2.2 Ensure that authorization is enabled for Cassandra databases

Information

Authorization is pluggable in Cassandra and is configured using the authorizer setting in cassandra.yaml. Cassandra ships with two options included in the default distribution, AllowAllAuthorizer and CassandraAuthorizer. The default, AllowAllAuthorizer, performs no checking and therefore grants all permissions to all roles. The second option, CassandraAuthorizer, implements full permissions management and stores its data in Cassandra system tables.

Rationale:
Authorizing roles is an important step towards ensuring only authorized access to the Cassandra database tables is permitted. It also provides the requisite means of implementing least privilege best practices. The authorization mechanism should be implemented before anyone accesses the Cassandra database.

Solution

To enable the authorization mechanism:

1. Stop the Cassandra database.
2. Edit cassandra.yaml and modify (or add) the authorizer entry so that it reads: authorizer: CassandraAuthorizer
3. Start the Cassandra database.
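The following POSIX shell snippet is an added example, not part of the CIS benchmark page or the Cassandra project: it audits the authorizer entry of a cassandra.yaml, refuses to remediate when the authenticator is still AllowAllAuthenticator (the combination Cassandra does not accept), and otherwise rewrites the entry to CassandraAuthorizer. The sample configuration fragment is constructed inline so the script runs offline; the file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or Cassandra itself).
# Audits and remediates the "authorizer:" setting in a cassandra.yaml.

# get_setting KEY FILE
# Prints the value of the first uncommented "KEY:" line, without any
# trailing comment; prints nothing when the key is absent.
get_setting() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | head -n 1
}

# check_authorizer FILE
# Returns 0 when CassandraAuthorizer (short or fully qualified name) is
# configured, 1 otherwise (including the AllowAllAuthorizer default).
check_authorizer() {
    val=$(get_setting authorizer "$1")
    case "$val" in
        CassandraAuthorizer|org.apache.cassandra.auth.CassandraAuthorizer) return 0 ;;
        *) return 1 ;;
    esac
}

# set_authorizer FILE
# Rewrites (or appends) the authorizer entry to CassandraAuthorizer.
# Cassandra rejects CassandraAuthorizer together with AllowAllAuthenticator,
# so the function refuses in that case rather than producing a config that
# will not start. Run this only while the Cassandra service is stopped.
set_authorizer() {
    file=$1
    auth=$(get_setting authenticator "$file")
    case "$auth" in
        ""|AllowAllAuthenticator|org.apache.cassandra.auth.AllowAllAuthenticator)
            echo "refusing: enable an authenticator before CassandraAuthorizer" >&2
            return 1 ;;
    esac
    if grep -q '^[[:space:]]*authorizer:' "$file"; then
        sed -i.bak 's/^[[:space:]]*authorizer:.*/authorizer: CassandraAuthorizer/' "$file"
    else
        printf 'authorizer: CassandraAuthorizer\n' >> "$file"
    fi
}

# Constructed sample fragment of a cassandra.yaml (not a real cluster's file).
sample_dir=$(mktemp -d)
sample="$sample_dir/cassandra.yaml"
cat > "$sample" <<'EOF'
cluster_name: 'Test Cluster'
authenticator: PasswordAuthenticator
authorizer: AllowAllAuthorizer   # default shipped value
role_manager: CassandraRoleManager
EOF

if check_authorizer "$sample"; then
    echo "PASS: authorizer is $(get_setting authorizer "$sample")"
else
    echo "FAIL: authorizer is '$(get_setting authorizer "$sample")'; remediating"
    set_authorizer "$sample" && echo "now: $(get_setting authorizer "$sample")"
fi
```

The audit deliberately reads only uncommented lines, so a commented-out `# authorizer: CassandraAuthorizer` still counts as a finding; the remediation keeps a `.bak` copy of the original file beside it.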

Default Value:
authorizer: AllowAllAuthorizer

References:
http://cassandra.apache.org/doc/latest/getting_started/configuring.html
http://cassandra.apache.org/doc/latest/operating/security.html

Notes:
Cassandra requires the authorizer to remain AllowAllAuthorizer while AllowAllAuthenticator is the configured authenticator, so an authenticator must be enabled before CassandraAuthorizer can be used.

See Also

https://workbench.cisecurity.org/files/2309