the GRANT link on the doc page, to get more info: http://docs.datastax.com/en/cql/3.1/cql/cql_reference/grant_r.html Which says *Permissions to access all keyspaces, a named keyspace, or a table can be granted to a user.* There is no finer-grain authorization at the row, column, or cell level. You might want to open a Jira for this valuable feature. -- Jack Krupansky On Sun, Jun 7, 2015 at 5:19 PM, Moshe Kranc moshekr...@gmail.com wrote: The DSE 4.7 documentation says: You use the familiar relational database GRANT/REVOKE paradigm to grant or revoke permissions to access Cassandra data. Does this mean authorization is per table? What if I need finer grain authorization, e.g., per row or even per cell (e.g., a specific column in a specific row may not be seen by users in a group)? Do I need to implement this in my application, because Cassandra does not support it?
DSE 4.7 security
The DSE 4.7 documentation says: You use the familiar relational database GRANT/REVOKE paradigm to grant or revoke permissions to access Cassandra data. Does this mean authorization is per table? What if I need finer grain authorization, e.g., per row or even per cell (e.g., a specific column in a specific row may not be seen by users in a group)? Do I need to implement this in my application, because Cassandra does not support it?
[SECURITY ANNOUNCEMENT] CVE-2015-0225
CVE-2015-0225: Apache Cassandra remote execution of arbitrary code Severity: Important Vendor: The Apache Software Foundation Versions Affected: Cassandra 1.2.0 to 1.2.19 Cassandra 2.0.0 to 2.0.13 Cassandra 2.1.0 to 2.1.3 Description: Under its default configuration, Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces. As RMI is an API for the transport and remote execution of serialized Java, anyone with access to this interface can execute arbitrary code as the running user. Mitigation: 1.2.x has reached EOL, so users of = 1.2.x are recommended to upgrade to a supported version of Cassandra, or manually configure encryption and authentication of JMX, (seehttps://wiki.apache.org/cassandra/JmxSecurity). 2.0.x users should upgrade to 2.0.14 2.1.x users should upgrade to 2.1.4 Alternately, users of any version not wishing to upgrade can reconfigure JMX/RMI to enable encryption and authentication according to https://wiki.apache.org/cassandra/JmxSecurityor http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html Credit: This issue was discovered by Georgi Geshev of MWR InfoSecurity
Re: Turning on internal security with no downtime
If you're able to configure your clients so that they don't send requests to 1 node in the cluster you can enable PasswordAuthenticator CassandraAuthorizer on that node only and use cqlsh to setup all your users permissions. The rest of the cluster will continue to serve client requests as normal. Once you've done configuring, alter the RF on system_auth then run repair on the rest of the nodes (just for the system_auth ks). Finally, do a rolling restart to enable auth on the nodes that don't yet have it. On 25 February 2015 at 22:03, sean_r_dur...@homedepot.com wrote: Cassandra 1.2.19 We would like to turn on Cassandra’s internal security (PasswordAuthenticator and CassandraAuthorizer) on the ring (away from AllowAll). (Clients are already passing credentials in their connections.) However, I know all nodes have to be switched to those before the basic security objects (system_auth) are created. So, an outage would be required to change all the nodes, let system_auth get created, alter system_auth for replication strategy, create all the users/permissions, repair system_auth. For DataStax, there is a TransitionalAuthorizer that allows the system_auth to get created, but doesn’t really require passwords. So, with a double, rolling bounce, you can implement security with no downtime. Anything like that for open source? Any other ways you have activated security without downtime? Sean R. Durity -- The information in this Internet Email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this Email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this Email are subject to the terms and conditions expressed in any applicable governing The Home Depot terms of business or client engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy and content of this attachment and for any damages or losses arising from any inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature, which may be contained in this attachment and shall not be liable for direct, indirect, consequential or special damages in connection with this e-mail message or its attachment.
