Hanzo
PlatformHanzo KMSPlatformDynamic Secrets

Cassandra

Learn how to dynamically generate Cassandra database user credentials

The Hanzo KMS Cassandra dynamic secret allows you to generate Cassandra database credentials on demand based on configured role.

Prerequisite

Hanzo KMS requires a Cassandra user in your instance with the necessary permissions. This user will facilitate the creation of new accounts as needed. Ensure the user possesses privileges for creating, dropping, and granting permissions to roles for it to be able to create dynamic secrets.

In your Cassandra configuration file cassandra.yaml, make sure you have the following settings:

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

The above configuration allows user creation and granting permissions.

Set up Dynamic Secrets with Cassandra

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.

Add Dynamic Secret Button

Dynamic Secret Modal

Name by which you want the secret to be referenced

Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)

Maximum time-to-live for a generated secret

Cassandra Host. You can specify multiple Cassandra hosts by separating them with commas.

Cassandra port

Username that will be used to create dynamic secrets

Password that will be used to create dynamic secrets

Specify the local data center in Cassandra that you want to use. This choice should align with your Cassandra cluster setup.

Keyspace name where you want to create dynamic secrets. This ensures that the user is limited to that keyspace.

A CA may be required if your cassandra requires it for incoming connections.

Dynamic Secret Setup Modal

Modify CQL Statements Modal

If you want to provide specific privileges for the generated dynamic credentials, you can modify the CQL statement to your needs. This is useful if you want to only give access to a specific key-space(s).

After submitting the form, you will see a dynamic secret created in the dashboard.

If this step fails, you may have to add the CA certificate.

Dynamic Secret

Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials. To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.

Dynamic Secret Dynamic Secret

When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.

Provision Lease

Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.

Once you click the Submit button, a new secret lease will be generated and the credentials for it will be shown to you.

Provision Lease

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the lease details and delete the lease ahead of its expiration time.

Provision Lease

Renew Leases

To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the Renew button as illustrated below. Provision Lease

Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret

How is this guide?

Last updated on

Oracle

Learn how to dynamically generate Oracle Database user credentials.

Redis

Learn how to dynamically generate Redis Database user credentials.

On this page

Prerequisite
Set up Dynamic Secrets with Cassandra
Audit or Revoke Leases
Renew Leases