Configuring internal authorization
Steps for adding the CassandraAuthorizer.
CassandraAuthorizer is one of many possible IAuthorizer implementations. Its
advantage is that it stores permissions in the
system_auth.permissions table to support all
authorization-related CQL statements. To activate it, change the
authorizer option in
cassandra.yaml to use the
CassandraAuthorizer.
Note: To configure authentication, see Internal authentication.
The location of the cassandra.yaml file depends on the type of installation:
| Cassandra package installations | /etc/cassandra/cassandra.yaml |
| Cassandra tarball installations | install_location/cassandra/conf/cassandra.yaml |
Procedure
- In the cassandra.yaml file, comment out the default AllowAllAuthorizer and add the CassandraAuthorizer.

      authorizer: CassandraAuthorizer

  You can use any authenticator except AllowAll.
- Increase the replication factor for the system_auth keyspace if not already configured.
- Fetching role permissions can be a costly operation. Role permissions can be cached to decrease the burden. Adjust the validity period for permission caching by setting the permissions_validity_in_ms option in the cassandra.yaml file. The default value is 2000 milliseconds. The caching can be disabled by setting the option to 0. This setting is disabled automatically if the authorizer is set to AllowAllAuthorizer.

      permissions_validity_in_ms: 2000

- A refresh interval for role caches can also be configured by setting the permissions_update_interval_in_ms option in the cassandra.yaml file. The default value is the same value as the permissions_validity_in_ms setting. If permissions_validity_in_ms is non-zero, this setting must be set.

      permissions_update_interval_in_ms: 2000
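The following audit of the cassandra.yaml settings from this procedure is an added example, not part of the Cassandra documentation or code base. The sample files are constructed, the function names are hypothetical, and MAX_VALIDITY_MS is an assumed local policy limit: cached permissions stay in use until they expire, so a long validity period delays the effect of a REVOKE.

```python
import re

# Constructed sample files for illustration (not taken from a real cluster).
WEAK = """\
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
# authorizer: CassandraAuthorizer
permissions_validity_in_ms: 600000
"""
HARDENED = """\
authenticator: PasswordAuthenticator
# authorizer: AllowAllAuthorizer
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
"""
MAX_VALIDITY_MS = 60000  # assumed local policy limit, not a Cassandra default

def top_level_settings(text):
    """Collect uncommented, top-level scalar `key: value` lines."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z_]\w*):[ \t]*([^#\n]*)", line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip("'\"")
    return found

def audit_authorization(text):
    """Return findings for the settings in the procedure; [] means clean."""
    cfg, findings = top_level_settings(text), []
    # Class names may be fully qualified; compare the short name only.
    authorizer = cfg.get("authorizer", "AllowAllAuthorizer").rsplit(".", 1)[-1]
    authenticator = cfg.get("authenticator", "AllowAllAuthenticator").rsplit(".", 1)[-1]
    if authorizer != "CassandraAuthorizer":
        findings.append(f"authorizer is {authorizer}, not CassandraAuthorizer")
    if authenticator.startswith("AllowAll"):
        findings.append("authenticator is AllowAll, which the procedure excludes")
    validity = int(cfg.get("permissions_validity_in_ms") or 2000)
    if authorizer == "AllowAllAuthorizer":
        validity = 0  # per the page, the cache is disabled for this authorizer
    if validity and "permissions_update_interval_in_ms" not in cfg:
        findings.append("permissions_update_interval_in_ms is not set")
    if validity > MAX_VALIDITY_MS:
        findings.append(f"permissions cached for {validity} ms; a REVOKE can lag that long")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_authorization(sample) or "OK")
```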
