Enable internal security without downtime

TransitionalAuthenticator and TransitionalAuthorizer allow internal authentication and authorization to be enabled without downtime or modification to client code or configuration.

Procedure

  1. On each node, in the cassandra.yaml file:
    The location of the cassandra.yaml file depends on the type of installation:
    Package installations: /etc/dse/cassandra/cassandra.yaml
    Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml
    • Set the authenticator to com.datastax.bdp.cassandra.auth.TransitionalAuthenticator.
    • Set the authorizer to com.datastax.bdp.cassandra.auth.TransitionalAuthorizer.
  2. Perform a rolling restart.
  3. Run a full repair of the system_auth keyspace.
  4. After the restarts are complete, use cqlsh with the default superuser login to set up the users, credentials, and permissions.
  5. After the setup is complete, edit the cassandra.yaml file again and perform another rolling restart:
    • Change the authenticator to org.apache.cassandra.auth.PasswordAuthenticator.
    • Change the authorizer to org.apache.cassandra.auth.CassandraAuthorizer.
  6. After the restarts have completed, remove the default superuser and create at least one new superuser.
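
A check for steps 1 and 5, added here as an example and not DataStax's own tooling: it reads a node's cassandra.yaml and reports whether the file names the transitional pair, the final pair, or any other combination, which is worth confirming on every node before each rolling restart. The function names and the output labels (transitional, enforced, other) are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a cassandra.yaml by the authenticator/authorizer
# pair it configures. Class names are the ones given in the procedure above.

T_AUTHN=com.datastax.bdp.cassandra.auth.TransitionalAuthenticator
T_AUTHZ=com.datastax.bdp.cassandra.auth.TransitionalAuthorizer
P_AUTHN=org.apache.cassandra.auth.PasswordAuthenticator
P_AUTHZ=org.apache.cassandra.auth.CassandraAuthorizer

# Print the value of a top-level key, skipping commented-out lines and
# stripping any trailing "# comment".
yaml_value() {  # usage: yaml_value <key> <file>
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        $0 ~ "^" key ":" {
            sub("^" key ":[ \t]*", "")
            sub(/[ \t]*(#.*)?$/, "")
            print
            exit
        }' "$2"
}

# Print "transitional", "enforced", or "other ..." for one config file.
# A half-edited file (for example a final authenticator paired with a
# transitional authorizer) is reported as "other" with both values shown.
auth_phase() {  # usage: auth_phase <path to cassandra.yaml>
    authn=$(yaml_value authenticator "$1")
    authz=$(yaml_value authorizer "$1")
    case "$authn,$authz" in
        "$T_AUTHN,$T_AUTHZ") echo "transitional" ;;
        "$P_AUTHN,$P_AUTHZ") echo "enforced" ;;
        *) echo "other authenticator=${authn:-unset} authorizer=${authz:-unset}" ;;
    esac
}

# When called with file arguments, report each one.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(auth_phase "$f")"
    done
fi
```

Pass the path for the installation type, for example the package location /etc/dse/cassandra/cassandra.yaml, and compare the result across nodes before restarting.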