Changing the default superuser

You can change the default superuser from the default cassandra user.

By default, each installation of Cassandra includes a superuser account named cassandra whose password is also cassandra. Superuser permissions allows creation and deletion of other users and the ability to grant or revoke permissions.

Note: Use the default cassandra user only to assist with initial setup of new users and superusers, and then disable it.
  • Logins for the cassandra user are performed with QUORUM consistency.

    Do not use the default cassandra user in production, because QUORUM consistency has significant performance degradation for multiple data centers.

  • Logins for all other users are performed with LOCAL_ONE consistency.
Best practices for security and performance:
  • Restrict rights of users as appropriate for security. For example, do not allow access to other keyspaces.
  • Follow these steps to change the default superuser.


  1. Configure internal authentication if you have not already done so.
  2. Create another superuser, not named cassandra, using the CREATE USER command.
  3. Log in as that new superuser.
  4. Change the cassandra user password to something long and incomprehensible, and then forget about it. It won't be used again.
  5. Take away the cassandra user's superuser status.
  6. Now, that the superuser password is secure, set up user accounts and authorize users to access the database objects by using CQL to grant them permissions on those objects.

    CQL supports the following authentication statements: