Configuring internal authentication and authorization

Steps to configure internal authentication and authorization.

You must set internal authentication and authorization at the same time. After setting the Authorizer and the Authenticator in the cassandra.yaml file, you can set object permissions, as described in Managing object permissions using internal authorization.

Procedure

  1. Change the authenticator option in the cassandra.yaml file to the native Cassandra PasswordAuthenticator by uncommenting only the PasswordAuthenticator line:
    authenticator: org.apache.cassandra.auth.PasswordAuthenticator

    You can use any authenticator except AllowAll.

  2. Change the authorizer option by commenting out the AllowAllAuthorizer and adding the CassandraAuthorizer:
    #authorizer: org.apache.cassandra.auth.AllowAllAuthorizer
    authorizer: org.apache.cassandra.auth.CassandraAuthorizer
  3. Restart the node.
  4. Configure the system_auth keyspace replication factor.

    Fetching permissions can be an expensive operation. If necessary, adjust the validity period for permissions caching by setting the permissions_validity_in_ms option in the cassandra.yaml file. You can also disable permission caching by setting this option to 0.

  5. Run a full repair of the system_auth keyspace.
  6. Start cqlsh using the same superuser name and password (cassandra) that you use to start the supported client. For example, to start cqlsh in CQL 3 mode on Linux:
    ./cqlsh -u cassandra -p cassandra
    You can now change the superuser's user name and password.
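
A way to confirm that steps 1 and 2 were applied together before restarting a node, as an added example that is not part of the original documentation. The function names `active_settings` and `audit` and the sample file contents are constructed for illustration; the check reads only uncommented, top-level lines and also reports when permission caching is disabled.

```python
import re

# Constructed sample: step 1 was applied, step 2 was not.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
#authenticator: AllowAllAuthenticator
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
authorizer: org.apache.cassandra.auth.AllowAllAuthorizer
permissions_validity_in_ms: 0
"""

AUDITED = ("authenticator", "authorizer", "permissions_validity_in_ms")
# Uncommented top-level "key: value" line, with an optional trailing comment.
LINE = re.compile(r"^(\w+):\s*(.*?)\s*(?:#.*)?$")


def active_settings(text):
    """Collect values of uncommented, top-level lines for the audited keys."""
    found = {key: [] for key in AUDITED}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in found:
            found[m.group(1)].append(m.group(2).strip("'\""))
    return found


def audit(text):
    """Return a list of findings; an empty list means steps 1 and 2 look applied."""
    settings = active_settings(text)
    findings = []
    for key in ("authenticator", "authorizer"):
        values = settings[key]
        if len(values) != 1:
            # Zero lines (nothing uncommented) or duplicates are both ambiguous.
            findings.append(f"{key}: expected one uncommented line, found {len(values)}")
        elif values[0].rsplit(".", 1)[-1].startswith("AllowAll"):
            findings.append(f"{key}: {values[0]} is still active")
    if settings["permissions_validity_in_ms"][-1:] == ["0"]:
        findings.append("permissions_validity_in_ms: 0 disables permission caching")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_YAML):
        print(finding)
```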