Is anyone here on the list interested in helping out in working on the next
version of the benchmark?
Would love some assistance and you can potentially get your name on the
document as an author :)
Feel free to reach out, we're always looking for new contributors, you can
check them out here:
Hello,
a Blackduck security scan of our product detected a security vulnerability in
the Apache Thrift library 0.9.2, which is shipped in Cassandra up to 3.11
(haven't checked 4.0), also pointed out here:
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-38295/A
I'm working on the Center for Internet Security (CIS) security benchmark for
Cassandra, is there anyone who'd be interested in helping out with it?
Feel free to email me direct at i...@dbsec-it.com and we can discuss,
thanks, Joe
Regarding security releases, nothing currently exists to notify users when
security related patches are released. At the moment I imagine
announcements would only be made in NEWS.txt or on the user mailing list...
but only if you're lucky.
On 31 January 2018 at 19:18, Michael Shuler wrote:
I should also mention the dev@ mailing list - this is where the [VOTE]
emails are sent and you'd get an advanced heads up on upcoming releases,
along with the release emails that are sent to both user@ and dev@. The
dev@ traffic is generally lower than user@, so pretty easy to spot votes
& releases
mitted to JIRA for RSS addition.
--
Michael
On 01/31/2018 12:22 PM, Rob Oxspring wrote:
> Hi,
>
> As a user of Cassandra I'd like to be able to get notified when there are
> security releases so that I can get my installation patched ASAP. For feature
> and patch releases
Hi,
As a user of Cassandra I'd like to be able to get notified when there are
security releases so that I can get my installation patched ASAP. For feature
and patch releases I'm happy to come and look at the web page or trawl through
some mail archives, but I'd like for secur
>
> Here is what I have pieced together. Please let me know if I am on the
> right track.
You're more or less right regarding the built in
authenticator/authorizer/role manager (which are usually referred to as
"internal" as they store their data in Cassandra tables). One important
thing to note
Jacob, seems you are on the right track however my understanding is that
only the user that was auth'd has their permissions/roles/creds cached.
Also. Cassandra will query at QUORUM for the "cassandra" user, and at
LOCAL_ONE for *all* other users. This is the same for creating users/roles.
I have a similar question: when we create users or roles, what consistency
level is used?
I know IF NOT EXISTS will use SERIAL consistency. What consistency will be
used if we just use CREATE USER?
On Mon, Mar 13, 2017 at 7:09 PM, Jacob Shadix wrote:
> I'm looking for a deeper understanding of
I'm looking for a deeper understanding of how Cassandra interacts with the
system_auth keyspace to authenticate/authorize users.
Here is what I have pieced together. Please let me know if I am on the
right track.
A user attempts to connect to Cassandra. Cassandra checks against
system_auth for th
Just following up... Oleg, have you gotten a satisfactory level of feedback
from the community on the security assessment issues?
And if there is any sort of final assessment that can be publicly accessed,
that would be great.
-- Jack Krupansky
On Thu, Feb 11, 2016 at 3:29 PM, oleg yusim wrote:
> Greetings,
>
> Following Jack's and Matt's suggestions, I moved the doc to Google Docs
> and added to it all the security gaps in Cassandra I was able to discover
> (please, see second table below first).
>
> Here is an updated link to my document:
>
Greetings,
Following Jack's and Matt's suggestions, I moved the doc to Google Docs and
added to it all the security gaps in Cassandra I was able to discover
(please, see second table below first).
Here is an updated link to my document:
https://docs.google.com/docume
Jack,
I updated my document with all the security gaps I was able to find and
posted it there:
https://docs.google.com/document/d/13-yu-1a0MMkBiJFPNkYoTd1Hzed9tgKltWi6hFLZbsk/edit?usp=sharing
Thanks,
Oleg
On Thu, Feb 11, 2016 at 4:09 PM, oleg yusim wrote:
> Jack,
>
> I asked my m
(from the security point
of view) configuration, where it can be configured.
2) Community would have a full list of gaps (things which are needed, but
can't be configured) after I would update my document
3) The rest of the assessment are Not Applicable and Applicable -
Inherently Meet items, wh
>
>> Hi Oleg,
>>
>> Thanks that helped clear things up! This sounds like a daunting task. I
>> wish you all the best with it.
>>
>> Cheers,
>> Dani
>>
>> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim wrote:
>>
>>> Dani,
3:28 PM, Dani Traphagen <
>> dani.trapha...@datastax.com> wrote:
>>
>>> Hi Oleg,
>>>
>>> Thanks that helped clear things up! This sounds like a daunting task. I
>>> wish you all the best with it.
>>>
>>> Cheers,
>>> Dani
Greetings,
Performing security assessment of Cassandra with the goal of generating
STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx) I ran across some
questions regarding the way certain security features are implemented (or
not) in Cassandra.
I composed the list of questions on these
aunting task. I
>> wish you all the best with it.
>>
>> Cheers,
>> Dani
>>
>> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim wrote:
>>
>>> Dani,
>>>
> >>> I really appreciate your response. Actually, session timeouts and
>>>
Thanks that helped clear things up! This sounds like a daunting task. I
> wish you all the best with it.
>
> Cheers,
> Dani
>
> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim wrote:
>
>> Dani,
>>
>> I really appreciate your response. Actually, session timeouts and s
wrote:
>
>> Dani,
>>
>> I really appreciate your response. Actually, session timeouts and security
>> labels are two different topics (first is about attack when somebody
>> opened, say, ssh window to DB, left his machine unattended and somebody
>> else stole his s
Hi Oleg,
Thanks that helped clear things up! This sounds like a daunting task. I
wish you all the best with it.
Cheers,
Dani
On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim wrote:
> Dani,
>
> I really appreciate your response. Actually, session timeouts and security
> labels are t
Dani,
I really appreciate your response. Actually, session timeouts and security
labels are two different topics (the first is about an attack where somebody
opened, say, an ssh window to the DB, left his machine unattended and somebody
else stole his session; the second is to enable the DB to support what is called MAC
Also -- it looks like you're really asking questions about session timeouts
and security labels as they are associated; it would be more helpful to keep
them in one thread. :)
On Friday, January 29, 2016, Dani Traphagen
wrote:
> Hi Oleg,
>
> I understand your frustration but unfortunately, i
Hi Oleg,
I understand your frustration but unfortunately, in the terms of your
security assessment, you have fallen into a mismatch for Cassandra's
utility.
The eventuality of having multiple sockets open without the query input for
long durations of time isn't something that was
Jack,
Thanks for your suggestion. I'm familiar with the Cassandra documentation, and
I'm aware of the differences between DSE and Cassandra.
The questions I ask here are those I found no mention of in the documentation.
Let's take security labels for instance. Cassandra documentation is
compl
(if
you really need it). And feel free to confirm here if a quick search
doesn't give you a solid answer.
Here's the root page for security in the Cassandra doc:
https://docs.datastax.com/en/cassandra/3.x/cassandra/configuration/secureTOC.html
Also note that on questions of security
Patrick,
Absolutely. A security label is a mechanism of access control utilized by the MAC
(mandatory access control) model and not by the DAC (discretionary
access control) model we are all used to. In the database context it is
illustrated for instance here:
http://www.postgresql.org/docs/current
Cassandra has support for authentication security, but I'm not familiar
with a security label. Can you describe what you want to do?
Patrick
On Thu, Jan 28, 2016 at 2:26 PM, oleg yusim wrote:
> Greetings,
>
> Does Cassandra support security label concept? If so, where can I re
Greetings,
Does Cassandra support security label concept? If so, where can I read on
how it should be applied?
Thanks,
Oleg
Greetings,
I decided to put together a separate thread with logging configuration
questions I have (I'm trying to figure out what from security best
practices on logging Cassandra can and can't do):
1) Can Cassandra log IP and hostname of the host, DB resides at?
2) Can Cassandra
>
> I certainly don't vouch for the advisability of attempting a task you've
> described as a "real pain" ... but if OP wants/needs to, it's their
> funeral? :D
>
Agreed. I just wanted to elaborate what a "real pain" meant so OP would
know I wasn't just blowing him off.
-J
On Thu, Oct 29, 2015 at 4:18 PM, Jason J. W. Williams <
jasonjwwilli...@gmail.com> wrote:
> I wasted 4-5 hours of my life recently importing an OpenSSL key in a PEM
>> into a Cassandra keystore using exactly that article as a starting point
>> (the server's hostname already had a certificate and k
>
> Google words like :
>
> "
> import openssl private key into keytool
> "
>
> Find results like :
>
>
> http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i/8224863#8224863
>
>
I wasted 4-5 hours of my life recently importing a
On Thu, Oct 29, 2015 at 1:08 AM, Vishwajeet Singh
wrote:
> But I want to do it using OpenSSL because it's my requirement.
>
> Can somebody please guide me on how to do Cassandra client-to-node
> security using SSL? I want to use OpenSSL (not keytool).
>
Google words like
But I want to do it using OpenSSL because it's my requirement.
Can somebody please guide me on how to do Cassandra client-to-node
security using SSL? I want to use OpenSSL (not keytool).
On Thu, Oct 29, 2015 at 12:40 PM, Jason Williams
wrote:
> Because when you use keytool it st
Don't fight
it, just use keytool. :)
Sent via iPhone
> On Oct 29, 2015, at 00:06, Vishwajeet Singh wrote:
>
> Hi,
>
> I saw Cassandra documentation.
>
> http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html
>
> I foun
Hi,
I saw Cassandra documentation.
http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html
I found this line "SSL certificates must be generated using keytool".
Can somebody explain to me why SSL certificates must be generated using
keytool?
Can we u
Hi,
I am using cassandra version 2.1 . My goal is to do cassandra client to
node security using SSL with my self-signed CA.
Self-signed CA is giving me following files.
1. ca.crt
2. ca.key
3. client.csr
4. client.crt
5. client.key
6. client.p12
I am creating .jks (client.jks) file from
Hi,
I am using cassandra 2.1 . My goal is to do cassandra client to node
security using SSL with my self-signed CA.
Self-signed CA is giving me following files.
1. ca.crt
2. ca.key
3. client.csr
4. client.crt
5. client.key
6. client.p12
I am creating .jks (client.jks) file from client.p12 using
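An added example for the conversion asked about in this thread; it is not code from the thread or from the Cassandra project. It takes the ca.crt, client.crt and client.key files listed above and builds the JKS keystore and truststore that the client_encryption_options section of cassandra.yaml expects, so the key is generated by OpenSSL and keytool only repackages it (keytool imports a private key only from a PKCS#12 container, which is why the intermediate .p12 exists). The alias name, the demo subject names and the KEYSTORE_PASS environment variable are assumptions; make_demo_pki creates a throwaway CA purely so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the list or the Cassandra project): OpenSSL-issued
# PEM files -> JKS keystore + truststore for cassandra.yaml. Passwords are
# read from $KEYSTORE_PASS via the :env forms of openssl/keytool so they
# never appear in argv; file names follow the original question.
set -eu

# pem_to_jks CERT KEY CACERT OUT.jks ALIAS
# Bundle cert chain + private key into PKCS#12, then convert to JKS.
# 3DES/SHA1 PBE is requested explicitly because older keytool releases
# cannot read the AES/PBKDF2 defaults of OpenSSL 3.
pem_to_jks() {
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the store password}"
    cert=$1 key=$2 ca=$3 out=$4 alias=$5
    p12=$(mktemp)   # throwaway intermediate; it holds the private key
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
        -name "$alias" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$p12" -passout env:KEYSTORE_PASS
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
        -srcalias "$alias" -destalias "$alias" \
        -destkeystore "$out" -deststoretype JKS \
        -deststorepass:env KEYSTORE_PASS -destkeypass:env KEYSTORE_PASS
    rm -f "$p12"
}

# ca_to_truststore CACERT OUT.jks
# The truststore needs only the CA certificate; keytool reads PEM directly.
ca_to_truststore() {
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the store password}"
    keytool -importcert -noprompt -alias ca -file "$1" \
        -keystore "$2" -storetype JKS -storepass:env KEYSTORE_PASS
}

# jks_has_alias STORE ALIAS: exit 0 if the alias is present.
jks_has_alias() {
    keytool -list -keystore "$1" -storepass:env KEYSTORE_PASS -alias "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed throwaway CA and node certificate so the
# conversion can be run offline. Real deployments use their own CA files.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=node1.example.internal" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" 2>/dev/null
}

# cassandra.yaml (2.1) on the node then points at the two stores:
# client_encryption_options:
#     enabled: true
#     keystore: /etc/cassandra/conf/client.jks
#     keystore_password: <KEYSTORE_PASS>
#     truststore: /etc/cassandra/conf/truststore.jks
#     truststore_password: <KEYSTORE_PASS>
#     require_client_auth: false   # true = mutual TLS; clients need own certs

# Stand-alone demo: sh pem_to_jks.sh demo
if [ "${1:-}" = demo ]; then
    : "${KEYSTORE_PASS:=change-me-demo-only}"; export KEYSTORE_PASS
    d=$(mktemp -d)
    make_demo_pki "$d"
    pem_to_jks "$d/client.crt" "$d/client.key" "$d/ca.crt" "$d/client.jks" node1
    ca_to_truststore "$d/ca.crt" "$d/truststore.jks"
    keytool -list -keystore "$d/client.jks" -storepass:env KEYSTORE_PASS
    echo "keystore and truststore written under $d"
fi
```

The node's certificate subject (or SAN) should be the hostname clients connect to, otherwise drivers that verify hostnames will reject it; and keep client.key and the .p12 off the node once client.jks exists, since the JKS is the only copy Cassandra needs.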
Cassandra authorization is at the keyspace and table level. Click on the
GRANT link on the doc page, to get more info:
http://docs.datastax.com/en/cql/3.1/cql/cql_reference/grant_r.html
Which says "*Permissions to access all keyspaces, a named keyspace, or a
table can be granted to a user.*"
Ther
The DSE 4.7 documentation says: You use the familiar relational database
GRANT/REVOKE paradigm to grant or revoke permissions to
access Cassandra data.
Does this mean authorization is per table?
What if I need finer grain authorization, e.g., per row or even per cell
(e.g., a specific column in
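An added example for the role and permission question here and for the system_auth/consistency thread earlier on the page (Jacob's question); it is not code from the list or from the Cassandra project. It generates the CQL for the first login after PasswordAuthenticator and CassandraAuthorizer are switched on, in the order the replies imply: give system_auth real replicas before anything else (the built-in cassandra account is read at QUORUM, so the shipped SimpleStrategy RF=1 locks everyone out as soon as the one replica is down), create a replacement superuser, then rotate and demote the built-in account from that new login (a role cannot change its own superuser status), and finally give applications keyspace- or table-scoped grants, which is as fine as Cassandra's authorization goes. It assumes Cassandra 2.2 or later (CREATE ROLE; older versions use CREATE USER); the role names, the app keyspace and the *_PASS environment variables are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the list or from the Cassandra project.
# Emits the CQL for bootstrapping internal auth. Secrets come from the
# environment (ADMIN_PASS, CASSANDRA_PASS, APP_READER_PASS, APP_WRITER_PASS)
# so they never appear in argv or shell history. Role names and the "app"
# keyspace are assumptions.
set -eu

# cql_quote STRING: a single-quoted CQL string literal, embedded ' doubled.
cql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# replication_map DC:RF [DC:RF ...]: NetworkTopologyStrategy map literal
# for e.g. "dc1:3 dc2:3". Rejects a non-numeric RF.
replication_map() {
    m="{'class': 'NetworkTopologyStrategy'"
    for spec in "$@"; do
        dc=${spec%%:*}; rf=${spec#*:}
        case "$rf" in ''|*[!0-9]*) echo "bad DC:RF spec: $spec" >&2; return 1;; esac
        m="$m, $(cql_quote "$dc"): $rf"
    done
    printf '%s}' "$m"
}

# auth_bootstrap_cql NEW_ADMIN DC:RF [DC:RF ...]
# Run as the built-in superuser right after the rolling restart:
#   cqlsh -u cassandra -f bootstrap.cql     (default password: cassandra)
auth_bootstrap_cql() {
    admin=$1; shift
    repl=$(replication_map "$@")
    cat <<EOF
-- system_auth ships as SimpleStrategy RF=1. The 'cassandra' login is read
-- at QUORUM, so with one replica a single dead node locks everyone out.
-- After this statement run "nodetool repair system_auth" on every node.
ALTER KEYSPACE system_auth WITH replication = $repl;

-- Replacement superuser. The built-in account is demoted in the next
-- script, which must run as this new role: a role cannot alter its own
-- superuser status.
CREATE ROLE $admin WITH PASSWORD = $(cql_quote "${ADMIN_PASS:?set ADMIN_PASS}") AND SUPERUSER = true AND LOGIN = true;
EOF
}

# auth_lockdown_cql: run as the new superuser (cqlsh -u <admin> -f lockdown.cql).
auth_lockdown_cql() {
    cat <<EOF
-- Rotate and demote the built-in account instead of leaving cassandra/cassandra.
ALTER ROLE cassandra WITH PASSWORD = $(cql_quote "${CASSANDRA_PASS:?set CASSANDRA_PASS}") AND SUPERUSER = false;

-- Permissions are scoped to a keyspace or a table; there is no row- or
-- cell-level permission, so split roles by what each client must touch.
CREATE ROLE app_reader WITH PASSWORD = $(cql_quote "${APP_READER_PASS:?set APP_READER_PASS}") AND LOGIN = true;
GRANT SELECT ON KEYSPACE app TO app_reader;
CREATE ROLE app_writer WITH PASSWORD = $(cql_quote "${APP_WRITER_PASS:?set APP_WRITER_PASS}") AND LOGIN = true;
GRANT MODIFY ON TABLE app.events TO app_writer;
EOF
}

# Stand-alone: write both scripts into the current directory, e.g.
#   ADMIN_PASS=... CASSANDRA_PASS=... APP_READER_PASS=... APP_WRITER_PASS=... \
#       sh auth_bootstrap.sh write admin dc1:3 dc2:3
if [ "${1:-}" = write ]; then
    shift
    auth_bootstrap_cql "$@" > bootstrap.cql
    auth_lockdown_cql > lockdown.cql
    chmod 600 bootstrap.cql lockdown.cql   # they contain the passwords
fi
```

Delete the two .cql files once applied; and because the roles and grants are themselves rows in system_auth, the repair step after the ALTER KEYSPACE is what makes them visible at QUORUM from every node.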
CVE-2015-0225: Apache Cassandra remote execution of arbitrary code
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Cassandra 1.2.0 to 1.2.19
Cassandra 2.0.0 to 2.0.13
Cassandra 2.1.0 to 2.1.3
Description:
Under its default configuration, Cassandra binds an unauthen
> Cassandra 1.2.19
>
>
>
> We would like to turn on Cassandra’s internal security
> (PasswordAuthenticator and CassandraAuthorizer) on the ring (away from
> AllowAll). (Clients are already passing credentials in their connections.)
> However, I know all nodes have to be switched to those b
Cassandra 1.2.19
We would like to turn on Cassandra's internal security (PasswordAuthenticator
and CassandraAuthorizer) on the ring (away from AllowAll). (Clients are already
passing credentials in their connections.) However, I know all nodes have to be
switched to those before the
Hello Security Enthusiasts,
As you are no doubt aware, ApacheCon North America will be held in Denver,
Colorado starting on April 7th. Security has 4 talks; check it out here:
http://apacheconnorthamerica2014.sched.org/overview/type/security#.UxccIYV9JUE
We would love to see you in Denver
has there been any thought about adding cell-level security to Cassandra ?
something similar to:
http://accumulo.apache.org/1.5/accumulo_user_manual.html#_security
?
--
Frank Hsueh | frank.hs...@gmail.com
Right so the auditing feature is one that is only in the DataStax Enterprise
version. This sub-topic in the DSE documentation describes what's in Apache
Cassandra versus what's in DataStax Enterprise with respect to security:
http://www.datastax.com/docs/datastax_enterprise3.
For open-source Cassandra, there is a framework for security (see the security
book-thing in the sidebar):
http://www.datastax.com/documentation/cassandra/1.2/webhelp/index.html
For those wanting additional things like auditing and other features, there's
DataStax Enterprise:
Thanks for the info.
So open-source Cassandra does not provide for auditing?
-Original Message-
From: Jeremy Hanna [mailto:jeremy.hanna1...@gmail.com]
Sent: Thursday, September 05, 2013 9:47 AM
To: user@cassandra.apache.org
Subject: Re: Security?
For open-source Cassandra, there is a
Does Cassandra have any security features to restrict access or does this have
to be done at the business tier?
Thanks.
Les
On Mon, Apr 30, 2012 at 6:48 PM, Jonathan Ellis wrote:
> On Mon, Apr 30, 2012 at 7:49 PM, Cord MacLeod wrote:
>> Hello group,
>>
>> I'm a new Cassandra and Java user so I'm still trying to get my head around
>> a few things. If you've disabled swap on a machine what is the reason to
>> use JNA
g hints to the page cache with fadvise.
> A second question is doesn't JNA break the Java inherent security mechanisms
> by allowing access to direct system calls outside of the JVM? Are there any
> concerns around this?
We're not trying to sandbox anything here; there's l
> If you've disabled swap on a machine what is the reason to use JNA?
JNA will still be used to efficiently make hard links for snapshots. It's not
necessary to lock the JVM memory when swap is disabled.
> A second question is doesn't JNA break the Java inherent secu
Hello group,
I'm a new Cassandra and Java user so I'm still trying to get my head around a
few things. If you've disabled swap on a machine what is the reason to use
JNA? A second question is doesn't JNA break the Java inherent security
mechanisms by allowing access to
ok, thx for the input!
On 09/11/2011 15:19, Mohit Anchlia wrote:
We lock down ssh to root from any network. We also provide individual
logins including sysadmin and they go through LDAP authentication.
Anyone who does sudo su as root gets logged and alerted via trapsend.
We use firewalls and also
We lock down ssh to root from any network. We also provide individual
logins including sysadmin and they go through LDAP authentication.
Anyone who does sudo su as root gets logged and alerted via trapsend.
We use firewalls and also have a separate vlan for datastore servers.
We then open only speci
Firewall with appropriate rules.
> On Tue, Nov 8, 2011 at 6:30 PM, Guy Incognito wrote:
>>
>> hi,
>>
>> is there a standard approach to securing cassandra eg within a corporate
>> network? at the moment in our dev environment, anybody with network
>> connectivity to the cluster can connect to it
Not sure this is the "standard approach", probably more "what we came up
with". ;)
We plan to deploy Cassandra behind a firewall denying all traffic on all
ports other than 8080. Access from applications will be limited to the
REST/HTTP layer, which we'll lock down with standard HTTP authenticati
hi,
is there a standard approach to securing cassandra eg within a corporate
network? at the moment in our dev environment, anybody with network
connectivity to the cluster can connect to it and mess with it. this
would not be acceptable in prod. do people generally write custom
authentica
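An added example to go with this question and with the "turn on internal security" and CVE-2015-0225 threads earlier on the page; it is not code from the list or from the Cassandra project. The firewall and VLAN answers above are the outer layer; the script checks the inner one: it reads the stock cassandra.yaml keys (authenticator, authorizer, client_encryption_options, server_encryption_options, rpc_address) and the JMX lines of cassandra-env.sh, and reports the settings that let anyone with network reach connect and, in the JMX case, run code. The sample files it writes are constructed for the demonstration, and the conf paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list or from the Cassandra project:
# flag the cassandra.yaml / cassandra-env.sh settings that leave a cluster
# open to anyone who can reach its ports. Sample files are constructed.
set -u

# get_yaml_value FILE KEY [SECTION]
# Value of top-level KEY, or of KEY nested one level under SECTION. Handles
# only the flat "key: value" layout cassandra.yaml uses; trailing comments
# and surrounding quotes are stripped. Prints nothing if the key is unset.
get_yaml_value() {
    file=$1 key=$2 section=${3:-}
    if [ -z "$section" ]; then
        raw=$(sed -n "s/^${key}:[[:space:]]*//p" "$file")
    else
        raw=$(awk -v sec="$section" -v key="$key" '
            /^[^[:space:]#]/ { insec = ($0 ~ ("^" sec ":")) }
            insec && $1 == (key ":") { print $2; exit }' "$file")
    fi
    printf '%s\n' "$raw" | awk '{ sub(/[[:space:]]*#.*$/, ""); print; exit }' | tr -d "\"'"
}

# audit_cassandra_yaml FILE: one "WEAK: ..." line per finding. The shipped
# defaults (AllowAll*, encryption off, client port on every interface) are
# exactly what gets flagged. Always returns 0.
audit_cassandra_yaml() {
    f=$1
    v=$(get_yaml_value "$f" authenticator)
    case "$v" in
        ""|*AllowAllAuthenticator) echo "WEAK: authenticator=${v:-unset} (no client authentication; use PasswordAuthenticator)";;
    esac
    v=$(get_yaml_value "$f" authorizer)
    case "$v" in
        ""|*AllowAllAuthorizer) echo "WEAK: authorizer=${v:-unset} (every login can read/write everything; use CassandraAuthorizer)";;
    esac
    v=$(get_yaml_value "$f" enabled client_encryption_options)
    [ "$v" = true ] || echo "WEAK: client_encryption_options.enabled=${v:-unset} (credentials and data cross the wire in clear)"
    v=$(get_yaml_value "$f" internode_encryption server_encryption_options)
    case "$v" in
        ""|none) echo "WEAK: server_encryption_options.internode_encryption=${v:-unset} (gossip and streaming unencrypted)";;
    esac
    v=$(get_yaml_value "$f" rpc_address)
    [ "$v" = 0.0.0.0 ] && echo "WEAK: rpc_address=0.0.0.0 (client port on every interface; firewall it)"
    return 0
}

# audit_cassandra_env FILE: cassandra-env.sh with JMX reachable remotely and
# unauthenticated, the configuration CVE-2015-0225 (earlier on this page)
# is about. An unauthenticated RMI endpoint means remote code execution.
audit_cassandra_env() {
    f=$1
    grep -Eq '^[[:space:]]*LOCAL_JMX=no' "$f" &&
        echo "WEAK: LOCAL_JMX=no (JMX/RMI bound to a routable address)"
    grep -Eq '^[^#]*jmxremote\.authenticate=false' "$f" &&
        echo "WEAK: jmxremote.authenticate=false (unauthenticated JMX/RMI)"
    return 0
}

# weak_count FILE [env]: number of WEAK findings for a yaml (default) or env file.
weak_count() {
    if [ "${2:-}" = env ]; then audit_cassandra_env "$1" | grep -c '^WEAK' || true
    else audit_cassandra_yaml "$1" | grep -c '^WEAK' || true; fi
}

# write_samples DIR: constructed samples; the shipped defaults, a hardened
# file, and an env file that opens JMX to the network.
write_samples() {
    d=$1
    cat > "$d/weak.yaml" <<'EOF'
cluster_name: 'Test Cluster'
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
rpc_address: 0.0.0.0
server_encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
client_encryption_options:
    enabled: false
    keystore: conf/.keystore
EOF
    cat > "$d/hardened.yaml" <<'EOF'
cluster_name: 'Test Cluster'
authenticator: PasswordAuthenticator   # checked against system_auth
authorizer: CassandraAuthorizer
rpc_address: 10.0.0.5
server_encryption_options:
    internode_encryption: all
    keystore: conf/.keystore
client_encryption_options:
    enabled: true
    keystore: conf/.keystore
EOF
    cat > "$d/env-weak.sh" <<'EOF'
JMX_PORT="7199"
LOCAL_JMX=no
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.port=$JMX_PORT"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
EOF
}

# Stand-alone: sh cassandra_audit.sh demo          (constructed samples)
#              sh cassandra_audit.sh /etc/cassandra/conf/cassandra.yaml /etc/cassandra/conf/cassandra-env.sh
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d); write_samples "$tmp"
    for f in weak.yaml hardened.yaml; do echo "== $f"; audit_cassandra_yaml "$tmp/$f"; done
    echo "== env-weak.sh"; audit_cassandra_env "$tmp/env-weak.sh"
    rm -rf "$tmp"
elif [ $# -ge 1 ]; then
    audit_cassandra_yaml "$1"; [ $# -ge 2 ] && audit_cassandra_env "$2"
fi
```

A clean report from this script still says nothing about who can reach ports 9042/9160/7000/7199, so it complements the firewall rules in the replies rather than replacing them.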
On Wed, Jun 29, 2011 at 12:37 PM, A J wrote:
> Are there any options to encrypt the column families when they are
> stored in the database. Say in a given keyspace some CF has sensitive
> info and I don't want a 'select *' of that CF to lay out the data in
> plain text.
>
> Thanks.
>
I think this
Are there any options to encrypt the column families when they are
stored in the database. Say in a given keyspace some CF has sensitive
info and I don't want a 'select *' of that CF to lay out the data in
plain text.
Thanks.
just as an fyi, I created something in the wiki yesterday - it's just a start
though - http://wiki.apache.org/cassandra/ExtensibleAuth
there's also a FAQ entry on it now - http://wiki.apache.org/cassandra/FAQ#auth
just for going forward - on the wiki itself, just trying to help there.
On Oct 19,
Thanks a lot
On Mon, Oct 18, 2010 at 11:44 AM, Eric Evans wrote:
> On Sun, 2010-10-17 at 21:26 -0700, Yang wrote:
>> I searched around, it seems that this is not clearly documented yet;
>> the closest I found is:
>> http://www.riptano.com/docs/0.6.5/install/auth-config
>> http://cassandra-user-in
On Sun, 2010-10-17 at 21:26 -0700, Yang wrote:
> I searched around, it seems that this is not clearly documented yet;
> the closest I found is:
> http://www.riptano.com/docs/0.6.5/install/auth-config
> http://cassandra-user-incubator-apache-org.3065146.n2.nabble.com/Authentication-td5285013.html#a5
I see that the raw Thrift API has a login() method,
but when I set up a one-node cluster, I can simply connect to
localhost/9160 without any password.
What is the current picture of the security model? How can I enforce
authentication?
I searched around, it seems that this is not clearly documented
s and passwords, and there is a thrift method 'login' that must
be called before any other operations.
I'll add this to the wiki.
-Original Message-
From: "S Ahmed"
Sent: Wednesday, April 21, 2010 4:19pm
To: user@cassandra.apache.org
Subject: security, firewall lev
Is security in terms of remote clients connecting to a Cassandra node done
purely at the hardware/firewall level?
i.e., there is no username/password like in MySQL/SQL Server, correct?
Or permissions at the column family level per user?