I'm trying to control the access to Cassandra database so it can be accessed from specific hosts only (deny the access from not configured hosts ), I have the following configurations in cassandra.yaml file:-
start_rpc: true
rpc_address: 0.0.0.0
broadcast_rpc_address: x.x.x.x
rpc_port:9160
Are these configurations are correct or there is something missing? AND is there another way to access Cassandra from specific hosts?
CodePudding user response:
Not sure which version of Cassandra you are using, but 9160 is for thrift protocol connections. It's been deprecated in Cassandra 3.0, and removed in Cassandra 4.0.
If it were me, I'd be closing that avenue of access by setting start_rpc: false
.
All client connection requests should be using the CQL native binary protocol on port 9042 (9142 if client-to-node SSL is used in v4.0 ).
control the access to Cassandra database so it can be accessed from specific hosts only
For this, your best option would be to filter with iptables
on each node. Here's a resource which details how to do that. Basically, you'll need to ACCEPT
connections to/from each IP address, on each node in the cluster:
Allow incoming connections from 192.168.0.1, only on port 9042:
iptables -A INPUT -s 192.168.0.1 --dport 9042 -j ACCEPT
Allow outgoing connections back to 192.168.0.1:
iptables -A OUTPUT -d 192.168.0.1 -j ACCEPT
CodePudding user response:
I want to echo Aaron's comments. Thrift was deprecated and replaced by CQL in 2012. Support for Thrift in the Cassandra tools was dropped in 2014 (CASSANDRA-8358) and the Thrift RPC server was disabled by default since Cassandra 2.2 (CASSANDRA-9319).
Development on Thrift clients also ceased nearly 10 years ago. Nate McCall who is the current Chair of the Cassandra project and author of the Hector client closed it down in 2015 in preference for the Java driver so I wouldn't use Thrift anymore.
Instead of the Thrift server, you should configure the CQL native transport server. These are the properties you should focus on in cassandra.yaml
:
listen_address: private_ip
rpc_address: public_ip
native_transport_port: 9042
If your nodes only have a single IP address, you can use it for both listen_address
and rpc_address
. It isn't really necessary to use broadcast_address
unless you have a complicated network topology where nodes can only talk to nodes in a remote DC using public IP addresses, for example with EC2 multi-region deployments.
Your question isn't really about Cassandra but about networking. You need to talk to your network admin to configure the firewalls to only allow connections to port 9042
from the application servers. Cheers!