Securing Cassandra

The nodetool utility is a command-line tool used to manage a Cassandra cluster. It is installed along with Cassandra. It uses a Java technology called Java Management Extensions, or JMX for short. Securing nodetool means securing JMX. By default, nodetool only works with localhost and is not secured.

  1. Make the changes to the authenticator, role_manager, and authorizer options as shown in Authentication and Authorization.

  2. In the cassandra-env.sh file, change:

if [ "x$LOCAL_JMX" = "x" ]; then
    LOCAL_JMX=yes
fi

to:

if [ "x$LOCAL_JMX" = "x" ]; then
    LOCAL_JMX=no
fi

Note: Do the remaining steps only if you want nodetool to have a password.

  3. Add the following lines to the cassandra-env.sh file:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
  4. Create two files, jmxremote.access and jmxremote.password, in the same location as the Cassandra configuration files. Copy the following lines into each. You should use the passwords you have created for the cassandra and dba users.
  • jmxremote.access file
monitorRole   readonly
dba           readwrite
cassandra readwrite
controlRole   readwrite \
              create javax.management.monitor.*,javax.management.timer.* \
              unregister
  • jmxremote.password file
monitorRole QED
controlRole R&D
cassandra cassandra
dba       super
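
The following is an added example, not code from the original page or the Cassandra project: a POSIX shell audit of the files edited in the steps above. It flags remote JMX without authentication, an unset password or access file property, a password file that group or others can access, and roles that appear in only one of the two files. The function names and sample passwords are constructed, and it assumes the JMX properties sit on `JVM_OPTS` lines as shown on this page.

```shell
#!/bin/sh
# Added example, not Cassandra project code. audit_jmx prints one line per
# finding and returns the number of findings (0 = clean).
jmx_prop() {  # last uncommented -Dcom.sun.management.jmxremote.<$1>= value in file $2
    sed -n -e '/^[[:space:]]*#/d' \
        -e "s/.*-Dcom\.sun\.management\.jmxremote\.$1=\([^\" ]*\).*/\1/p" "$2" | tail -n 1
}
jmx_roles() {  # role names in file $1; skips comments, blanks and \-continued lines
    awk '!cont && NF && $1 !~ /^#/ { print $1 } { cont = ($0 ~ /\\[ \t]*$/) }' "$1" | sort -u
}
audit_jmx() {  # usage: audit_jmx /path/to/cassandra-env.sh
    env_file=$1 n=0
    finding() { echo "FINDING: $*"; n=$((n + 1)); }
    pw_file=$(jmx_prop password.file "$env_file")
    acc_file=$(jmx_prop access.file "$env_file")
    # Remote JMX (LOCAL_JMX=no) must come with authentication switched on.
    if grep -Eq '^[[:space:]]*LOCAL_JMX=no' "$env_file" &&
       [ "$(jmx_prop authenticate "$env_file")" != true ]; then
        finding "LOCAL_JMX=no without jmxremote.authenticate=true"
    fi
    # Each property needs its own file; a repeated password.file line leaves access.file unset.
    [ -f "$pw_file" ] || { finding "jmxremote.password.file unset or not a file"; return "$n"; }
    [ -f "$acc_file" ] || { finding "jmxremote.access.file unset or not a file"; return "$n"; }
    # The password file holds the passwords: owner-only permissions.
    [ "$(ls -ld "$pw_file" | cut -c5-10)" = "------" ] ||
        finding "$pw_file is accessible to group or others (chmod 400)"
    # Every role needs an entry in both files.
    for r in $(jmx_roles "$pw_file"); do
        jmx_roles "$acc_file" | grep -qxF "$r" || finding "role $r has no access entry"
    done
    for r in $(jmx_roles "$acc_file"); do
        jmx_roles "$pw_file" | grep -qxF "$r" || finding "role $r has no password entry"
    done
    return "$n"
}
# Constructed sample (made-up passwords) written into directory $1.
write_sample() {
    p='JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote'
    printf '%s\n' '    LOCAL_JMX=no' "$p.authenticate=true\"" \
        "$p.password.file=$1/jmxremote.password\"" \
        "$p.access.file=$1/jmxremote.access\"" > "$1/cassandra-env.sh"
    printf '%s\n' 'dba readwrite' 'controlRole readwrite \' '    unregister' > "$1/jmxremote.access"
    printf '%s\n' 'dba constructed-Pw-1' 'controlRole constructed-Pw-2' > "$1/jmxremote.password"
    chmod 400 "$1/jmxremote.password"
}
d=$(mktemp -d) && write_sample "$d" && audit_jmx "$d/cassandra-env.sh" && echo "sample: clean"
rm -rf "$d"
```

To check a real node, call `audit_jmx /etc/cassandra/cassandra-env.sh` as a user that can read the configuration directory.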