Cassandra
Configuring the Veza integration for Apache Cassandra
Last updated
Was this helpful?
Configuring the Veza integration for Apache Cassandra
Last updated
Was this helpful?
Was this helpful?
The Veza integration for Apache Cassandra enables discovery of roles, keyspaces, tables, and permissions. Veza connects to your Cassandra deployment to collect authorization metadata, and creates graph entities to model principals and resources within the open source NoSQL distributed database. After enabling the integration, you can use this information to:
Understand and visualize which roles can interact with specific tables and keyspaces in Cassandra.
Create rules to trigger downstream actions when Cassandra entities are added, removed, or modified.
Map external identities within your identity provider to Cassandra roles they can assume via SSO.
This document provides the requirements and steps to configure the integration. See Notes and Supported Entities for more details about the metadata collected by Veza.
To support the roles and permission grants described in this document, the following configurations are required in your cassandra.yaml file:
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
An external Insight Point is recommended for secure communication with the Cassandra host in production environments. You can use the internal Insight Point for testing.
Log in to the Cassandra database as a superuser, or as a user with permission to create roles.
Run the following commands to create a new role using password authentication. Replace and with actual values:
CREATE ROLE <ROLENAME> WITH PASSWORD = <PASSWORD> AND LOGIN = true;
GRANT SELECT ON system_schema.keyspaces TO <ROLENAME>;
GRANT SELECT ON system_schema.tables TO <ROLENAME>;
GRANT SELECT ON system_auth.roles TO <ROLENAME>;
GRANT SELECT ON system_auth.role_permissions TO <ROLENAME>;For more details on creating a role, see Security in the official Cassandra documentation.
To configure the integration in Veza:
In Veza, go to the Integrations page.
Click Add Integration and search for Apache Cassandra. Select it and click Next to open the configuration editor.
Enter the required information.
Click Create Integration to save the configuration.
Name
A friendly name to identify the unique integration.
Insight Point
Choose whether to connect using the default data plane or a deployed Insight Point.
Host
IP address of the Cassandra host.
Port
Port to use for the connection.
Username
Integration role password.
Password
Integration role name.
The primary container for all roles and keyspaces. A database serves as the top-level organizational unit within Cassandra, holding the structures necessary for data storage and access control.
A role in Cassandra represents a set of permissions that can be granted to perform various operations on the database.
Unlike traditional user accounts, Cassandra uses roles to define access control, with each role potentially inheriting permissions from other roles.
Roles are hierarchical; assigning one role to another allows the grantee to inherit the permissions of the granted role.
Login capabilities are not inherited and must be explicitly assigned.
Roles can have superuser status, granting them unrestricted access to all operations within Cassandra. This status can be inherited by other roles.
Can Login
True if the role is allowed to log in.
Is Superuser
True if the role has superuser privileges.
Identity Type
Veza sets this field to "Human" by default. You can add enrichment rules to mark certain roles as "Non-Human."
Is Active
Veza sets this field to "True" by default.
Represents the cumulative permissions that a role has, either directly assigned or inherited from other roles. These permissions dictate what actions the role can perform on the Cassandra Database or on other roles.
Represents the permissions that govern access to specific tables and keyspaces. These permissions determine what operations a role can perform on data stored within the tables of a keyspace, such as reading or modifying the data.
A keyspace is a namespace that contains tables in Cassandra. It is a logical grouping that helps organize data within the database, defining attributes such as replication strategies and the number of replicas for data stored in the tables it contains.
A table is a collection of data organized into rows and columns, similar to a table in a relational database. Tables reside within a keyspace and store the actual data within the Cassandra database.