Cassandra
Configuring the Veza integration for Apache Cassandra
Overview
The Veza integration for Apache Cassandra enables discovery of roles, keyspaces, tables, and permissions. Veza connects to your Cassandra deployment to collect authorization metadata, and creates graph entities to model principals and resources within the open source NoSQL distributed database. After enabling the integration, you can use this information to:
Understand and visualize which roles can interact with specific tables and keyspaces in Cassandra.
Create rules to trigger downstream actions when Cassandra entities are added, removed, or modified.
Map external identities within your identity provider to Cassandra roles they can assume via SSO.
This document provides the requirements and steps to configure the integration. See Notes and Supported Entities for more details about the metadata collected by Veza.
Configuring Apache Cassandra
Requirements
To support the roles and permission grants described in this document, the following configurations are required in your cassandra.yaml file:
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
An external Insight Point is recommended for secure communication with the Cassandra host in production environments. You can use the internal Insight Point for testing.
Commands to Create a Role with Minimal Permissions
Log in to the Cassandra database as a superuser, or as a user with permission to create roles.
Run the following commands to create a new role using password authentication. Replace and with actual values:
For more details on creating a role, see Security in the official Cassandra documentation.
Configuring Apache Cassandra on the Veza Platform
To configure the integration in Veza:
In Veza, go to the Integrations page.
Click Add Integration and search for Apache Cassandra. Select it and click Next to open the configuration editor.
Enter the required information.
Click Create Integration to save the configuration.
Name
A friendly name to identify the unique integration.
Insight Point
Choose whether to connect using the default data plane or a deployed Insight Point.
Host
IP address of the Cassandra host.
Port
Port to use for the connection.
Username
Integration role name.
Password
Integration role password.
Notes and Supported Entities
Cassandra Database
The primary container for all roles and keyspaces. A database serves as the top-level organizational unit within Cassandra, holding the structures necessary for data storage and access control.
Cassandra Role
A role in Cassandra represents a set of permissions that can be granted to perform various operations on the database.
Unlike traditional user accounts, Cassandra uses roles to define access control, with each role potentially inheriting permissions from other roles.
Roles are hierarchical; assigning one role to another allows the grantee to inherit the permissions of the granted role.
Login capabilities are not inherited and must be explicitly assigned.
Roles can have superuser status, granting them unrestricted access to all operations within Cassandra. This status can be inherited by other roles.
Can Login
True if the role is allowed to log in.
Is Superuser
True if the role has superuser privileges.
Identity Type
Veza sets this field to "Human" by default. You can add enrichment rules to mark certain roles as "Non-Human."
Is Active
Veza sets this field to "True" by default.
Cassandra Role Effective Permission
Represents the cumulative permissions that a role has, either directly assigned or inherited from other roles. These permissions dictate what actions the role can perform on the Cassandra Database or on other roles.
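The inheritance rules described for Cassandra Role and Cassandra Role Effective Permission can be modeled in a few lines. This is an added example, not code from Veza or Cassandra; the `Role` class, the function names, and all role and keyspace names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    can_login: bool = False
    is_superuser: bool = False
    member_of: set = field(default_factory=set)  # roles granted to this role
    grants: set = field(default_factory=set)     # direct (permission, resource) pairs

def inherited_roles(roles, name):
    """Return `name` plus every role it reaches through role-to-role grants."""
    seen, stack = set(), [name]
    while stack:
        current = stack.pop()
        if current not in seen:   # guard against revisiting shared ancestors
            seen.add(current)
            stack.extend(roles[current].member_of)
    return seen

def effective(roles, name):
    """Cumulative view of one role: direct plus inherited attributes."""
    chain = inherited_roles(roles, name)
    return {
        "can_login": roles[name].can_login,  # login is never inherited
        "is_superuser": any(roles[r].is_superuser for r in chain),
        "permissions": set().union(*(roles[r].grants for r in chain)),
    }

def login_superusers(roles):
    """Roles that can authenticate AND hold superuser directly or by inheritance."""
    return sorted(n for n in roles
                  if roles[n].can_login and effective(roles, n)["is_superuser"])

# Constructed sample data (hypothetical role and keyspace names).
ROLES = {r.name: r for r in [
    Role("dba", is_superuser=True),
    Role("analytics_read", grants={("SELECT", "data/sales")}),
    Role("etl", grants={("MODIFY", "data/sales/orders")}, member_of={"analytics_read"}),
    Role("alice", can_login=True, member_of={"etl"}),
    Role("svc_backup", can_login=True, member_of={"dba"}),
    Role("ops_group", member_of={"dba"}),
]}

if __name__ == "__main__":
    for role_name in sorted(ROLES):
        print(role_name, effective(ROLES, role_name))
    print("login-capable superusers:", login_superusers(ROLES))
```

In this sample, `ops_group` inherits superuser status but cannot log in, while `svc_backup` is the only role that can both authenticate and act as a superuser, which is the combination worth reviewing first.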
Cassandra Table Effective Permission
Represents the permissions that govern access to specific tables and keyspaces. These permissions determine what operations a role can perform on data stored within the tables of a keyspace, such as reading or modifying the data.
Cassandra Keyspace
A keyspace is a namespace that contains tables in Cassandra. It is a logical grouping that helps organize data within the database, defining attributes such as replication strategies and the number of replicas for data stored in the tables it contains.
Cassandra Table
A table is a collection of data organized into rows and columns, similar to a table in a relational database. Tables reside within a keyspace and store the actual data within the Cassandra database.