Configuring and using internal authentication
Internal authentication is based on Cassandra-controlled login accounts and passwords.
Like object permission management that uses internal authorization, internal authentication is based on Cassandra-controlled login accounts and passwords. Internal authentication is supported on the following clients when you provide a user name and password to start up the client:
- Astyanax
- cassandra-cli
- cqlsh
- DataStax Java and C# drivers
- Hector
- pycassa
Internal authentication stores user names and bcrypt-hashed passwords in the system_auth.credentials table.
Limitations
DataStax Enterprise 4.0 - 4.0.2 does not support internal authentication in Solr, the dsetool, and Hadoop utilities. DataStax Enterprise 4.0.3 and later provides internal authentication support for some Hadoop tools.
Authentication for Hadoop tools
After configuring authentication in DataStax Enterprise 4.0.3, starting Hadoop requires a user name and password. These login credentials can be provided using a file or a command line option as follows:
Using a file
username=<username>
password=<password>
Using the command line
dse hadoop <command> -Dcassandra.username=<username> -Dcassandra.password=<password> <other options>
dse hive <hive options> -hiveconf cassandra.username=<username> -hiveconf cassandra.password=<password>
dse pig -Dcassandra.username=<username> -Dcassandra.password=<password> <pig options>
dse sqoop <sqoop options> --cassandra-username=<username> --cassandra-password=<password>
The dse command reference covers other
options.Hadoop tool authentication limitations
- Internal authentication is not supported for Mahout.
- Using internal authentication to run the hadoop jar
command is not supported.
The hadoop jar command accepts only the jar file name as an option, and rejects other options such as username and password. The main class in the jar is responsible for making sure that the credentials are applied to the job configuration.
-
In Pig scripts that use the custom storage handlers CqlStorage and CassandraStorage storage handlers, provide credentials in the URL of the URL-encoded prepared statement:
cql://<username>:<password>@<keyspace>/<columnfamily> cassandra://<username>:<password>@<keyspace>/<columnfamily>
Use this method of providing authentication for Pig commands regardless of the mechanism you use for passing credentials to Pig.