Configure authentication and authorization
In order to use authentication and authorization with CQL, you must configure the authenticator option in the cassandra.yaml
file.
Change the authenticator
option in the cassandra.yaml
file
The authenticator
option specifies the implementation to use for authentication.
The default value is AllowAllAuthenticator
, which allows any user to connect without authenticating.
To enable authentication, set the authenticator option to PasswordAuthenticator
.
Another authentication parameter is set in the cassandra.yaml
file, but does not require changing.
The role_manager
option specifies the implementation to use for role management.
The default value is CassandraRoleManager
and should not be changed.
After setting the authenticator option, restart the node for the change to take effect. If you have more than one node in the cluster, you must change the YAML settings on each node and restart.
Optional: Configure the system_auth
keyspace
To ensure that the keyspace is always available, increase the replication factor for the system_auth
keyspace to 3 to 5 nodes per datacenter (recommended) that running the cluster in a multi-datacenter configuration.
ALTER KEYSPACE "system_auth" WITH REPLICATION =
{'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};
The system_auth
keyspace uses a QUORUM consistency level when checking authentication for the default cassandra user.
For all other users created, superuser or otherwise, a LOCAL_ONE consistency level is used for authenticating.
Leaving the default replication factor set to 1 for the system_auth
keyspace can result in denial of access to the cluster if the single replica of the keyspace goes down.
After increasing the replication factor of a keyspace, run nodetool repair
to make certain the change is propagated:
nodetool repair system_auth
Altering this keyspace requires a cluster restart.
Verify that authentication is enabled
Start cqlsh
using the default superuser name and password:
cqlsh -u cassandra -p cassandra
To prevent security breaches, replace the default superuser, cassandra
, with another superuser with a different name:
CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>'
AND SUPERUSER = true
AND LOGIN = true;
The default user cassandra
reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE.
Verify that the new superuser can log in
Log in as the newly created superuser:
cqlsh -u <new_super_user> -p <some_secure_password>
The cassandra superuser cannot be deleted from Cassandra. To neutralize the account, change the password to something long and incomprehensible, and alter the user’s status to non-superuser:
ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf'
AND SUPERUSER=false;
Change the authorizer
option in the cassandra.yaml
file
The authorizer
option specifies the implementation to use for authorization.
The default value is AllowAllAuthorizer
, which allows any user to access any database objects without an authorizer.
To enable authorization, set the authorizer option to CassandraAuthorizer
.
After setting the authorizer
option, restart the node for the change to take effect.
If you have more than one node in the cluster, you must change the YAML settings on each node and restart.
Additional configuration options
There are a number of additional configuration options that you can set in the cassandra.yaml
file to configure authentication and authorization.
Option | Description | Default Value |
---|---|---|
|
The validity period for role caching. Fetching role authentication can be a costly operation. Decrease the burden by adjusting the validity period for role caching. To disable, set this option to 0. |
2000 milliseconds |
|
The refresh interval for role caches.
Must be set to a non-zero value if
|
2000 milliseconds |
|
The validity period for credentials caches. To disable, set this option to 0. |
2000 milliseconds |
|
The refresh interval for credentials caches.
Must be set to a non-zero value if
|
2000 milliseconds |
To disable configuration of authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options
file:
#-Dcassandra.disable_auth_caches_remote_configuration=true
After setting this option, cache options can only be set in the cassandra.yaml
file.
To allow the new setting to take effect, restart the cluster.