Turning on internal security with no downtime
Cassandra 1.2.19 We would like to turn on Cassandra's internal security (PasswordAuthenticator and CassandraAuthorizer) on the ring (away from AllowAll). (Clients are already passing credentials in their connections.) However, I know all nodes have to be switched to those before the basic security objects (system_auth) are created. So, an outage would be required to change all the nodes, let system_auth get created, alter system_auth for replication strategy, create all the users/permissions, repair system_auth. For DataStax, there is a TransitionalAuthorizer that allows the system_auth to get created, but doesn't really require passwords. So, with a double, rolling bounce, you can implement security with no downtime. Anything like that for open source? Any other ways you have activated security without downtime? Sean R. Durity The information in this Internet Email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this Email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this Email are subject to the terms and conditions expressed in any applicable governing The Home Depot terms of business or client engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy and content of this attachment and for any damages or losses arising from any inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature, which may be contained in this attachment and shall not be liable for direct, indirect, consequential or special damages in connection with this e-mail message or its attachment.
Fw: Security at ApacheCon Denver
Hello Security Enthusiasts, As you are no doubt aware, ApacheCon North America will be held in Denver, Colorado starting on April 7th. Security has 4 talks; check it out here: http://apacheconnorthamerica2014.sched.org/overview/type/security#.UxccIYV9JUE We would love to see you in Denver next month. Register soon, as prices go up on March 14th. http://na.apachecon.com/. Best regards, Melissa ApacheCon Planning Team
cell-level security for cassandra ?
has there been any thought about adding cell-level security to Cassandra ? something similar to: http://accumulo.apache.org/1.5/accumulo_user_manual.html#_security ? -- Frank Hsueh | frank.hs...@gmail.com
Security?
Does Cassandra have any security features to restrict access or does this have to be done at the business tier? Thanks. Les [CONFIDENTIALITY AND PRIVACY NOTICE] Information transmitted by this email is proprietary to Medtronic and is intended for use only by the individual or entity to which it is addressed, and may contain information that is private, privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please delete this mail from your records. To view this notice in other languages you can either select the following link or manually copy and paste the link into the address bar of a web browser: http://emaildisclaimer.medtronic.com
RE: Security?
Thanks for the info. So open-source Cassandra does not provide for auditing? -Original Message- From: Jeremy Hanna [mailto:jeremy.hanna1...@gmail.com] Sent: Thursday, September 05, 2013 9:47 AM To: user@cassandra.apache.org Subject: Re: Security? For open-source Cassandra, there is a framework for security (see the security book-thing in the sidebar): http://www.datastax.com/documentation/cassandra/1.2/webhelp/index.html For those wanting additional things like auditing and other features, there's DataStax Enterprise: http://www.datastax.com/docs/datastax_enterprise3.1/security/index Disclaimer - I work at DataStax, but hopefully the docs are helpful. On 5 Sep 2013, at 17:36, Hartzman, Leslie leslie.d.hartz...@medtronic.com wrote: Does Cassandra have any security features to restrict access or does this have to be done at the business tier? Thanks. Les [CONFIDENTIALITY AND PRIVACY NOTICE] Information transmitted by this email is proprietary to Medtronic and is intended for use only by the individual or entity to which it is addressed, and may contain information that is private, privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please delete this mail from your records. To view this notice in other languages you can either select the following link or manually copy and paste the link into the address bar of a web browser: http://emaildisclaimer.medtronic.com
Re: Security?
For open-source Cassandra, there is a framework for security (see the security book-thing in the sidebar): http://www.datastax.com/documentation/cassandra/1.2/webhelp/index.html For those wanting additional things like auditing and other features, there's DataStax Enterprise: http://www.datastax.com/docs/datastax_enterprise3.1/security/index Disclaimer - I work at DataStax, but hopefully the docs are helpful. On 5 Sep 2013, at 17:36, Hartzman, Leslie leslie.d.hartz...@medtronic.com wrote: Does Cassandra have any security features to restrict access or does this have to be done at the business tier? Thanks. Les [CONFIDENTIALITY AND PRIVACY NOTICE] Information transmitted by this email is proprietary to Medtronic and is intended for use only by the individual or entity to which it is addressed, and may contain information that is private, privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please delete this mail from your records. To view this notice in other languages you can either select the following link or manually copy and paste the link into the address bar of a web browser: http://emaildisclaimer.medtronic.com
Re: Security?
