Changing the default superuser

You can replace the default cassandra superuser with a superuser account of your own.

By default, each installation of Cassandra includes a superuser account named cassandra whose password is also cassandra. Superuser permissions allow creation and deletion of other users and the ability to grant or revoke permissions.

Note: Use the default cassandra user only to assist with initial setup of new users and superusers, and then disable it.
  • Logins for the cassandra user are performed with QUORUM consistency.

    Do not use the default cassandra user in production, because QUORUM consistency causes significant performance degradation across multiple datacenters.

  • Logins for all other users are performed with LOCAL_ONE consistency. See Configuring consistency levels.

Best practices for security and performance:
  • Restrict rights of users as appropriate for security. For example, do not allow access to other keyspaces.
  • Follow these steps to change the default superuser.

At installation, OpsCenter Lifecycle Manager prompts you to change the default superuser password.

Procedure

  1. Configure authentication if you have not already done so.
  2. Create another superuser, not named cassandra, using the CREATE ROLE command.
  3. Log in as that new superuser.
  4. Change the cassandra user password to something long and incomprehensible, and then forget about it. It won't be used again.
  5. Take away the cassandra user's superuser status.
  6. Now that the superuser password is secure, set up user accounts and roles, and then authorize roles to access the database objects by using CQL to grant them permissions on those objects.
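The procedure above written out as CQL, as an added example that is not part of the original documentation. The role names dba_admin, app_rw and app_user, the inventory keyspace and the bracketed passwords are placeholders, and the example assumes authentication is already configured (step 1).

```cql
-- Step 2: while logged in as the default cassandra user, create the
-- replacement superuser. Name and password are placeholders.
CREATE ROLE dba_admin
  WITH PASSWORD = '<long-random-password-1>'
  AND SUPERUSER = true
  AND LOGIN = true;

-- Step 3: exit cqlsh and reconnect as the new superuser, for example:
--   cqlsh -u dba_admin
-- A role cannot change its own superuser status, so steps 4 and 5
-- must be run from this new session, not as cassandra.

-- Steps 4 and 5: replace the well-known password and remove
-- superuser status from the default account in one statement.
ALTER ROLE cassandra
  WITH PASSWORD = '<long-random-password-2>'
  AND SUPERUSER = false;

-- Check the result: the "super" column should be False for cassandra
-- and True for dba_admin.
LIST ROLES;

-- Step 6: create a permission-holding role scoped to one keyspace,
-- then a login role that inherits from it. Roles created without
-- LOGIN = true cannot authenticate, so app_rw is a grant container only.
CREATE ROLE app_rw;
GRANT SELECT ON KEYSPACE inventory TO app_rw;
GRANT MODIFY ON KEYSPACE inventory TO app_rw;

CREATE ROLE app_user
  WITH PASSWORD = '<app-password>'
  AND LOGIN = true;
GRANT app_rw TO app_user;

-- Confirm that app_user holds only the permissions granted above
-- and has no access to other keyspaces.
LIST ALL PERMISSIONS OF app_user;
```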

    CQL supports the following authentication statements: