Cassandra

Overview

The Veza integration for Apache Cassandra enables discovery of roles, keyspaces, tables, and permissions. Veza connects to your Cassandra deployment to collect authorization metadata, and creates graph entities to model principals and resources within the open source NoSQL distributed database. After enabling the integration, you can use this information to:

• Understand and visualize which roles can interact with specific tables and keyspaces in Cassandra.

• Create rules to trigger downstream actions when Cassandra entities are added, removed, or modified.

• Map external identities within your identity provider to Cassandra roles they can assume via SSO.

This document provides the requirements and steps to configure the integration. See for more details about the metadata collected by Veza.

Configuring Apache Cassandra

Requirements

• To support the roles and permission grants described in this document, the following configurations are required in your cassandra.yaml file:

  • authenticator: PasswordAuthenticator

  • authorizer: CassandraAuthorizer

• An external is recommended for secure communication with the Cassandra host in production environments. You can use the internal Insight Point for testing.

Commands to Create a Role with Minimal Permissions

1. Log in to the Cassandra database as a superuser, or as a user with permission to create roles.

2. Run the following commands to create a new role using password authentication. Replace and with actual values:

CREATE ROLE <ROLENAME> WITH PASSWORD = <PASSWORD> AND LOGIN = true;
GRANT SELECT ON system_schema.keyspaces TO <ROLENAME>;
GRANT SELECT ON system_schema.tables TO <ROLENAME>;
GRANT SELECT ON system_auth.roles TO <ROLENAME>;
GRANT SELECT ON system_auth.role_permissions TO <ROLENAME>;

Configuring Apache Cassandra on the Veza Platform

To configure the integration in Veza:

1. In Veza, go to the Integrations page.

2. Click Add Integration and search for Apache Cassandra. Select it and click Next to open the configuration editor.

3. Enter the required information.

4. Click Create Integration to save the configuration.

Notes and Supported Entities

Cassandra Database

The primary container for all roles and keyspaces. A database serves as the top-level organizational unit within Cassandra, holding the structures necessary for data storage and access control.

Cassandra Role

A role in Cassandra represents a set of permissions that can be granted to perform various operations on the database.

• Unlike traditional user accounts, Cassandra uses roles to define access control, with each role potentially inheriting permissions from other roles.

• Roles are hierarchical; assigning one role to another allows the grantee to inherit the permissions of the granted role.

• Login capabilities are not inherited and must be explicitly assigned.

• Roles can have superuser status, granting them unrestricted access to all operations within Cassandra. This status can be inherited by other roles.

Cassandra Role Effective Permission

Represents the cumulative permissions that a role has, either directly assigned or inherited from other roles. These permissions dictate what actions the role can perform on the Cassandra Database or on other roles.

Cassandra Table Effective Permission

Represents the permissions that govern access to specific tables and keyspaces. These permissions determine what operations a role can perform on data stored within the tables of a keyspace, such as reading or modifying the data.

Cassandra Keyspace

A keyspace is a namespace that contains tables in Cassandra. It is a logical grouping that helps organize data within the database, defining attributes such as replication strategies and the number of replicas for data stored in the tables it contains.

Cassandra Table

A table is a collection of data organized into rows and columns, similar to a table in a relational database. Tables reside within a keyspace and store the actual data within the Cassandra database.