How do I limit access to Cassandra from specific hosts?

Time:03-09

I'm trying to control access to the Cassandra database so that it can be accessed from specific hosts only (denying access from hosts that are not configured). I have the following configuration in the cassandra.yaml file:

start_rpc: true
rpc_address: 0.0.0.0
broadcast_rpc_address: x.x.x.x
rpc_port: 9160

Are these configurations correct, or is there something missing? And is there another way to restrict access to Cassandra to specific hosts?

CodePudding user response:

Not sure which version of Cassandra you are using, but 9160 is for thrift protocol connections. It's been deprecated in Cassandra 3.0, and removed in Cassandra 4.0.

If it were me, I'd be closing that avenue of access by setting start_rpc: false.

All client connection requests should be using the CQL native binary protocol on port 9042 (9142 if client-to-node SSL is used in v4.0).

control the access to Cassandra database so it can be accessed from specific hosts only

For this, your best option would be to filter with iptables on each node. Here's a resource which details how to do that. Basically, you'll need to ACCEPT connections to/from each IP address, on each node in the cluster:

Allow incoming connections from 192.168.0.1, only on port 9042:

iptables -A INPUT -p tcp -s 192.168.0.1 --dport 9042 -j ACCEPT

Allow outgoing connections back to 192.168.0.1:

iptables -A OUTPUT -d 192.168.0.1 -j ACCEPT
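As an added example (not part of the answer above), the script below generates the per-node iptables rules for a whole list of application hosts. It keeps the answer's ACCEPT rules but appends a catch-all DROP for port 9042, because ACCEPT rules on their own do not keep unlisted hosts out unless the INPUT chain already has a DROP policy. The function names, the `valid_ipv4` check and the conntrack-based reply rule are my additions; it assumes IPv4 iptables and plain CQL on 9042.

```shell
#!/bin/sh
# Added example, not code from the answers above: generate iptables rules that
# admit the CQL native transport port (9042) only from listed client IPs and
# drop every other source. Rules are printed rather than applied, so they can
# be reviewed first and then piped to sh as root on each node.
# Assumptions: IPv4 iptables on the nodes; plain CQL on 9042 (use 9142 if the
# client-to-node SSL port is in use); inter-node ports (7000/7001) are untouched.

CQL_PORT=9042

# valid_ipv4 <addr>: dotted-quad sanity check so a typo never becomes a rule
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_rules <client-ip>...: one ACCEPT per allowed client, then a catch-all
# DROP. Without the final DROP (or a DROP policy on INPUT) the ACCEPT rules
# alone do not keep unlisted hosts out. Returns 1 on a missing or bad address.
gen_rules() {
    [ "$#" -gt 0 ] || { echo "gen_rules: no client IPs given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "gen_rules: bad IPv4 address: $ip" >&2; return 1; }
        # --dport is only valid together with -p tcp
        echo "iptables -A INPUT -p tcp -s $ip --dport $CQL_PORT -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $CQL_PORT -j DROP"
}

# reply_rule: lets responses to accepted connections leave the node without a
# separate OUTPUT rule per client (replaces the per-host OUTPUT ACCEPT).
reply_rule() {
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Usage (as root, after reviewing the printed rules):
#   gen_rules 192.168.0.1 192.168.0.2 | sh; reply_rule | sh
```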

CodePudding user response:

I want to echo Aaron's comments. Thrift was deprecated and replaced by CQL in 2012. Support for Thrift in the Cassandra tools was dropped in 2014 (CASSANDRA-8358), and the Thrift RPC server has been disabled by default since Cassandra 2.2 (CASSANDRA-9319).

Development on Thrift clients also ceased nearly 10 years ago. Nate McCall, who is the current Chair of the Cassandra project and author of the Hector client, closed it down in 2015 in preference for the Java driver, so I wouldn't use Thrift anymore.

Instead of the Thrift server, you should configure the CQL native transport server. These are the properties you should focus on in cassandra.yaml:

listen_address: private_ip
rpc_address: public_ip
native_transport_port: 9042

If your nodes only have a single IP address, you can use it for both listen_address and rpc_address. It isn't really necessary to use broadcast_address unless you have a complicated network topology where nodes can only talk to nodes in a remote DC using public IP addresses, for example with EC2 multi-region deployments.

Your question isn't really about Cassandra but about networking. You need to talk to your network admin to configure the firewalls to only allow connections to port 9042 from the application servers. Cheers!
