Skip to content

CQL Security

CQL provides two categories of security features for controlling access to data:

History and Evolution

Cassandra's security model has evolved significantly since its early releases, progressing from basic pluggable authentication to a comprehensive role-based system with fine-grained data protection.

Timeline

Version Year Feature Reference
0.6 2010 Pluggable authentication framework (IAuthenticator) CASSANDRA-547
1.2 2012 CQL-based authentication (CREATE USER, GRANT), system_auth keyspace -
2.2 2015 Role-based access control (RBAC), CREATE ROLE replaces CREATE USER CASSANDRA-7653
2.2 2015 Auth subsystem rework (SASL, caching, UDF permissions) CASSANDRA-8394
4.1 2022 CQLSH authentication plugin support CEP-16
5.0 2024 Dynamic Data Masking (DDM) CEP-20, CASSANDRA-17940
5.0 2024 Mutual TLS authentication (MutualTlsAuthenticator) CEP-34, CASSANDRA-18554

Architecture Evolution

Era Versions Model Key Components
Thrift 0.6 – 1.1 File-based SimpleAuthenticator, properties files
CQL Users 1.2 – 2.1 User-based PasswordAuthenticator, CassandraAuthorizer, system_auth keyspace, CREATE USER
RBAC 2.2 – 4.x Role-based CREATE ROLE, role inheritance, UDF permissions, SASL
Enhanced 5.0+ Role + masking Dynamic Data Masking, mTLS, SPIFFE identities, ADD IDENTITY

Key Design Decisions

The evolution reflects several architectural principles:

  1. Pluggability - All components (authenticator, authorizer, role manager) are pluggable interfaces
  2. CQL Integration - Security management through CQL statements rather than configuration files
  3. Role Unification - Cassandra 2.2 unified users and groups into a single "role" concept
  4. Backward Compatibility - CREATE USER syntax remains functional, internally creating roles
  5. Permission Granularity - Progressive addition of resource types (keyspaces, tables, functions, MBeans)

Features Overview

Feature Description Version Reference
Role-Based Access Control Roles, permissions, and grants 2.2+ CASSANDRA-7653
Dynamic Data Masking Column-level data obfuscation 5.0+ CEP-20

Role-Based Access Control (RBAC)

RBAC controls who can access what resources through roles and permissions.

Key concepts:

  • Roles - Represent users (with login) or permission groups (without login)
  • Permissions - Actions allowed on resources (SELECT, MODIFY, CREATE, etc.)
  • Grants - Associate permissions with roles, or roles with other roles

Commands:

Command Purpose
CREATE ROLE Create user or permission group
ALTER ROLE Modify role properties
DROP ROLE Remove a role
GRANT Assign permissions or role membership
REVOKE Remove permissions or role membership
LIST ROLES Display roles
LIST PERMISSIONS Display permission grants

See Role-Based Access Control for syntax and examples.

Dynamic Data Masking (DDM)

DDM automatically obfuscates sensitive column data at read time based on user permissions.

Key concepts:

  • Masking functions - Transform column values (mask_inner, mask_hash, etc.)
  • UNMASK permission - Allows viewing original unmasked data
  • SELECT_MASKED permission - Allows querying tables with masked columns

Built-in masking functions:

Function Effect
mask_null() Replace with null
mask_default() Replace with type default
mask_replace(value) Replace with constant
mask_inner(prefix, suffix) Mask inner characters
mask_outer(prefix, suffix) Mask outer characters
mask_hash([algorithm]) Replace with hash

See Dynamic Data Masking for syntax and examples.

Configuration

Both RBAC and DDM require configuration in cassandra.yaml:

# RBAC (required for role-based security)
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager

# DDM (optional, Cassandra 5.0+)
dynamic_data_masking_enabled: true

For detailed configuration guidance, see Security Configuration.

References

JIRA Tickets

Ticket Description
CASSANDRA-547 Original pluggable authentication framework (0.6)
CASSANDRA-7653 Role-based access control (2.2)
CASSANDRA-8394 Auth subsystem rework (2.2/3.0)
CASSANDRA-17940 Dynamic Data Masking (5.0)
CASSANDRA-18554 mTLS authenticators (5.0)

CEPs

CEP Description
CEP-16 CQLSH authentication plugin support
CEP-20 Dynamic Data Masking
CEP-34 mTLS authenticators
CEP-50 Authentication negotiation (in progress)
Topic Description
Security Overview Security architecture and configuration
Authentication Authenticator setup
Authorization Authorizer setup and RBAC patterns