
Securing Cassandra communication with TLS/SSL

We would like to protect Cassandra against man-in-the-middle attacks. Is there any way to configure Cassandra so that the client-server and server-server (replication) communications are SSL encrypted?

Thank you

Short answer: no :)

For client - server: THRIFT-151

Edit: You might want to follow this thread on the ML

Encrypted server-server communication seems to be available now:

https://issues.apache.org/jira/browse/CASSANDRA-1567
Provide configurable encryption support for internode communication

Resolution: Fixed
Fix Version/s: 0.8 beta 1
Resolved: 19/Jan/11 18:11
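For reference, a cassandra.yaml fragment showing the configuration that the ticket above enables, added here as an example and not taken from any of the answers. The key names are those used by cassandra.yaml in releases after the one the ticket cites (1.2 and later; the 0.8 release exposed a single `encryption_options` section instead), and the keystore/truststore paths and passwords are placeholders for whatever the operator generates.

```yaml
# Added example, not from the thread. Key names as in cassandra.yaml 1.2+;
# paths and passwords are placeholders.

# Weak setting (the shipped default): gossip and streaming traffic between
# nodes is sent in the clear, so anyone on the path can read or alter it.
#
# server_encryption_options:
#     internode_encryption: none

# Hardened setting: encrypt every node-to-node connection and verify the
# peer's certificate against a truststore, so an untrusted host cannot
# join the ring or pose as an existing node.
server_encryption_options:
    internode_encryption: all          # none | all | dc | rack
    keystore: /etc/cassandra/conf/node.keystore        # placeholder path
    keystore_password: CHANGE_ME                       # placeholder
    truststore: /etc/cassandra/conf/node.truststore    # placeholder path
    truststore_password: CHANGE_ME                     # placeholder
    protocol: TLS
    require_client_auth: true          # mutual TLS: peers must present a trusted cert

# Client-to-server (native protocol) encryption, the second half of the question.
client_encryption_options:
    enabled: true
    keystore: /etc/cassandra/conf/node.keystore        # placeholder path
    keystore_password: CHANGE_ME                       # placeholder
    # To also require client certificates, set the next line to true and
    # add truststore / truststore_password as in the server section.
    require_client_auth: false
```

`internode_encryption: dc` encrypts only traffic that crosses data-centre boundaries, which covers the region-to-region EC2 case discussed further down while leaving intra-DC traffic unencrypted; `all` is the setting to use if the local network is not trusted. Whichever value is chosen, every node needs the same truststore contents, and the change requires a rolling restart.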

The strategy I employ is to have Apache Cassandra nodes communicate through a site to site VPN tunnel.

Specific configurations for the cassandra.yaml file:

 listen_address: 10.x.x.x   # VPN network IP (internode traffic stays inside the tunnel)
 rpc_address: 172.16.x.x    # non-VPN network for client access; I leave it blank so that it listens on all interfaces

The benefits to this approach are that you can deploy Apache Cassandra to many different environments and you become provider agnostic. For example, hosting nodes in various Amazon EC2 environments and hosting nodes in your own physical data center and hosting a few others under your desk!

Is cost an issue preventing you from looking into this approach? Check out Vyatta ...

As KajMagnus pointed out, there is a JIRA ticket resolved and available in the stable version of Apache Cassandra: https://issues.apache.org/jira/browse/CASSANDRA-1567 which enables you to accomplish what you would like via TLS/SSL .. but there are a few ways to accomplish what you would like.

Finally, if you want to host your instance on Amazon EC2, region to region can be problematic and although there is a patch available in 1.xx, is it really the right approach? I have found the VPN approach reduces latency between nodes in different regions and still maintains the necessary level of security.

Finally -- part 2 --

If you want to secure client to server communications, have your clients (web servers) communicate through the same VPN .. The configuration I have:

  • Front end webservers communicate via internal network to application servers
  • Application servers sit on their own internal network and VPN network and communicate to the Data Layer via the VPN tunnel and between each other on the internal network
  • Data Layer exists on its own network per Data Centre / Rack and receives requests via the VPN network

Node to Node (gossip) communication can be secured per the issue above. Client and server will both soon support Kerberos (in Hector master as of commit: https://github.com/rantav/hector/commit/08149a03c81b559cba5680d115943dbf334f58fa; should hit the Cassandra side shortly).
