Configuring system_auth and dse_security keyspace replication

The system_auth and dse_security keyspaces store security authentication and authorization information.

Cassandra uses the system_auth and dse_security keyspaces for storing security authentication and authorization information.
  • DataStax Enterprise uses the system_auth keyspace when you enable any kind of authentication.
  • DataStax Enterprise uses the dse_security keyspace only on analytics nodes (CFS, Hadoop, Spark) when you enable Kerberos authentication.
Increase the replication factor of these keyspaces depending on your failure tolerance. Data is queried at a consistency level LOCAL_ONE or QUORUM. See About write consistency. The data can be queried frequently. In small clusters, such as those with fewer than 10 nodes, you can set the replication strategy to EverywhereStrategy. However, for larger clusters, choose Simple or Network replication strategy with the replication factor based on your specific requirements.
Attention: To prevent a potential problem logging into a secure cluster, set the replication factor of the system_auth and dse_security keyspaces to a value that is greater than 1. In a multi-node cluster, using the default of 1 prevents logging into any node when the node that stores the user data is down.

Use a keyspace command such as ALTER KEYSPACE to change the replication factor.

Setting the replication factor 

Follow this procedure to increase the default replication factor of 1 of the system_auth and dse_security keyspaces.

Procedure

  1. Set the replication factor based on one of the following examples depending on your environment:
    • SimpleStrategy example:
      ALTER KEYSPACE "system_auth"
         WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 3 };
      
      ALTER KEYSPACE "dse_security"
         WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 3 };
    • NetworkTopologyStrategy example:
      ALTER KEYSPACE "system_auth"
         WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};
      
      ALTER KEYSPACE "dse_security"
         WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};
  2. Run the nodetool repair command on the system_auth and dse_security keyspaces. (nodetool repair system_auth; nodetool repair dse_security)
    $ nodetool repair system_auth
    $ nodetool repair dse_security