Set internal authentication and authorization at the same time, then set object permissions.
You must set internal authentication and authorization at the same time. After setting the Authorizer and the Authenticator in the cassandra.yaml file, set object permissions, as described in Managing object permissions using internal authorization.
Procedure
Perform the first three steps on every node.
- Change the authenticator option in the cassandra.yaml file to the native Cassandra PasswordAuthenticator by uncommenting only the PasswordAuthenticator:
The location of the cassandra.yaml file depends on the type of installation:
Package installations | /etc/dse/cassandra/cassandra.yaml
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
You can use any authenticator except AllowAll.
- Change the authorizer option by commenting the AllowAllAuthorizer and adding the CassandraAuthorizer:
#authorizer: org.apache.cassandra.auth.AllowAllAuthorizer
authorizer: org.apache.cassandra.auth.CassandraAuthorizer
- Restart the node.
- On one node, configure the system_auth keyspace replication factor.
Fetching permissions can be an expensive operation. If necessary, adjust the validity period for permissions caching by setting the permissions_validity_in_ms option in cassandra.yaml. You can also disable permission caching by setting this option to 0.
- Run a full repair of the system_auth keyspace.
- Start cqlsh using the same superuser name and password (cassandra) that you use to start the supported client. For example, to start cqlsh on Linux:
./cqlsh -u cassandra -p cassandra
Note: Do not use the default cassandra user in production. The cassandra user is provided for development and testing only.
- Change the superuser's user name and password.
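
A read-only check for the first two steps, added here as an example and not part of the original documentation: it flags a cassandra.yaml in which the authenticator or authorizer is still AllowAll, is unset, or is set twice because the old line was not commented out. The function names and both sample files are constructed, and treating an unset key as the AllowAll default is an assumption.

```python
import re

# Classes the page rules out; leaving either active means auth is not enforced.
ALLOW_ALL = {"AllowAllAuthenticator", "AllowAllAuthorizer"}
KEYS = ("authenticator", "authorizer", "permissions_validity_in_ms")
LINE = re.compile(r"^(\w+)\s*:\s*([^#\s]+)")

def active_settings(yaml_text):
    """Map each key of interest to every uncommented value found for it."""
    found = {key: [] for key in KEYS}
    for raw in yaml_text.splitlines():
        m = LINE.match(raw)  # lines starting with '#' do not match
        if m and m.group(1) in found:
            found[m.group(1)].append(m.group(2).strip("'\""))
    return found

def audit(yaml_text):
    """Return (level, message) findings for one node's cassandra.yaml text."""
    settings = active_settings(yaml_text)
    findings = []
    for key in ("authenticator", "authorizer"):
        values = settings[key]
        if not values:  # assumption: an unset key falls back to AllowAll
            findings.append(("FAIL", f"{key} not set (assumed AllowAll default)"))
        elif len(values) > 1:
            findings.append(("FAIL", f"{key} set {len(values)} times; comment out the old line"))
        elif values[0].rsplit(".", 1)[-1] in ALLOW_ALL:
            findings.append(("FAIL", f"{key} is still {values[0]}"))
    if settings["permissions_validity_in_ms"] == ["0"]:
        findings.append(("NOTE", "permissions caching is disabled"))
    return findings

# Constructed sample: authenticator changed, authorizer left at AllowAll.
HALF_DONE = """\
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
authorizer: org.apache.cassandra.auth.AllowAllAuthorizer
permissions_validity_in_ms: 0
"""
# Constructed sample matching the two configuration steps on this page.
DONE = """\
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
#authorizer: org.apache.cassandra.auth.AllowAllAuthorizer
authorizer: org.apache.cassandra.auth.CassandraAuthorizer
"""

if __name__ == "__main__":
    for name, text in (("half done", HALF_DONE), ("done", DONE)):
        print(name, audit(text) or "OK")
```

Run it against the file on every node before the restart step, since the first three steps apply to each node.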