From: Guy Incognito
Date: Wed, 09 Nov 2011 19:29:42 +0000
To: user@cassandra.apache.org
Subject: Re: security

ok, thx for the input!

On 09/11/2011 15:19, Mohit Anchlia wrote:
> We lockdown ssh to root from any network. We also provide individual
> logins including sysadmin and they go through LDAP authentication.
> Anyone who does sudo su as root gets logged and alerted via trapsend.
> We use firewalls and also have a separate vlan for datastore servers.
> We then open only specific ports from our application servers to
> datastore servers.
>
> You should also look at Cassandra authentication as additional means
> of securing your data.
>
> On Wed, Nov 9, 2011 at 6:39 AM, Sasha Dolgy wrote:
>> Firewall with appropriate rules.
>>
>>> On Tue, Nov 8, 2011 at 6:30 PM, Guy Incognito wrote:
>>>> hi,
>>>>
>>>> is there a standard approach to securing cassandra eg within a corporate
>>>> network? at the moment in our dev environment, anybody with network
>>>> connectivity to the cluster can connect to it and mess with it. this would
>>>> not be acceptable in prod. do people generally write custom authenticators
>>>> etc, or just put the cluster behind a firewall with the appropriate rules to
>>>> limit access?
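
The port allow-listing described in Mohit Anchlia's reply above (application servers reach only the client ports, cluster peers reach only the inter-node port), written out as a default-deny ruleset. This is an added example, not something posted in the thread; the addresses are constructed, and the ports are Cassandra's stock defaults, which the thread does not name.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for one Cassandra node.
# Assumptions (not from the thread): Cassandra's default ports and the
# sample addresses used at the bottom.
STORAGE_PORT=7000        # inter-node gossip and streaming
CLIENT_PORTS=9160,9042   # Thrift and CQL native protocol

# cassandra_rules APP_CIDR ADMIN_CIDR PEER_IP...
# Only prints rules; nothing is loaded into the running firewall.
cassandra_rules() {
    if [ "$#" -lt 3 ]; then
        echo "usage: cassandra_rules APP_CIDR ADMIN_CIDR PEER_IP..." >&2
        return 2
    fi
    app_cidr=$1
    admin_cidr=$2
    shift 2
    # Default-deny inbound; allow loopback and replies to our own traffic.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Inter-node port: named cluster peers only.
    for peer in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $peer --dport $STORAGE_PORT -j ACCEPT"
    done
    # Client ports: application servers only.
    printf '%s\n' "-A INPUT -p tcp -s $app_cidr -m multiport --dports $CLIENT_PORTS -j ACCEPT"
    # SSH: admin network only. JMX (7199) stays closed to the network, so
    # nodetool is run on the node itself after logging in.
    printf '%s\n' "-A INPUT -p tcp -s $admin_cidr --dport 22 -j ACCEPT"
    # Log what the default policy is about to drop, rate-limited.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "cassandra-fw-drop: "' \
        'COMMIT'
}

# Constructed addresses: app VLAN, admin VLAN, two peer nodes.
cassandra_rules 10.0.10.0/24 10.0.99.0/24 10.0.20.11 10.0.20.12
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it.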