Configuring internal authentication and authorization

Set internal authentication and authorization at the same time, then set object permissions.

You must set internal authentication and authorization at the same time. After setting the Authorizer and the Authenticator in the cassandra.yaml file, set object permissions, as described in Managing object permissions using internal authorization.

Procedure

Perform the first three steps on every node.

  1. Change the authenticator option in the cassandra.yaml to the native Cassandra PasswordAuthenticator by uncommenting only the PasswordAuthenticator:
    The location of the cassandra.yaml file depends on the type of installation:
    Package installations /etc/dse/cassandra/cassandra.yaml
    Tarball installations install_location/resources/cassandra/conf/cassandra.yaml
    authenticator: org.apache.cassandra.auth.PasswordAuthenticator

    You can use any authenticator except AllowAll.

  2. Change the authorizer option by commenting the AllowAllAuthorizer and adding the CassandraAuthorizer:
    #authorizer: org.apache.cassandra.auth.AllowAllAuthorizer
    authorizer: org.apache.cassandra.auth.CassandraAuthorizer
  3. Restart the node.
  4. On one node, configure the system_auth keyspace replication factor.

    Fetching permissions can be an expensive operation. If necessary, adjust the validity period for permissions caching by setting the permissions_validity_in_ms option in cassandra.yaml. You can also disable permission caching by setting this option to 0.

  5. Run a full repair of the system_auth keyspace.
  6. Start cqlsh using the same superuser name and password (cassandra) that you use to start the supported client. For example, to start cqlsh on Linux:
    ./cqlsh -u cassandra -p cassandra
    Note: Do not use the default cassandra user in production. The cassandra user is provided for development and testing only.
  7. Change the superuser's user name and password.