Configuring internal authorization
Steps for adding the CassandraAuthorizer.
CassandraAuthorizer is one of many possible IAuthorizer implementations. Its advantage is that it stores permissions in the system_auth.permissions table to support all authorization-related CQL statements. To activate it, change the authorizer option in cassandra.yaml to use the CassandraAuthorizer.
Note: To configure authentication, see Internal authentication.
The location of the cassandra.yaml file depends on the type of installation:
Package installations | /etc/cassandra/cassandra.yaml |
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |
Procedure
- In the cassandra.yaml file, comment out the default AllowAllAuthorizer and add the CassandraAuthorizer.
    authorizer: CassandraAuthorizer
  You can use any authenticator except AllowAll.
- Increase the replication factor for the system_auth keyspace if not already configured.
- Fetching role permissions can be a costly operation. Role permissions can be cached to decrease the burden. Adjust the validity period for permission caching by setting the permissions_validity_in_ms option in the cassandra.yaml file. The default value is 2000 milliseconds. The caching can be disabled by setting the option to 0. This setting is disabled automatically if the authorizer is set to AllowAllAuthorizer.
    permissions_validity_in_ms: 2000
- A refresh interval for role caches can also be configured by setting the permissions_update_interval_in_ms option in the cassandra.yaml file. The default value is the same value as the permissions_validity_in_ms setting. If permissions_validity_in_ms is non-zero, this setting must be set.
    permissions_update_interval_in_ms: 2000
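
The following is an added example, not part of the original documentation: a small Python check that reads a cassandra.yaml and reports which of the procedure's settings are missing or still at the permissive default. The two sample files are constructed, the parser reads only simple top-level key: value lines (an assumption that holds for these four options), and the function names are hypothetical.

```python
import re

# Constructed sample files (not taken from a real cluster).
DEFAULT_YAML = """\
authenticator: PasswordAuthenticator
authorizer: AllowAllAuthorizer
# authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
"""
HARDENED_YAML = """\
authenticator: PasswordAuthenticator
# authorizer: AllowAllAuthorizer
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
"""

def top_level_settings(text):
    """Collect uncommented, unindented 'key: value' pairs; the last one wins."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*(?:#.*)?$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings

def audit(text):
    """Return a list of findings; an empty list means the steps were followed."""
    s = top_level_settings(text)
    findings = []
    # The page names AllowAllAuthorizer as the default.
    authorizer = s.get("authorizer", "AllowAllAuthorizer")
    if authorizer.split(".")[-1] != "CassandraAuthorizer":
        findings.append(f"authorizer is {authorizer}, not CassandraAuthorizer")
    # Cassandra's shipped default authenticator is AllowAllAuthenticator.
    if "AllowAll" in s.get("authenticator", "AllowAllAuthenticator"):
        findings.append("authenticator is AllowAll; use any other authenticator")
    raw = s.get("permissions_validity_in_ms", "2000")  # page: default is 2000 ms
    if not raw.isdigit():
        findings.append(f"permissions_validity_in_ms is not a number: {raw!r}")
    elif int(raw) > 0 and not s.get("permissions_update_interval_in_ms", "").isdigit():
        findings.append("permissions_update_interval_in_ms must be set when validity is non-zero")
    return findings

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_YAML), ("hardened", HARDENED_YAML)):
        print(name, audit(text) or "OK")
```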