Mailing-List: contact user-help@cassandra.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@cassandra.apache.org
Received-SPF: pass (athena.apache.org: domain of boneill42@gmail.com
 designates 209.85.161.44 as permitted sender)
MIME-Version: 1.0
Sender: boneill42@gmail.com
In-Reply-To: <4EB9BBA8.9020902@gmail.com>
References: <4EB9BBA8.9020902@gmail.com>
Date: Wed, 9 Nov 2011 09:31:55 -0500
Message-ID: 
 <CAJHHpg10vSA0L_VLQWXZRMVEt95i2XcRqGB4zsi+th8YWDYtVw@mail.gmail.com>
Subject: Re: security
From: "Brian O'Neill" <bone@alumni.brown.edu>
To: user@cassandra.apache.org
Content-Type: multipart/alternative; boundary=001517447eee5149dc04b14e269a

--001517447eee5149dc04b14e269a
Content-Type: text/plain; charset=ISO-8859-1

Not sure this is the "standard approach", probably more "what we came up
with". ;)

We plan to deploy Cassandra behind a firewall denying all traffic on all
ports other than 8080.  Access from applications will be limited to the
REST/HTTP layer, which we'll lock down with standard HTTP authentication
mechanisms. (using built-in apache or the servlet container)

Long term, we'll probably also introduce authorization/access control by
URL as well, whereby only certain users/apps will have access to certain
keyspaces and/or column families. (again... most likely using built-in
apache mechanisms, or the servlet container)

-brian


On Tue, Nov 8, 2011 at 6:30 PM, Guy Incognito <dnd1066@gmail.com> wrote:

> hi,
>
> is there a standard approach to securing cassandra eg within a corporate
> network?  at the moment in our dev environment, anybody with network
> connectivity to the cluster can connect to it and mess with it.  this would
> not be acceptable in prod.  do people generally write custom authenticators
> etc, or just put the cluster behind a firewall with the appropriate rules
> to limit access?
>


-- 
Brian ONeill
Lead Architect, Health Market Science (http://healthmarketscience.com)
mobile:215.588.6024
blog: http://weblogs.java.net/blog/boneill42/
blog: http://brianoneill.blogspot.com/

--001517447eee5149dc04b14e269a
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Not sure this is the &quot;standard approach&quot;, probably more &quot;wha=
t we came up with&quot;. ;)<br><br>We plan to deploy Cassandra behind a fir=
ewall denying all traffic on all ports other than 8080.=A0 Access from appl=
ications will be limited to the REST/HTTP layer, which we&#39;ll lock down =
with standard HTTP authentication mechanisms. (using built-in apache or the=
 servlet container)<br>
<br>Long term, we&#39;ll probably also introduce authorization/access contr=
ol by URL as well, whereby only certain users/apps will have access to cert=
ain keyspaces and/or column families. (again... most likely using built-in =
apache mechanisms, or the servlet container)<br>
<br>-brian<br><br><br><div class=3D"gmail_quote">On Tue, Nov 8, 2011 at 6:3=
0 PM, Guy Incognito <span dir=3D"ltr">&lt;<a href=3D"mailto:dnd1066@gmail.c=
om">dnd1066@gmail.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_q=
uote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1e=
x;">
hi,<br>
<br>
is there a standard approach to securing cassandra eg within a corporate ne=
twork? =A0at the moment in our dev environment, anybody with network connec=
tivity to the cluster can connect to it and mess with it. =A0this would not=
 be acceptable in prod. =A0do people generally write custom authenticators =
etc, or just put the cluster behind a firewall with the appropriate rules t=
o limit access?<br>

</blockquote></div><br><br clear=3D"all"><br>-- <br>Brian ONeill<br>Lead Ar=
chitect, Health Market Science (<a href=3D"http://healthmarketscience.com" =
target=3D"_blank">http://healthmarketscience.com</a>)<br>mobile:215.588.602=
4<br>
blog: <a href=3D"http://weblogs.java.net/blog/boneill42/" target=3D"_blank"=
>http://weblogs.java.net/blog/boneill42/</a><br>blog: <a href=3D"http://bri=
anoneill.blogspot.com/" target=3D"_blank">http://brianoneill.blogspot.com/<=
/a><br>
<br>

--001517447eee5149dc04b14e269a--