I wanted to know: the commit log that's written to the disk, is it easily accessible, or is it secured and cannot be read easily? Also, is it encrypted?
The contents of the `commitlog/` directory (commitlog segments) are not easily accessible to users. You can't just read the contents of the files since they are in binary format and there are no out-of-the-box tools available to parse them.
You can however write a Java app to read the contents similar to the way the `CommitLogReplayer.java` does since the code for the reader and for the replayer are open-source. Cheers!
Later versions of Cassandra provide transparent data encryption for commitlog and hints out of the box. To enable, see the following section in the cassandra.yaml (here from Cassandra 3.11.6):

```yaml
# Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from
# a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by
# the "key_alias" is the only key that will be used for encrypt operations; previously used keys
# can still (and should!) be in the keystore and will be used on decrypt operations
# (to handle the case of key rotation).
#
# It is strongly recommended to download and install Java Cryptography Extension (JCE)
# Unlimited Strength Jurisdiction Policy Files for your version of the JDK.
# (current link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
#
# Currently, only the following file types are supported for transparent data encryption, although
# more are coming in future cassandra releases: commitlog, hints
transparent_data_encryption_options:
    enabled: false
    chunk_length_kb: 64
    cipher: AES/CBC/PKCS5Padding
    key_alias: testing:1
    # CBC IV length for AES needs to be 16 bytes (which is also the default size)
    # iv_length: 16
    key_provider:
      - class_name: org.apache.cassandra.security.JKSKeyProvider
        parameters:
          - keystore: conf/.keystore
            keystore_password: cassandra
            store_type: JCEKS
            key_password: cassandra
```
Here is the jira that asked for the option to encrypt the commitlog:
Hope this helps!
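
An added example (not part of the original answers and not code from the Cassandra project): a small Python check that reads the `transparent_data_encryption_options` block shown above and reports when encryption is off or the sample keystore passwords are still in place. The function names and the line-based scanner are assumptions made for this illustration, and the embedded config is a constructed sample based on the excerpt.

```python
import re

# Sample secret that appears in the cassandra.yaml excerpt above.
SAMPLE_SECRETS = {"cassandra"}

# Constructed sample input: the stock block from the excerpt, comments removed.
STOCK = """\
transparent_data_encryption_options:
    enabled: false
    chunk_length_kb: 64
    cipher: AES/CBC/PKCS5Padding
    key_alias: testing:1
    key_provider:
      - class_name: org.apache.cassandra.security.JKSKeyProvider
        parameters:
          - keystore: conf/.keystore
            keystore_password: cassandra
            store_type: JCEKS
            key_password: cassandra
"""

def parse_tde_block(yaml_text):
    """Collect the key/value pairs under transparent_data_encryption_options."""
    opts, inside = {}, False
    for line in yaml_text.splitlines():
        if line.startswith("transparent_data_encryption_options:"):
            inside = True
        elif inside and line.strip() and not line.lstrip().startswith("#"):
            if not line[0].isspace():  # next top-level key ends the block
                break
            # Line scanner, not a YAML parser: keys in this block are unique.
            m = re.match(r"\s*(?:-\s*)?(\w+):\s*(.*?)(?:\s+#.*)?\s*$", line)
            if m and m.group(2):
                opts[m.group(1)] = m.group(2).strip("'\"")
    return opts

def audit_tde(yaml_text):
    """Return findings for the block; an empty list means none were found."""
    opts = parse_tde_block(yaml_text)
    findings = []
    if opts.get("enabled", "false").lower() != "true":
        findings.append("TDE is off: commitlog and hints are written unencrypted")
    for key in ("keystore_password", "key_password"):
        if opts.get(key) in SAMPLE_SECRETS:
            findings.append(f"{key} still uses the sample value from cassandra.yaml")
    return findings

if __name__ == "__main__":
    for finding in audit_tde(STOCK):
        print("FINDING:", finding)
```

A file with no `transparent_data_encryption_options` block at all is reported as disabled, since the excerpt shows `enabled: false` as the shipped setting.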