Securing Cassandra
The nodetool utility is a command-line tool used to manage a Cassandra cluster. It is installed along with Cassandra. It uses a Java technology called Java Management Extensions, or JMX for short. Securing nodetool means securing JMX. By default, nodetool only works with the localhost and is not secured.
- Make the changes to the authenticator, role_manager, and authorizer options as shown in Authentication and Authorization.
- In the cassandra-env.sh file, change:
if [ "x$LOCAL_JMX" = "x" ]; then
LOCAL_JMX=yes
fi
to:
if [ "x$LOCAL_JMX" = "x" ]; then
LOCAL_JMX=no
fi
Do the remaining steps only if you want nodetool to have a password.
- Add the following lines to the cassandra-env.sh file:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
- Create two files, jmxremote.access and jmxremote.password, in the same location as the Cassandra configuration files. Copy the following lines into each. You should use the passwords you have created for the cassandra and dba users.
- jmxremote.access file
monitorRole readonly
dba readwrite
cassandra readwrite
controlRole readwrite \
create javax.management.monitor.*,javax.management.timer.* \
unregister
- jmxremote.password file
monitorRole QED
controlRole R&D
cassandra cassandra
dba super
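
One way to check the result of the steps above, as an added example that is not part of the original page: `audit_jmx` (a hypothetical helper name) inspects a cassandra-env.sh and a jmxremote.password file for missing or repeated JMX options, a password file readable by group or other, and passwords left at default or sample values. The sample files and the password `s3-constructed` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. Prints one FINDING line per
# problem and returns 1 if there were any.
audit_jmx() {
    env_file=$1 pw_file=$2 findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }
    opt=-Dcom.sun.management.jmxremote
    active=$(grep -v '^[[:space:]]*#' "$env_file" || true)   # skip comments

    # Remote JMX (LOCAL_JMX=no) needs authentication plus both files.
    if printf '%s\n' "$active" | grep -q 'LOCAL_JMX=no'; then
        for p in authenticate=true password.file= access.file=; do
            printf '%s\n' "$active" | grep -qF -- "$opt.$p" || note "$opt.$p not set"
        done
    fi
    # The same property twice is usually a copy/paste slip.
    n=$(printf '%s\n' "$active" | grep -cF -- "$opt.password.file=" || true)
    [ "$n" -le 1 ] || note "password.file set $n times"

    # The JVM requires the password file to be readable by its owner only.
    perms=$(ls -ld "$pw_file" | cut -c5-10)
    [ "$perms" = "------" ] || note "$pw_file is accessible to group/other"

    # Password equal to the role name, or the sample values QED / R&D.
    for role in $(awk '!/^[ \t]*#/ && NF >= 2 &&
            ($2 == $1 || $2 == "QED" || $2 == "R&D") { print $1 }' "$pw_file"); do
        note "role $role uses a default or sample password"
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: password.file repeated where access.file was intended.
d=$(mktemp -d)
cat > "$d/cassandra-env.sh" <<'EOF'
LOCAL_JMX=no
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.access"
EOF
printf 'cassandra cassandra\ndba s3-constructed\n' > "$d/jmxremote.password"
chmod 644 "$d/jmxremote.password"
audit_jmx "$d/cassandra-env.sh" "$d/jmxremote.password" || echo "audit found problems"
rm -rf "$d"
```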