Configuring authentication with the DSE Unified Authenticator

Steps to configure authentication with the DSE Unified Authenticator.

The DSE Unified Authenticator provides authentication using any combination of internal Cassandra password authentication, LDAP pass-through authentication, and Kerberos authentication.
Authentication is off by default. Configure properties in the cassandra.yaml file and the dse.yaml file to enable and configure authentication.

You can also use OpsCenter for authenticating users with LDAP.

The location of the dse.yaml file depends on the type of installation:
  • Installer-Services: /etc/dse/dse.yaml
  • Package installations: /etc/dse/dse.yaml
  • Installer-No Services: install_location/resources/dse/conf/dse.yaml
  • Tarball installations: install_location/resources/dse/conf/dse.yaml

The location of the cassandra.yaml file depends on the type of installation:
  • Installer-Services: /etc/dse/cassandra/cassandra.yaml
  • Package installations: /etc/dse/cassandra/cassandra.yaml
  • Installer-No Services: install_location/resources/cassandra/conf/cassandra.yaml
  • Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

Procedure

On each node:

  1. In the cassandra.yaml file, verify that the authenticator and authorizer have the required values to use DSE Unified Authentication:
    1. Change authenticator to DseAuthenticator. By default, the authenticator option is set to AllowAllAuthenticator.
    2. Change authorizer to DseAuthorizer. By default, the authorizer option is set to AllowAllAuthorizer.
    authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
    authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
  2. In the dse.yaml file, set the DataStax Enterprise authentication options:
    authentication_options:
        enabled: true
        default_scheme: kerberos
        other_schemes:
          - internal
        scheme_permissions: true
        allow_digest_with_kerberos: false
        plain_text_without_ssl: warn
        transitional_mode: disabled
    1. Turn on authentication to use the DSE Unified Authenticator to authenticate users:
      enabled: true
      Controls whether the DSE Unified Authenticator authenticates users. The DSE Unified Authenticator allows multiple authentication schemes to be used at the same time. The driver selects which scheme to use during authentication.
    2. Specify which authentication scheme to use if the driver does not request a specific scheme:
      For default_scheme, select one of these values:
    3. Specify other schemes that can be automatically selected for use by a driver.

      You cannot use other_schemes with DSE components that use Thrift, such as CFS and the CassandraHiveMetastore in Analytics data centers. Only the default_scheme is used when using components that use Thrift drivers. For example, if default_scheme is set to kerberos, and other_schemes is set to internal, only Kerberos authentication will work.

      For other_schemes, specify a list of schemes or select one or more of these authentication schemes:
      other_schemes:
          - kerberos
          - ldap
    4. Specify whether roles require permissions for specific authentication schemes.
      To enforce, set scheme_permissions: true
    5. Specify whether digest-md5 authentication is allowed with Kerberos.
      Important: Required in analytics clusters to use Hadoop inter-node authentication with Hadoop and Spark jobs.
      To allow digest-md5 authentication with Kerberos, set allow_digest_with_kerberos: true
    6. Specify how the DseAuthenticator reacts to plain text authentication requests over unencrypted client connections.
      For plain_text_without_ssl, select one of these values:
      • block - Block the request with an authentication error.
      • warn - Log a warning about the request but allow it to continue.
      • allow - Allow the request without any warning.
    7. During setup of authentication in a cluster, DataStax Enterprise authentication can operate in a transitional mode, a temporary mode that supports enabling authentication without downtime. Specify whether the DseAuthenticator can operate in a transitional mode, and set permissive, normal, or strict authentication.
      For transitional_mode, select one of these values:
      • disabled - Transitional mode is disabled.
      • permissive - Only a superuser is authenticated and logged in. All other authentication attempts are logged in as the anonymous user.
      • normal - If credentials are passed, they are authenticated.
        • If the authentication is successful, the user is logged in.
        • If the authentication fails, the user is logged in as anonymous.
        • If no credentials are passed, the user is logged in as anonymous.
      • strict - If credentials are passed, they are authenticated.
        • If the authentication is successful, the user is logged in.
        • If the authentication fails, then an authentication error is returned.
        • If no credentials are passed, the user is logged in as anonymous.
  3. Configure the system_auth and dse_security keyspaces.
  4. Configure caching. Fetching permissions can be an expensive operation. If necessary, adjust the validity period for permissions caching by setting the permissions_validity_in_ms option in cassandra.yaml. You can also disable permission caching by setting this option to 0.
  5. Restart DataStax Enterprise. See Starting and stopping DataStax Enterprise.
  6. Start cqlsh using the same superuser name and password (cassandra) that you use to start the supported client. For example, to start cqlsh on Linux:
    ./cqlsh -u cassandra -p cassandra
    The cassandra user name is provided only as an example.
  7. Change the default superuser.
    Note: Use the default cassandra user only to assist with initial setup of new users and superusers, and then disable it.
    • Logins for the cassandra user are performed with QUORUM consistency.

      Do not use the default cassandra user in production, because QUORUM consistency causes significant performance degradation in clusters with multiple datacenters.

    • Logins for all other users are performed with LOCAL_ONE consistency. See Configuring consistency levels.
    Best practices for security and performance:
    • Restrict rights of users as appropriate for security. For example, do not allow access to other keyspaces.
    • Follow these steps to change the default superuser.
  8. Restart the node.
  9. Optionally configure authorization and role management.
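
An added example, not part of the DataStax documentation: a Python check that reads the settings from steps 1 and 2 on a node and reports any that leave authentication off, permissive, or accepting plain text logins over unencrypted connections. The line reader, function names and sample files are constructed for illustration, and treating `block` and `disabled` as the expected end state is an assumption.

```python
import re

def top_level(text, key):
    """Value of a top-level 'key: value' line, or None (minimal reader, not a YAML parser)."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*([^\s#]+)", text, re.M)
    return m.group(1) if m else None

def section(text, name):
    """Scalar 'key: value' pairs indented under one top-level section."""
    out, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if line and not line[0].isspace():        # a new top-level key starts here
            inside = line == name + ":"
        elif line and inside and ":" in line:
            key, _, value = line.strip().partition(":")
            if value.strip():
                out[key.strip()] = value.strip()
    return out

def audit(cassandra_yaml, dse_yaml):
    """Return one finding per setting that differs from the assumed end state."""
    findings = []
    for key, wanted in (("authenticator", "DseAuthenticator"), ("authorizer", "DseAuthorizer")):
        value = top_level(cassandra_yaml, key)
        if value is None or value.split(".")[-1] != wanted:
            findings.append(f"cassandra.yaml {key}={value}: expected {wanted}")
    opts = section(dse_yaml, "authentication_options")
    checks = (("enabled", "true", "DSE Unified Authenticator is off"),
              ("plain_text_without_ssl", "block", "plain text logins over unencrypted connections are not blocked"),
              ("transitional_mode", "disabled", "anonymous logins may still be accepted"))
    for key, wanted, risk in checks:
        if opts.get(key) != wanted:
            findings.append(f"dse.yaml {key}={opts.get(key)}: {risk}")
    return findings

# Constructed sample inputs (not taken from a real cluster).
CASSANDRA_YAML = """\
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
authorizer: AllowAllAuthorizer
"""
DSE_YAML = """\
authentication_options:
    enabled: true
    plain_text_without_ssl: warn
    transitional_mode: permissive   # left over from rollout
"""
if __name__ == "__main__":
    print("\n".join(audit(CASSANDRA_YAML, DSE_YAML)))
```

Run it against each node's files after the restart in step 8; an empty result means all five settings match the assumed end state.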

What's next

To complete the authentication configuration, configure your authentication schemes: