Configuring authentication
Steps for configuring authentication.
Procedure
- Change the authenticator option in the cassandra.yaml file to PasswordAuthenticator:
authenticator: PasswordAuthenticator
By default, the authenticator option is set to AllowAllAuthenticator. The location of the cassandra.yaml file depends on the type of installation:
Package installations: /etc/cassandra/cassandra.yaml
Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml
- Restart Cassandra.
- Start cqlsh using the default superuser name and password:
cqlsh -u cassandra -p cassandra
- To ensure that the keyspace is always available, increase the replication factor for the system_auth keyspace to 3 to 5 nodes per datacenter (recommended):
cqlsh> ALTER KEYSPACE "system_auth" WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};
The system_auth keyspace uses a QUORUM consistency level when checking authentication for the default cassandra user. For all other users created, superuser or otherwise, a LOCAL_ONE consistency level is used for authenticating.
CAUTION: Leaving the default replication factor of 1 set for the system_auth keyspace results in denial of access to the cluster if the single replica of the keyspace goes down. For multiple datacenters, be sure to set the replication class to NetworkTopologyStrategy.
- After increasing the replication factor of a keyspace, run nodetool repair to make certain the change is propagated:
$ nodetool repair system_auth
- Restart Cassandra.
- Start cqlsh using the superuser name and password:
cqlsh -u cassandra -p cassandra
- To prevent security breaches, replace the default superuser, cassandra, with another superuser with a different name:
cqlsh> CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>' AND SUPERUSER = true AND LOGIN = true;
The default user cassandra reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE.
- Log in as the newly created superuser:
cqlsh -u <new_super_user> -p <some_secure_password>
- The cassandra superuser cannot be deleted from Cassandra. To neutralize the account, change the password to something long and incomprehensible, and alter the user's status to NOSUPERUSER:
cqlsh> ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf' AND SUPERUSER=false;
- Once you create some new roles, you are ready to authorize those roles to access database objects.
- Fetching role authentication can be a costly operation. To decrease the burden, adjust the validity period for role caching with the roles_validity_in_ms option in the cassandra.yaml file (default 2000 milliseconds):
roles_validity_in_ms: 2000
To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
- Configure the refresh interval for role caches by setting the roles_update_interval_in_ms option in the cassandra.yaml file (default 2000 ms):
roles_update_interval_in_ms: 2000
If roles_validity_in_ms is non-zero, this setting must be set.
Note: The credentials are cached in their encrypted form.
- Fetching credentials authentication can be a costly operation. To decrease the burden, adjust the validity period for credential caching with the credentials_validity_in_ms option in the cassandra.yaml file (default 2000 ms):
credentials_validity_in_ms: 2000
To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
- To set the refresh interval for credentials caches, use the credentials_update_interval_in_ms option (default 2000 ms):
credentials_update_interval_in_ms: 2000
If credentials_validity_in_ms is non-zero, this setting must be set.
- To disable configuration of authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options file:
#-Dcassandra.disable_auth_caches_remote_configuration=true
After setting this option, cache options can only be set in the cassandra.yaml file. To make the new setting take effect, restart Cassandra.
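The cassandra.yaml and jvm.options settings from the procedure above can be checked before a restart. The following is an added example, not part of the Cassandra documentation or the project's code: it reads the top-level key: value lines of a cassandra.yaml (a minimal reader, so no PyYAML is needed and nested YAML is ignored), reports the settings this page says to change, and checks whether the JMX cache-configuration line in jvm.options is uncommented. The sample configurations are constructed for the example.

```python
# Added example (not from the Cassandra/DataStax docs): audit the auth settings
# covered on this page. Minimal reader: only top-level "key: value" lines.

def parse_simple_yaml(text):
    """Return top-level 'key: value' pairs; comments and nested lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line or line[0].isspace() or ":" not in line:
            continue                                   # blank, nested, or not a pair
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings

def audit_cassandra_yaml(text):
    """Return a list of findings against the guidance on this page."""
    cfg = parse_simple_yaml(text)
    findings = []
    # Page: the default is AllowAllAuthenticator, so a missing key is the weak case.
    if cfg.get("authenticator", "AllowAllAuthenticator") != "PasswordAuthenticator":
        findings.append("authenticator is not PasswordAuthenticator: logins are unauthenticated")
    # Page: if *_validity_in_ms is non-zero, *_update_interval_in_ms must be set.
    for cache in ("roles", "credentials"):
        validity = cfg.get(f"{cache}_validity_in_ms", "2000")   # page default: 2000 ms
        if validity != "0" and f"{cache}_update_interval_in_ms" not in cfg:
            findings.append(f"{cache}_validity_in_ms is {validity} but "
                            f"{cache}_update_interval_in_ms is not set")
    return findings

def jmx_cache_config_disabled(jvm_options_text):
    """True only if the jvm.options line is present and uncommented."""
    target = "-Dcassandra.disable_auth_caches_remote_configuration=true"
    return any(raw.strip() == target for raw in jvm_options_text.splitlines())

# Constructed sample inputs (not real cluster files).
WEAK_YAML = """authenticator: AllowAllAuthenticator
roles_validity_in_ms: 2000
credentials_validity_in_ms: 0
"""
HARDENED_YAML = """authenticator: PasswordAuthenticator   # per this page
roles_validity_in_ms: 2000
roles_update_interval_in_ms: 2000
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
"""
JVM_OPTIONS = "# other options\n-Dcassandra.disable_auth_caches_remote_configuration=true\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_YAML), ("hardened", HARDENED_YAML)):
        print(name, audit_cassandra_yaml(text) or ["no findings"])
    print("JMX cache configuration disabled:", jmx_cache_config_disabled(JVM_OPTIONS))
```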