Configure authentication and authorization
In order to use authentication and authorization with CQL, you must configure the authenticator option in the cassandra.yaml file.
If using DSE, additional configuration is required in the dse.yaml file.
Change the authenticator option in the cassandra.yaml file
The authenticator option specifies the implementation to use for authentication.
The default value is AllowAllAuthenticator, which allows any user to connect without authenticating.
To enable authentication, set the authenticator option to com.datastax.bdp.cassandra.auth.DseAuthenticator.
There are additional configuration options in the dse.yaml file that you can use to configure authentication.
To enable authentication, set the authentication_options to:
authentication_options: enabled: true default_scheme: internal
Another authentication parameter is set in the cassandra.yaml file, but does not require changing.
The role_manager option specifies the implementation to use for role management.
The default value is CassandraRoleManager and should not be changed.
To enable role management, set the role_manager option to com.datastax.bdp.cassandra.auth.DseRoleManager, and should not be changed.
There is an additional configuration option in the dse.yaml file that you can use to configure role management:
role_management_options: mode: internal
This option specifies the role management mode. The default value is internal, which means that roles are managed internally by DSE.
After setting the authenticator option, restart the node for the change to take effect. If you have more than one node in the cluster, you must change the YAML settings on each node and restart.
Optional: Configure the system_auth keyspace
To ensure that the keyspace is always available, increase the replication factor for the system_auth keyspace to 3 to 5 nodes per datacenter (recommended) that running the cluster in a multi-datacenter configuration.
ALTER KEYSPACE "system_auth" WITH REPLICATION =
{'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};The system_auth keyspace uses a QUORUM consistency level when checking authentication for the default cassandra user.
For all other users created, superuser or otherwise, a LOCAL_ONE consistency level is used for authenticating.
Leaving the default replication factor set to 1 for the system_auth keyspace can result in denial of access to the cluster if the single replica of the keyspace goes down.
After increasing the replication factor of a keyspace, run nodetool repair to make certain the change is propagated:
nodetool repair system_authAltering this keyspace requires a cluster restart.
Verify that authentication is enabled
Start cqlsh using the default superuser name and password:
cqlsh -u cassandra -p cassandraTo prevent security breaches, replace the default superuser, cassandra, with another superuser with a different name:
CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>'
AND SUPERUSER = true
AND LOGIN = true;The default user cassandra reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE.
Verify that the new superuser can log in
Log in as the newly created superuser:
cqlsh -u <new_super_user> -p <some_secure_password>The cassandra superuser cannot be deleted from Cassandra. To neutralize the account, change the password to something long and incomprehensible, and alter the user’s status to non-superuser:
ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf'
AND SUPERUSER=false;Change the authorizer option in the cassandra.yaml file
The authorizer option specifies the implementation to use for authorization.
The default value is AllowAllAuthorizer, which allows any user to access any database objects without an authorizer.
To enable authorization, set the authorizer option to com.datastax.bdp.cassandra.auth.DseAuthorizer.
There are additional configuration options in the dse.yaml file that you can use to configure authorization.
To enable authorization, set the authorization_options to:
authorization_options:
enabled: true
allow_row_level_security: true
Only set allow_row_level_security to true if you plan to use row-level security (RLAC) in your cluster.
After setting the authorizer option, restart the node for the change to take effect.
If you have more than one node in the cluster, you must change the YAML settings on each node and restart.
Additional configuration options
There are a number of additional configuration options that you can set in the cassandra.yaml file to configure authentication and authorization.
| Option | Description | Default Value |
|---|---|---|
|
The validity period for role caching. Fetching role authentication can be a costly operation. Decrease the burden by adjusting the validity period for role caching. To disable, set this option to 0. |
2000 milliseconds |
|
The refresh interval for role caches.
Must be set to a non-zero value if
|
2000 milliseconds |
|
The validity period for credentials caches. To disable, set this option to 0. |
2000 milliseconds |
|
The refresh interval for credentials caches.
Must be set to a non-zero value if
|
2000 milliseconds |
To disable configuration of authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options file:
#-Dcassandra.disable_auth_caches_remote_configuration=trueAfter setting this option, cache options can only be set in the cassandra.yaml file.
To allow the new setting to take effect, restart the cluster.