Right so the auditing feature is one that is only in the DataStax Enterprise version. This sub-topic in the DSE documentation describes what's in Apache Cassandra versus what's in DataStax Enterprise with respect to security: http://www.datastax.com/docs/datastax_enterprise3.1/security/security_features On 5 Sep 2013, at 17:51, Hartzman, Leslie leslie.d.hartz...@medtronic.com wrote: Thanks for the info. So open-source Cassandra does not provide for auditing? -Original Message- From: Jeremy Hanna [mailto:jeremy.hanna1...@gmail.com] Sent: Thursday, September 05, 2013 9:47 AM To: user@cassandra.apache.org Subject: Re: Security? For open-source Cassandra, there is a framework for security (see the security book-thing in the sidebar): http://www.datastax.com/documentation/cassandra/1.2/webhelp/index.html For those wanting additional things like auditing and other features, there's DataStax Enterprise: http://www.datastax.com/docs/datastax_enterprise3.1/security/index Disclaimer - I work at DataStax, but hopefully the docs are helpful. On 5 Sep 2013, at 17:36, Hartzman, Leslie leslie.d.hartz...@medtronic.com wrote: Does Cassandra have any security features to restrict access or does this have to be done at the business tier? Thanks. Les [CONFIDENTIALITY AND PRIVACY NOTICE] Information transmitted by this email is proprietary to Medtronic and is intended for use only by the individual or entity to which it is addressed, and may contain information that is private, privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please delete this mail from your records. To view this notice in other languages you can either select the following link or manually copy and paste the link into the address bar of a web browser: http://emaildisclaimer.medtronic.com
Re: JNA + Cassandra security
On Mon, Apr 30, 2012 at 6:48 PM, Jonathan Ellis jbel...@gmail.com wrote: On Mon, Apr 30, 2012 at 7:49 PM, Cord MacLeod cordmacl...@gmail.com wrote: Hello group, I'm a new Cassandra and Java user so I'm still trying to get my head around a few things. If you've disabled swap on a machine what is the reason to use JNA? Faster snapshots, giving hints to the page cache with fadvise. If you are running in Linux, you really do want this enabled. Otherwise, for example, compaction blows out your page cache. (FWIW, in case it is not immediately apparent what sort of hints Cassandra might give to the page cache with fadvise..) https://issues.apache.org/jira/browse/CASSANDRA-1470 =Rob -- =Robert Coli AIMGTALK - rc...@palominodb.com YAHOO - rcoli.palominob SKYPE - rcoli_palominodb
JNA + Cassandra security
Hello group, I'm a new Cassandra and Java user so I'm still trying to get my head around a few things. If you've disabled swap on a machine what is the reason to use JNA? A second question is doesn't JNA break the Java inherent security mechanisms by allowing access to direct system calls outside of the JVM? Are there any concerns around this?
Re: JNA + Cassandra security
If you've disabled swap on a machine what is the reason to use JNA? JNA will still be used to efficiently make hard links for snapshots. It's not necessary to lock the JVM memory when swap is disabled. A second question is doesn't JNA break the Java inherent security mechanisms by allowing access to direct system calls outside of the JVM? Are there any concerns around this? Anyone else have an answer? Cheers - Aaron Morton Freelance Developer @aaronmorton http://www.thelastpickle.com On 1/05/2012, at 12:49 PM, Cord MacLeod wrote: Hello group, I'm a new Cassandra and Java user so I'm still trying to get my head around a few things. If you've disabled swap on a machine what is the reason to use JNA? A second question is doesn't JNA break the Java inherent security mechanisms by allowing access to direct system calls outside of the JVM? Are there any concerns around this?
