Steps to configure authentication with the DSE Unified Authenticator.
The DSE Unified Authenticator provides authentication using any combination of internal Cassandra password authentication, LDAP pass-through authentication, and Kerberos authentication.
Authentication is off by default. Configure properties in the dse.yaml file and the cassandra.yaml file to enable and configure authentication.
You can also use OpsCenter for authenticating users with LDAP.
The location of the dse.yaml file depends on the type of installation:
Installation type | Location of dse.yaml
Installer-Services | /etc/dse/dse.yaml
Package installations | /etc/dse/dse.yaml
Installer-No Services | install_location/resources/dse/conf/dse.yaml
Tarball installations | install_location/resources/dse/conf/dse.yaml
The location of the cassandra.yaml file depends on the type of installation:
Installation type | Location of cassandra.yaml
Installer-Services | /etc/dse/cassandra/cassandra.yaml
Package installations | /etc/dse/cassandra/cassandra.yaml
Installer-No Services | install_location/resources/cassandra/conf/cassandra.yaml
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml
Procedure
On each node:
- In the cassandra.yaml file, verify that the authenticator and authorizer have the required values to use DSE Unified Authentication:
  - Change authenticator to DseAuthenticator. By default, the authenticator option is set to AllowAllAuthenticator.
  - Change authorizer to DseAuthorizer. By default, the authorizer option is set to AllowAllAuthorizer.
  authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
  authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
- In the dse.yaml file, set the DataStax Enterprise authentication options:
  authentication_options:
      enabled: true
      default_scheme: kerberos
      other_schemes:
          - internal
      scheme_permissions: true
      allow_digest_with_kerberos: false
      plain_text_without_ssl: warn
      transitional_mode: disabled
- Turn on authentication to use the DSE Unified Authenticator to authenticate users by setting enabled: true.
  The enabled option controls whether the DSE Unified Authenticator authenticates users. The DSE Unified Authenticator allows multiple authentication schemes to be used at the same time. The driver selects which scheme to use during authentication.
- Specify which authentication scheme to use if the driver does not request a specific scheme.
  For default_scheme, select one of these values:
- Specify other schemes that can be automatically selected for use by a driver.
  You cannot use other_schemes with DSE components that use Thrift, such as CFS and the CassandraHiveMetastore in Analytics data centers. Only the default_scheme is used by components that use Thrift drivers. For example, if default_scheme is set to kerberos and other_schemes is set to internal, only Kerberos authentication will work for those components.
  For other_schemes, specify a list of one or more of these authentication schemes:
  other_schemes:
      - kerberos
      - ldap
- Specify whether roles require permissions for specific authentication schemes.
  To enforce this, set scheme_permissions: true
- Specify whether digest-md5 authentication is allowed with Kerberos.
  Important: Required in analytics clusters to use Hadoop inter-node authentication with Hadoop and Spark jobs.
  To allow digest-md5 authentication with Kerberos, set allow_digest_with_kerberos: true
- Specify how the DseAuthenticator reacts to plain text authentication requests over unencrypted client connections.
  For plain_text_without_ssl, select one of these values:
  - block - Block the request with an authentication error.
  - warn - Log a warning about the request but allow it to continue.
  - allow - Allow the request without any warning.
- During setup of authentication in a cluster, DataStax Enterprise authentication can operate in a transitional mode, a temporary mode that supports enabling authentication without downtime. Specify whether the DseAuthenticator can operate in a transitional mode, and set permissive, normal, or strict authentication.
  For transitional_mode, select one of these values:
  - disabled - Transitional mode is disabled.
  - permissive - Only a superuser is authenticated and logged in. All other authentication attempts are logged in as the anonymous user.
  - normal - If credentials are passed, they are authenticated.
    - If the authentication is successful, the user is logged in.
    - If the authentication fails, the user is logged in as anonymous.
    - If no credentials are passed, the user is logged in as anonymous.
  - strict - If credentials are passed, they are authenticated.
    - If the authentication is successful, the user is logged in.
    - If the authentication fails, an authentication error is returned.
    - If no credentials are passed, the user is logged in as anonymous.
- Configure the system_auth and dse_security keyspaces.
- Configure caching. Fetching permissions can be an expensive operation. If necessary, adjust the validity period for permissions caching by setting the permissions_validity_in_ms option in cassandra.yaml. You can also disable permission caching by setting this option to 0.
- Restart DataStax Enterprise. See Starting and stopping DataStax Enterprise.
- Start cqlsh using the same superuser name and password (cassandra) that you use to start the supported client. For example, to start cqlsh on Linux:
  ./cqlsh -u cassandra -p cassandra
  The cassandra user name is provided only as an example.
- Change the default superuser.
  Note: Use the default cassandra user only to assist with initial setup of new users and superusers, and then disable it.
  Best practices for security and performance:
  - Restrict rights of users as appropriate for security. For example, do not allow access to other keyspaces.
  - Follow these steps to change the default superuser.
- Restart the node.
- Optionally configure authorization and role management.
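The following is an added example, not code from the DataStax documentation: a dependency-free audit that reads the cassandra.yaml and dse.yaml settings from the procedure above and reports anything that leaves authentication weaker than intended. The target values it checks for (DseAuthenticator and DseAuthorizer, enabled: true, scheme_permissions: true, plain_text_without_ssl: block, transitional_mode: disabled) are the strictest of the choices listed on this page, which is an editorial assumption; the two pairs of YAML fragments are constructed samples, not files from a real cluster.

```python
# Added example (not DataStax code): audit DSE Unified Authenticator settings.
# The "hardened" targets below are the strictest options the page lists; the
# YAML fragments are constructed samples.
import re

# Constructed sample: cassandra.yaml still on its defaults (authentication off).
CASSANDRA_YAML_DEFAULT = """\
cluster_name: 'Test Cluster'
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
permissions_validity_in_ms: 2000
"""
# Constructed sample: dse.yaml as a rollout might leave it (transitional mode
# still on, plain-text requests over unencrypted connections only warned about).
DSE_YAML_ROLLOUT = """\
authentication_options:
    enabled: true
    default_scheme: kerberos
    other_schemes:
        - internal
    scheme_permissions: true
    allow_digest_with_kerberos: false
    plain_text_without_ssl: warn
    transitional_mode: normal
"""
# Constructed sample: the same two files once the procedure is complete.
CASSANDRA_YAML_HARDENED = """\
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
permissions_validity_in_ms: 2000
"""
DSE_YAML_HARDENED = """\
authentication_options:
    enabled: true
    default_scheme: kerberos
    scheme_permissions: true
    allow_digest_with_kerberos: false
    plain_text_without_ssl: block
    transitional_mode: disabled
"""
DSE_AUTHENTICATOR = "com.datastax.bdp.cassandra.auth.DseAuthenticator"
DSE_AUTHORIZER = "com.datastax.bdp.cassandra.auth.DseAuthorizer"


def parse_flat_keys(text):
    """Top-level `key: value` pairs of a YAML-like file (quotes stripped)."""
    keys = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*$", line)
        if m and m.group(2):
            keys[m.group(1)] = m.group(2).strip("'\"")
    return keys


def parse_block(text, block_name):
    """Indented `key: value` pairs and `- item` lists under one top-level key."""
    opts, in_block, current_list = {}, False, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # a new top-level key starts here
            in_block = line.rstrip() == block_name + ":"
            continue
        if not in_block:
            continue
        item = line.strip()
        if item.startswith("- ") and current_list is not None:
            opts[current_list].append(item[2:].strip())
            continue
        key, _, value = item.partition(":")
        current_list = None if value.strip() else key  # bare key opens a list
        opts[key] = value.strip() if value.strip() else []
    return opts


def audit(cassandra_yaml, dse_yaml):
    """Return (key, message) findings; an empty list means fully hardened."""
    findings = []
    cy = parse_flat_keys(cassandra_yaml)
    ao = parse_block(dse_yaml, "authentication_options")

    def expect(source, key, wanted, why):
        actual = source.get(key)
        if actual != wanted:
            findings.append((key, f"{key} is {actual!r}, expected {wanted!r}: {why}"))

    expect(cy, "authenticator", DSE_AUTHENTICATOR, "AllowAllAuthenticator accepts any client")
    expect(cy, "authorizer", DSE_AUTHORIZER, "AllowAllAuthorizer grants every permission")
    expect(ao, "enabled", "true", "the DSE Unified Authenticator is not authenticating users")
    expect(ao, "scheme_permissions", "true", "roles are not restricted to a permitted scheme")
    expect(ao, "plain_text_without_ssl", "block",
           "plain-text credentials are accepted over unencrypted connections")
    expect(ao, "transitional_mode", "disabled", "anonymous logins are still possible")
    if ao.get("other_schemes"):  # page caveat: Thrift-based components ignore these
        findings.append(("other_schemes", "Thrift-based components (CFS, "
                         "CassandraHiveMetastore) use only default_scheme"))
    return findings


if __name__ == "__main__":
    for key, message in audit(CASSANDRA_YAML_DEFAULT, DSE_YAML_ROLLOUT):
        print(f"FINDING {key}: {message}")
    print("hardened findings:", audit(CASSANDRA_YAML_HARDENED, DSE_YAML_HARDENED))
```

Run against the rollout-state samples, audit() reports the default authenticator and authorizer classes, the warn-only plain-text setting, the transitional mode that still permits anonymous logins, and the Thrift caveat on other_schemes; the hardened pair produces no findings. The parsers handle only the flat and one-level-nested shape these two files use, which keeps the script free of third-party YAML libraries on a node.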
What's next
To complete the authentication configuration, configure your authentication schemes: