secure communication between hector and cassandra?
190 views
Skip to first unread message
Yiming Sun
Feb 27, 2012, 3:23:19 PM2/27/12
to hector...@googlegroups.com
Hello,
We are using Cassandra to host some confidential data, and Cassandra does support internode encryption. However, it is not clear to us if the communication between Hector and Cassandra can also be encrypted. A quick search on the subject seems to suggest someone has done this via openVPN. We are just wondering if Hector has (or is planning to support) a more direct support for secure communication. Thanks.
-- Y.
Patricio Echagüe
Feb 27, 2012, 3:26:25 PM2/27/12
to hector...@googlegroups.com
Yiming, I added Kerberos support a while ago. http://rantav.github.com/hector/build/html/content/security.html
I'm not sure if cassandra folks added it to cassandra already. At least it was part of DataStax Enterprise at that point.
Yiming Sun
Feb 27, 2012, 3:36:29 PM2/27/12
to hector...@googlegroups.com
Thanks Patricio. Pardon my ignorance on this, but isn't this just for Authentication only? Or are all subsequent communications on data retrieval secured as well?
Patricio Echagüe
Feb 27, 2012, 3:42:00 PM2/27/12
to hector...@googlegroups.com
We currently don't have any other secure mechanism unfortunately. Just authentication.
Sent from my Android
Yiming Sun
Feb 27, 2012, 3:46:01 PM2/27/12
to hector...@googlegroups.com
Nate McCall
Feb 27, 2012, 4:28:27 PM2/27/12
to hector...@googlegroups.com
SSL is not supported in Cassandra thrift API yet. I took a cursory
glance at this about 2 months ago, and I don't think it would be that
hard to hack in to one of the Cassandra thrift transports.
glance at this about 2 months ago, and I don't think it would be that
hard to hack in to one of the Cassandra thrift transports.
Unfortunately you cant use the SSLThriftTransport in libthrift out of
the box because cassandra has a few customizations on the transports
which will make it incompatible. We already have the actual transport
layer encapsulated on our side due to Patricio's efforts, so adding an
SSL impl (which you could then drive from kerberos) would be minimal
effort on our side.
Patricio Echagüe
Feb 27, 2012, 4:44:10 PM2/27/12
to hector...@googlegroups.com
Yeah. I forgot we isolated the client management in Hector core. Agree on that it will be straightforward to implement on our side.
Is there any ticket in C* JIRa about SSL ?
Yiming Sun
Feb 28, 2012, 9:33:53 AM2/28/12
to hector...@googlegroups.com
This is good to know, Nate. Thank you both for the hard work.
Fatema
Mar 6, 2014, 5:04:37 PM3/6/14
to hector...@googlegroups.com
Yiming Sun <yiming.sun@...> writes:
>
>
> This is good to know, Nate. Thank you both for the hard work.
>
> -- Y.2012/2/27 Patricio Echagüe <patricioe <at> gmail.com>Yeah. I forgot
>
>
> This is good to know, Nate. Thank you both for the hard work.
>
we isolated the client management in Hector core. Agree on that it will be
straightforward to implement on our side.
>
>
>
> Is there any ticket in C* JIRa about SSL ?
>
>
> On Mon, Feb 27, 2012 at 1:28 PM, Nate McCall <zznate.m-
Re5JQEeQqe8...@public.gmane.org> wrote:
>
>
>
> SSL is not supported in Cassandra thrift API yet. I took a cursory
> glance at this about 2 months ago, and I don't think it would be that
> hard to hack in to one of the Cassandra thrift transports.
> Unfortunately you cant use the SSLThriftTransport in libthrift out of
> the box because cassandra has a few customizations on the transports
> which will make it incompatible. We already have the actual transport
> layer encapsulated on our side due to Patricio's efforts, so adding an
> SSL impl (which you could then drive from kerberos) would be minimal
> effort on our side.
>
>
>
> On Mon, Feb 27, 2012 at 8:46 PM, Yiming Sun <yiming.sun-
straightforward to implement on our side.
>
>
>
> Is there any ticket in C* JIRa about SSL ?
>
>
> On Mon, Feb 27, 2012 at 1:28 PM, Nate McCall <zznate.m-
Re5JQEeQqe8...@public.gmane.org> wrote:
>
>
>
> SSL is not supported in Cassandra thrift API yet. I took a cursory
> glance at this about 2 months ago, and I don't think it would be that
> hard to hack in to one of the Cassandra thrift transports.
> Unfortunately you cant use the SSLThriftTransport in libthrift out of
> the box because cassandra has a few customizations on the transports
> which will make it incompatible. We already have the actual transport
> layer encapsulated on our side due to Patricio's efforts, so adding an
> SSL impl (which you could then drive from kerberos) would be minimal
> effort on our side.
>
>
>
Re5JQEeQqe8...@public.gmane.org> wrote:
> > Okay, thanks! No problem.
> >
> >
> > 2012/2/27 Patricio Echagüe <patricioe-
Re5JQEeQqe8...@public.gmane.org>
> >>
> >> We currently don't have any other secure mechanism unfortunately. Just
> >> authentication.
> >>
> >> Sent from my Android
> >>
> >> On Feb 27, 2012 12:36 PM, "Yiming Sun" <yiming.sun-
> >> We currently don't have any other secure mechanism unfortunately. Just
> >> authentication.
> >>
> >> Sent from my Android
> >>
Re5JQEeQqe8...@public.gmane.org> wrote:
> >>>
> >>> Thanks Patricio. Pardon my ignorance on this, but isn't this just for
> >>> Authentication only? Or are all subsequent communications on data
retrieval
> >>> secured as well?
> >>>
> >>> -- Y.
> >>>
> >>> 2012/2/27 Patricio Echagüe <patricioe-
> >>>
> >>> Thanks Patricio. Pardon my ignorance on this, but isn't this just for
> >>> Authentication only? Or are all subsequent communications on data
retrieval
> >>> secured as well?
> >>>
> >>> -- Y.
> >>>
Re5JQEeQqe8...@public.gmane.org>
> >>>>
> >>>> Yiming, I added Kerberos support a while
> >>>> ago. http://rantav.github.com/hector/build/html/content/security.html
> >>>>
> >>>> I'm not sure if cassandra folks added it to cassandra already. At
least
> >>>> it was part of DataStax Enterprise at that point.
> >>>>
> >>>>
> >>>> On Mon, Feb 27, 2012 at 12:23 PM, Yiming Sun <yiming.sun-
> >>>> Yiming, I added Kerberos support a while
> >>>> ago. http://rantav.github.com/hector/build/html/content/security.html
> >>>>
> >>>> I'm not sure if cassandra folks added it to cassandra already. At
least
> >>>> it was part of DataStax Enterprise at that point.
> >>>>
> >>>>
Re5JQEeQqe8...@public.gmane.org>
> >>>> wrote:
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> We are using Cassandra to host some confidential data, and Cassandra
> >>>>> does support internode encryption. However, it is not clear to us
if the
> >>>>> communication between Hector and Cassandra can also be encrypted. A
quick
> >>>>> search on the subject seems to suggest someone has done this via
openVPN.
> >>>>> We are just wondering if Hector has (or is planning to support) a
more
> >>>>> direct support for secure communication. Thanks.
> >>>>>
> >>>>> -- Y.
> >>>>
> >>>>
> >>>
> >
>
>
>
>
>
>
>
>
>
>
>
>
Hi,
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> We are using Cassandra to host some confidential data, and Cassandra
> >>>>> does support internode encryption. However, it is not clear to us
if the
> >>>>> communication between Hector and Cassandra can also be encrypted. A
quick
> >>>>> search on the subject seems to suggest someone has done this via
openVPN.
> >>>>> We are just wondering if Hector has (or is planning to support) a
more
> >>>>> direct support for secure communication. Thanks.
> >>>>>
> >>>>> -- Y.
> >>>>
> >>>>
> >>>
> >
>
>
>
>
>
>
>
>
>
>
>
>
I am currently using Hector for communication with Cassandra cluster. I have
the same question that is there any way to encrypt Hector- Cassandra
communication using SSL? If yes, then how can I do that?
Any help will be appreciated.
Thanks,
Fatema.
Reply all
Reply to author
Forward
0 new messages