Re: JNA + Cassandra security
On Mon, Apr 30, 2012 at 7:49 PM, Cord MacLeod cordmacl...@gmail.com wrote: Hello group, I'm a new Cassandra and Java user so I'm still trying to get my head around a few things. If you've disabled swap on a machine what is the reason to use JNA? Faster snapshots, giving hints to the page cache with fadvise. A second question is doesn't JNA break the Java inherent security mechanisms by allowing access to direct system calls outside of the JVM? Are there any concerns around this? We're not trying to sandbox anything here; there's lots of places where we explicitly allow arbitrary Java code to be injected into Cassandra. You don't need native code to do dangerous things with that! -- Jonathan Ellis Project Chair, Apache Cassandra co-founder of DataStax, the source for professional Cassandra support http://www.datastax.com
Re: security
Not sure this is the standard approach, probably more what we came up with. ;) We plan to deploy Cassandra behind a firewall denying all traffic on all ports other than 8080. Access from applications will be limited to the REST/HTTP layer, which we'll lock down with standard HTTP authentication mechanisms. (using built-in apache or the servlet container) Long term, we'll probably also introduce authorization/access control by URL as well, whereby only certain users/apps will have access to certain keyspaces and/or column families. (again... most likely using built-in apache mechanisms, or the servlet container) -brian On Tue, Nov 8, 2011 at 6:30 PM, Guy Incognito dnd1...@gmail.com wrote: hi, is there a standard approach to securing cassandra eg within a corporate network? at the moment in our dev environment, anybody with network connectivity to the cluster can connect to it and mess with it. this would not be acceptable in prod. do people generally write custom authenticators etc, or just put the cluster behind a firewall with the appropriate rules to limit access? -- Brian ONeill Lead Architect, Health Market Science (http://healthmarketscience.com) mobile:215.588.6024 blog: http://weblogs.java.net/blog/boneill42/ blog: http://brianoneill.blogspot.com/
Re: security
Firewall with appropriate rules. On Tue, Nov 8, 2011 at 6:30 PM, Guy Incognito dnd1...@gmail.com wrote: hi, is there a standard approach to securing cassandra eg within a corporate network? at the moment in our dev environment, anybody with network connectivity to the cluster can connect to it and mess with it. this would not be acceptable in prod. do people generally write custom authenticators etc, or just put the cluster behind a firewall with the appropriate rules to limit access?
Re: security
We lockdown ssh to root from any network. We also provide individual logins including sysadmin and they go through LDAP authentication. Anyone who does sudo su as root gets logged and alerted via trapsend. We use firewalls and also have a separate vlan for datastore servers. We then open only specific ports from our application servers to datastore servers. You should also look at Cassandra authentication as additional means of securing your data. On Wed, Nov 9, 2011 at 6:39 AM, Sasha Dolgy sdo...@gmail.com wrote: Firewall with appropriate rules. On Tue, Nov 8, 2011 at 6:30 PM, Guy Incognito dnd1...@gmail.com wrote: hi, is there a standard approach to securing cassandra eg within a corporate network? at the moment in our dev environment, anybody with network connectivity to the cluster can connect to it and mess with it. this would not be acceptable in prod. do people generally write custom authenticators etc, or just put the cluster behind a firewall with the appropriate rules to limit access?
Re: security
ok, thx for the input! On 09/11/2011 15:19, Mohit Anchlia wrote: We lockdown ssh to root from any network. We also provide individual logins including sysadmin and they go through LDAP authentication. Anyone who does sudo su as root gets logged and alerted via trapsend. We use firewalls and also have a separate vlan for datastore servers. We then open only specific ports from our application servers to datastore servers. You should also look at Cassandra authentication as additional means of securing your data. On Wed, Nov 9, 2011 at 6:39 AM, Sasha Dolgysdo...@gmail.com wrote: Firewall with appropriate rules. On Tue, Nov 8, 2011 at 6:30 PM, Guy Incognitodnd1...@gmail.com wrote: hi, is there a standard approach to securing cassandra eg within a corporate network? at the moment in our dev environment, anybody with network connectivity to the cluster can connect to it and mess with it. this would not be acceptable in prod. do people generally write custom authenticators etc, or just put the cluster behind a firewall with the appropriate rules to limit access?
security
hi, is there a standard approach to securing cassandra eg within a corporate network? at the moment in our dev environment, anybody with network connectivity to the cluster can connect to it and mess with it. this would not be acceptable in prod. do people generally write custom authenticators etc, or just put the cluster behind a firewall with the appropriate rules to limit access?
Data storage security
Are there any options to encrypt the column families when they are stored in the database. Say in a given keyspace some CF has sensitive info and I don't want a 'select *' of that CF to layout the data in plain text. Thanks.
