Configuring system_auth and dse_security keyspace replication

The system_auth and dse_security keyspaces store security authentication and authorization information.

The system_auth and dse_security keyspaces store security authentication and authorization information.
  • DataStax Enterprise uses the system_auth keyspace when you enable any kind of authentication.
  • DataStax Enterprise uses the dse_security keyspace on all nodes.
Increase the replication factor of these keyspaces depending on your failure tolerance. Data is queried at a consistency level LOCAL_ONE or QUORUM. See About write consistency. The data can be queried frequently. In small clusters, such as those with fewer than 10 nodes, you can set the replication strategy to EverywhereStrategy. However, for larger clusters, choose Simple or Network replication strategy with the replication factor based on your specific requirements.
Attention: To prevent a potential problem logging into a secure cluster, set the replication factor of the system_auth and dse_security keyspaces to a value that is greater than 1. In a multi-node cluster, using the default of 1 prevents logging into any node when the node that stores the user data is down.

Use a keyspace command such as ALTER KEYSPACE to change the replication factor.

Setting the replication factor 

Follow this procedure to increase the replication factor of the system_auth and dse_security keyspaces.

Procedure

  1. Set the replication factor based on one of the following examples depending on your environment:
    • SimpleStrategy example:
      ALTER KEYSPACE "system_auth"
         WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 3 };
      
      ALTER KEYSPACE "dse_security"
         WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 3 };
    • NetworkTopologyStrategy example:
      ALTER KEYSPACE "system_auth"
         WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};
      
      ALTER KEYSPACE "dse_security"
         WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 2};
  2. Run nodetool repair on the system_auth and dse_security keyspaces.
    nodetool repair system_auth
    $ nodetool repair dse_security
    Note: When changing the replication strategy, you must run nodetool repair with the --full option. (Starting with Cassandra 3.0 incremental repair is the default.)