Configure authentication and authorization

In order to use authentication and authorization with CQL, you must configure the authenticator option in the cassandra.yaml file.

Change the authenticator option in the cassandra.yaml file

The authenticator option specifies the implementation to use for authentication. The default value is AllowAllAuthenticator, which allows any user to connect without authenticating. To enable authentication, set the authenticator option to PasswordAuthenticator.

Another authentication parameter is set in the cassandra.yaml file, but does not require changing. The role_manager option specifies the implementation to use for role management. The default value is CassandraRoleManager and should not be changed.

After setting the authenticator option, restart the node for the change to take effect. If you have more than one node in the cluster, you must change the YAML settings on each node and restart.

Optional: Configure the system_auth keyspace

To ensure that the keyspace is always available, increase the replication factor for the system_auth keyspace to 3 to 5 nodes per datacenter (recommended) that running the cluster in a multi-datacenter configuration.

ALTER KEYSPACE "system_auth" WITH REPLICATION =
    {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};

The system_auth keyspace uses a QUORUM consistency level when checking authentication for the default cassandra user. For all other users created, superuser or otherwise, a LOCAL_ONE consistency level is used for authenticating.

Leaving the default replication factor set to 1 for the system_auth keyspace can result in denial of access to the cluster if the single replica of the keyspace goes down.

After increasing the replication factor of a keyspace, run nodetool repair to make certain the change is propagated:

nodetool repair system_auth

Altering this keyspace requires a cluster restart.

Verify that authentication is enabled

Start cqlsh using the default superuser name and password:

cqlsh -u cassandra -p cassandra

To prevent security breaches, replace the default superuser, cassandra, with another superuser with a different name:

CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>'
    AND SUPERUSER = true
    AND LOGIN = true;

The default user cassandra reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE.

Verify that the new superuser can log in

Log in as the newly created superuser:

cqlsh -u <new_super_user> -p <some_secure_password>

The cassandra superuser cannot be deleted from Cassandra. To neutralize the account, change the password to something long and incomprehensible, and alter the user’s status to non-superuser:

ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf'
    AND SUPERUSER=false;

Change the authorizer option in the cassandra.yaml file

The authorizer option specifies the implementation to use for authorization. The default value is AllowAllAuthorizer, which allows any user to access any database objects without an authorizer. To enable authorization, set the authorizer option to CassandraAuthorizer.

After setting the authorizer option, restart the node for the change to take effect. If you have more than one node in the cluster, you must change the YAML settings on each node and restart.

Additional configuration options

There are a number of additional configuration options that you can set in the cassandra.yaml file to configure authentication and authorization.

Option Description Default Value

roles_validity_in_ms

The validity period for role caching. Fetching role authentication can be a costly operation. Decrease the burden by adjusting the validity period for role caching. To disable, set this option to 0.

2000 milliseconds

roles_update_interval_in_ms

The refresh interval for role caches. Must be set to a non-zero value if role_validity_in_ms is non-zero.

2000 milliseconds

credentials_validity_in_ms

The validity period for credentials caches. To disable, set this option to 0.

2000 milliseconds

credentials_update_interval_in_ms

The refresh interval for credentials caches. Must be set to a non-zero value if credentials_validity_in_ms is non-zero.

2000 milliseconds

To disable configuration of authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options file:

#-Dcassandra.disable_auth_caches_remote_configuration=true

After setting this option, cache options can only be set in the cassandra.yaml file. To allow the new setting to take effect, restart the cluster.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com