Creating Kerberos users
You can use password authentication or the cassandra@REALM Kerberos principal to create Kerberos users.
DataStax Enterprise automatically creates a cassandra
superuser,
which you can authenticate as and use cqlsh to create other
users. Two methods are available:
-
Use password authentication:
- In the cassandra.yaml file, set the authenticator
to
org.apache.cassandra.auth.PasswordAuthenticator
:authenticator: org.apache.cassandra.auth.PasswordAuthenticator
- Start cqlsh and login using the superuser name and
password:
$ ./cqlsh -u cassandra -p cassandra
- Create the other Kerberos users, such as
user@REALM
. Be sure to create at least one with superuser privileges. - Remove the
cassandra
user. See DROP USER. This step is optional but highly recommended. - Re-enable Kerberos authorization in the
cassandra.yaml
file:
authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
- In the cassandra.yaml file, set the authenticator
to
- Use the
cassandra@REALM
Kerberos principal:- As shown in step 6
in Authenticating a DataStax Enterprise cluster with Kerberos,
create a
cassandra@REALM
Kerberos principal and turn on Kerberos authorization. - Log in and create the other Kerberos users. Be sure to create at least one with superuser privileges.
- Remove the cassandra user. See DROP USER. This step is optional but highly recommended.
- As shown in step 6
in Authenticating a DataStax Enterprise cluster with Kerberos,
create a