Re: Data storage security
On Wed, Jun 29, 2011 at 12:37 PM, A J s5a...@gmail.com wrote: Are there any options to encrypt the column families when they are stored in the database. Say in a given keyspace some CF has sensitive info and I don't want a 'select *' of that CF to layout the data in plain text. Thanks. I think this is an application layer issue - just encrypt/decrypt there. The data stored within the column value can be any arbitrary bytes, and since column data is not indexed it wont affect how you can access the data with Cassandra in any way. -Eric
Re: Cassandra security model? ( or, authentication docs ?)
Thanks a lot On Mon, Oct 18, 2010 at 11:44 AM, Eric Evans eev...@rackspace.com wrote: On Sun, 2010-10-17 at 21:26 -0700, Yang wrote: I searched around, it seems that this is not clearly documented yet; the closest I found is: http://www.riptano.com/docs/0.6.5/install/auth-config http://cassandra-user-incubator-apache-org.3065146.n2.nabble.com/Authentication-td5285013.html#a5285013 I did start cassandra with the args mentioned above: bin/cassandra -Dpasswd.properties=mypasswd.properties -Daccess.properties=myaccess.properties -f Try http://www.riptano.com/docs/0.6.5/install/storage-config#Authenticator -- Eric Evans eev...@rackspace.com
Re: Cassandra security model? ( or, authentication docs ?)
just as an fyi, I created something in the wiki yesterday - it's just a start though - http://wiki.apache.org/cassandra/ExtensibleAuth there's also a FAQ entry on it now - http://wiki.apache.org/cassandra/FAQ#auth just for going forward - on the wiki itself, just trying to help there. On Oct 19, 2010, at 3:06 AM, Yang wrote: Thanks a lot On Mon, Oct 18, 2010 at 11:44 AM, Eric Evans eev...@rackspace.com wrote: On Sun, 2010-10-17 at 21:26 -0700, Yang wrote: I searched around, it seems that this is not clearly documented yet; the closest I found is: http://www.riptano.com/docs/0.6.5/install/auth-config http://cassandra-user-incubator-apache-org.3065146.n2.nabble.com/Authentication-td5285013.html#a5285013 I did start cassandra with the args mentioned above: bin/cassandra -Dpasswd.properties=mypasswd.properties -Daccess.properties=myaccess.properties -f Try http://www.riptano.com/docs/0.6.5/install/storage-config#Authenticator -- Eric Evans eev...@rackspace.com
Re: Cassandra security model? ( or, authentication docs ?)
On Sun, 2010-10-17 at 21:26 -0700, Yang wrote: I searched around, it seems that this is not clearly documented yet; the closest I found is: http://www.riptano.com/docs/0.6.5/install/auth-config http://cassandra-user-incubator-apache-org.3065146.n2.nabble.com/Authentication-td5285013.html#a5285013 I did start cassandra with the args mentioned above: bin/cassandra -Dpasswd.properties=mypasswd.properties -Daccess.properties=myaccess.properties -f Try http://www.riptano.com/docs/0.6.5/install/storage-config#Authenticator -- Eric Evans eev...@rackspace.com
Cassandra security model? ( or, authentication docs ?)
I see that the raw thrift API has a login() method, but when I setup a one-node cluster, I can simply connect localhost/9160 without any passwd what is the current picture of the security model? how can I enforce authentication? I searched around, it seems that this is not clearly documented yet; the closest I found is: http://www.riptano.com/docs/0.6.5/install/auth-config http://cassandra-user-incubator-apache-org.3065146.n2.nabble.com/Authentication-td5285013.html#a5285013 I did start cassandra with the args mentioned above: bin/cassandra -Dpasswd.properties=mypasswd.properties -Daccess.properties=myaccess.properties -f but then I can still simply use the command line interface to connect localhost/9160 use myKeyspace without any authentication passwd
security, firewall level only?
Is security in terms of remote clients connecting to a cassandra node done purely at the hardware/firewall level? i.e. there is no username/pwd like in mysql/sqlserver correct? Or permissions at the column family level per user ?