Configuring authentication

Steps for configuring authentication.

Steps for configuring authentication.

Procedure

  1. Change the authenticator option in the cassandra.yaml file to PasswordAuthenticator:
    authenticator: PasswordAuthenticator

    By default, the authenticator option is set to AllowAllAuthenticator.

    The location of the cassandra.yaml file depends on the type of installation:
    Package installations /etc/cassandra/cassandra.yaml
    Tarball installations install_location/resources/cassandra/conf/cassandra.yaml
  2. Restart Cassandra.
  3. Start cqlsh using the default superuser name and password:
     cqlsh -u cassandra -p cassandra
  4. To ensure that the keyspace is always available, increase the replication factor for the system_auth keyspace to 3 to 5 nodes per datacenter (recommended):
    cqlsh> ALTER KEYSPACE "system_auth" 
    WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};

    The system_auth keyspace uses a QUORUM consistency level when checking authentication for the default cassandra user. For all other users created, superuser or otherwise, a LOCAL_ONE consistency level is used for authenticating.

    CAUTION: Leaving the default replication factor of 1 set for the system_auth keyspace results in denial of access to the cluster if the single replica of the keyspace goes down. For multiple datacenters, be sure to set the replication class to NetworkTopologyStrategy.
  5. After increasing the replication factor of a keyspace, run nodetool repair to make certain the change is propagated:
    $  nodetool repair system_auth
  6. Restart Cassandra.
  7. Start cqlsh using the superuser name and password:
     cqlsh -u cassandra -p cassandra
  8. To prevent security breaches, replace the default superuser, cassandra, with another superuser with a different name:
    cqlsh> CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>' 
        AND SUPERUSER = true 
        AND LOGIN = true;

    The default user cassandra reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE.

  9. Log in as the newly created superuser:
     cqlsh -u <new_super_user> -p <some_secure_password>
  10. The cassandra superuser cannot be deleted from Cassandra. To neutralize the account, change the password to something long and incomprehensible, and alter the user's status to NOSUPERUSER:
    cqlsh> ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf'
        AND SUPERUSER=false;
  11. Once you create some new roles, you are ready to authorize those roles to access database objects.
  12. Fetching role authentication can be a costly operation. To decrease the burden, adjust the validity period for role caching with the roles_validity_in_ms option in the cassandra.yaml file (default 2000 milliseconds):
    roles_validity_in_ms: 2000
    To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
  13. Configure the refresh interval for role caches by setting the roles_update_interval_in_ms option in the cassandra.yaml file (default 2000 ms):
    roles_update_interval_in_ms: 2000
    If roles_validity_in_ms is non-zero, this setting must be set.
    Note: The credentials are cached in their encrypted form.
The following steps apply only to Cassandra 3.4 and later:
  1. Fetching credentials authentication can be a costly operation. To decrease the burden, adjust the validity period for credential caching with the credentials_validity_in_ms option in the cassandra.yaml file (default 2000 ms):
    credentials_validity_in_ms: 2000
    To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
  2. To set the refresh interval for credentials caches, use the credentials_update_interval_in_ms option (default 2000 ms):
    credentials_update_interval_in_ms: 2000

    If credentials_validity_in_ms is non-zero, this setting must be set.

  3. To disable configuration of authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options file:
    #-Dcassandra.disable_auth_caches_remote_configuration=true

    After setting this option, cache options can only be set in the cassandra.yaml file. To make the new setting take effect, restart Cassandra.