cassandra-user mailing list archives

From Ajay Garg <ajaygargn...@gmail.com>
Subject Re: Basic query in setting up secure inter-dc cluster
Date Mon, 18 Apr 2016 04:21:41 GMT
Ok, trying to wake up this thread again.

I went through the following links ::

https://docs.datastax.com/en/cassandra/1.2/cassandra/security/secureSSLNodeToNode_t.html
https://docs.datastax.com/en/cassandra/1.2/cassandra/security/secureSSLCertificates_t.html


and I am wondering *if it is possible to set up secure inter-communication
only between some nodes*.

In particular, if I have a 2*2 cluster, is it possible to set up secure
communication ONLY between the nodes of DC2?
Once it works well, we would then set up secure-communication everywhere.

We are wanting this, because DC2 is the backup centre, while DC1 is the
primary-centre connected directly to the application-server. We don't want
to screw things if something goes bad in DC1.


Will be grateful for pointers.


Thanks and Regards,
Ajay

On Sun, Jan 17, 2016 at 9:09 PM, Ajay Garg <ajaygargnsit@gmail.com> wrote:

> Hi All.
>
> A gentle query-reminder.
>
> I will be grateful if I could be given a brief technical overview, as to
> how secure-communication occurs between two nodes in a cluster.
>
> Please note that I wish for some information on the "how it works below
> the hood", and NOT "how to set it up".
>
>
>
> Thanks and Regards,
> Ajay
>
> On Wed, Jan 6, 2016 at 4:16 PM, Ajay Garg <ajaygargnsit@gmail.com> wrote:
>
>> Thanks everyone for the reply.
>>
>> I actually have a fair bit of questions, but it will be nice if someone
>> could please tell me the flow (implementation-wise), as to how node-to-node
>> encryption works in a cluster.
>>
>> Let's say node1 from DC1, wishes to talk securely to node 2 from DC2
>> (with *"require_client_auth: false"*).
>> I presume it would be like below (please correct me if I am wrong) ::
>>
>> a)
>> node1 tries to connect to node2, using the certificate *as defined on
>> node1* in cassandra.yaml.
>>
>> b)
>> node2 will confirm if the certificate being offered by node1 is in the
>> truststore *as defined on node2* in cassandra.yaml.
>> if it is, secure-communication is allowed.
>>
>>
>> Is my thinking right?
>> I
>>
>> On Wed, Jan 6, 2016 at 1:55 PM, Neha Dave <nehajtrivedi@gmail.com> wrote:
>>
>>> Hi Ajay,
>>> Have a look here :
>>> https://docs.datastax.com/en/cassandra/1.2/cassandra/security/secureSSLNodeToNode_t.html
>>>
>>> You can configure for DC level Security:
>>>
>>> Procedure
>>>
>>> On each node under server_encryption_options:
>>>
>>>    - Enable internode_encryption.
>>>    The available options are:
>>>       - all
>>>       - none
>>>       - dc: Cassandra encrypts the traffic between the data centers.
>>>       - rack: Cassandra encrypts the traffic between the racks.
>>>
>>> regards
>>>
>>> Neha
>>>
>>>
>>>
>>> On Wed, Jan 6, 2016 at 12:48 PM, Singh, Abhijeet <
>>> absingh@informatica.com> wrote:
>>>
>>>> Security is a very wide concept. What exactly do you want to achieve ?
>>>>
>>>>
>>>>
>>>> *From:* Ajay Garg [mailto:ajaygargnsit@gmail.com]
>>>> *Sent:* Wednesday, January 06, 2016 11:27 AM
>>>> *To:* user@cassandra.apache.org
>>>> *Subject:* Basic query in setting up secure inter-dc cluster
>>>>
>>>>
>>>>
>>>> Hi All.
>>>>
>>>> We have a 2*2 cluster deployed, but no security as of now.
>>>>
>>>> As a first stage, we wish to implement inter-dc security.
>>>>
>>>> Is it possible to enable security one machine at a time?
>>>>
>>>> For example, let's say the machines are DC1M1, DC1M2, DC2M1, DC2M2.
>>>>
>>>> If I make the changes JUST IN DC2M2 and restart it, will the traffic
>>>> between DC1M1/DC1M2 and DC2M2 be secure? Or security will kick in ONLY
>>>> AFTER the changes are made in all the 4 machines?
>>>>
>>>> Asking here, because I don't want to screw up a live cluster due to my
>>>> lack of experience.
>>>>
>>>> Looking forward to some pointers.
>>>>
>>>>
>>>> --
>>>>
>>>> Regards,
>>>> Ajay
>>>>
>>>
>>>
>>
>>
>> --
>> Regards,
>> Ajay
>>
>
>
>
> --
> Regards,
> Ajay
>



-- 
Regards,
Ajay
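
An added example, not part of the original thread and not Cassandra's own code: a small audit that applies the four `internode_encryption` values listed in the quoted reply to the DC1M1/DC1M2/DC2M1/DC2M2 cluster and reports, per link, whether both ends would ask for encryption. It assumes each node applies its own setting to the peers it connects to; the rack names, per-node settings and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed inventory for the 2*2 cluster named in the thread. Rack names
# and the per-node settings are assumptions made for this example.
NODES = {
    "DC1M1": {"dc": "DC1", "rack": "R1", "internode_encryption": "none"},
    "DC1M2": {"dc": "DC1", "rack": "R2", "internode_encryption": "none"},
    "DC2M1": {"dc": "DC2", "rack": "R1", "internode_encryption": "none"},
    "DC2M2": {"dc": "DC2", "rack": "R2", "internode_encryption": "dc"},
}

def wants_encryption(sender, receiver):
    """Apply the sender's internode_encryption value to one link."""
    mode = sender["internode_encryption"]
    same_dc = sender["dc"] == receiver["dc"]
    same_rack = same_dc and sender["rack"] == receiver["rack"]
    if mode == "all":
        return True
    if mode == "none":
        return False
    if mode == "dc":      # only traffic that crosses data centers
        return not same_dc
    if mode == "rack":    # only traffic that crosses racks
        return not same_rack
    raise ValueError(f"unknown internode_encryption value: {mode!r}")

def audit(nodes):
    """Classify every node pair as encrypted, plaintext or mismatch."""
    report = {}
    for a, b in combinations(sorted(nodes), 2):
        a_to_b = wants_encryption(nodes[a], nodes[b])
        b_to_a = wants_encryption(nodes[b], nodes[a])
        if a_to_b != b_to_a:
            report[(a, b)] = "mismatch"   # the two ends disagree
        else:
            report[(a, b)] = "encrypted" if a_to_b else "plaintext"
    return report

def uniform(nodes, mode):
    """Copy of the inventory with the same setting on every node."""
    return {name: dict(cfg, internode_encryption=mode) for name, cfg in nodes.items()}

if __name__ == "__main__":
    for label, cluster in (("only DC2M2 changed", NODES),
                           ("dc on every node", uniform(NODES, "dc"))):
        print(label)
        for (a, b), state in audit(cluster).items():
            print(f"  {a} <-> {b}: {state}")
```

A `mismatch` marks a link whose two ends disagree about encryption and is the place to look before changing one machine at a time. With `dc` on every node, only the four cross-DC links come out encrypted and both intra-DC links stay plaintext.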
