Providing credentials for authentication

Methods to provide credentials for authenticating with DSE.

Through authentication, the database establishes the identity of the person or system that is attempting an operation. Authentication works with any combination of internal Cassandra password authentication, LDAP pass-through authentication, and Kerberos authentication.

Authentication is supported for use with dse commands and the dsetool utility. To configure external client access to DataStax Enterprise commands, see RPCs over Cassandra native protocol.

Providing credentials 

You can provide authentication credentials in several ways:
Command line 
Provide login credentials on the command line:
dse [connection_options] subcommand
dse client-tool [connection_options] subcommand
dsetool [connection_options] subcommand
where the connection_options include:
  • -f config_file - the path to a configuration file that stores credentials. If -f is not specified, ~/.dserc is used if it exists.
    The configuration file can contain Cassandra and JMX login credentials. For example:
    username=cassandra
    password=cassandra
    jmx_username=cassandra
    jmx_password=jmx
    The credentials in the configuration file are stored in clear text. DataStax recommends restricting access to this file to the specific user only.
  • dse -u username is the user name to authenticate against the configured Cassandra user.
  • dsetool -l username is the user name to authenticate against the configured Cassandra role.
  • -p password is the password to authenticate against the configured Cassandra role. If you do not provide a password on the command line, you are prompted to enter one.
  • -a jmx_username is the user name for authenticating with secure JMX.
  • -b jmx_password is the password for authenticating with secure JMX. If you do not provide a password on the command line, you are prompted to enter one.
  • subcommand is any dse, dse client-tool, or dsetool subcommand.
~/.dserc file 
Create a file named .dserc in your home directory. The ~/.dserc file contains the Cassandra user name and password:
username=username
password=password

When you launch a password-protected tool and authentication is not provided on the command line, the credentials in the ~/.dserc file are used. The ~/.dserc file is ignored when a configuration file is specified with -f.
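
Because both the -f configuration file and ~/.dserc hold clear-text passwords, the restriction to a single user can be checked before the file is used. The following is an added example, not DataStax code; the function names check_dserc and dserc_keys are hypothetical.

```shell
#!/bin/sh
# Added example (not DataStax code): audit a DSE credentials file such as
# ~/.dserc or a file passed with -f. Function names are hypothetical.
# Usage: check_dserc "$HOME/.dserc"

# Print only the key names found in the file, never the values.
dserc_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z_]*\)[[:space:]]*=.*/\1/p' "$1"
}

# Return 0 when the file is a regular file, owned by the current user,
# with no group/other permission bits. Reasons are written to stderr.
check_dserc() {
    f=$1
    rc=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: missing, a symlink, or not a regular file" >&2
        return 2
    fi
    if [ ! -O "$f" ]; then
        echo "$f: not owned by the current user" >&2
        rc=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: group/other bits set ($perms); fix with chmod 600" >&2
        rc=1
    fi
    # When the file is exposed, name the clear-text secrets it would leak.
    if [ "$rc" -ne 0 ]; then
        for key in $(dserc_keys "$f"); do
            case $key in
                password|jmx_password)
                    echo "$f: clear-text $key is exposed" >&2 ;;
            esac
        done
    fi
    return "$rc"
}
```

A wrapper script can call check_dserc and refuse to run dse or dsetool when it returns non-zero.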

Environment variables for dse client-tool and Spark commands 
To increase security and prevent authentication credentials from appearing in log files, DataStax recommends using environment variables instead of passing credentials on the command line or in the .dserc file. Add the environment variables to your Bash .profile or .bash_profile files.
Use environment variables DSE_USERNAME and DSE_PASSWORD to specify a user name and password:
export DSE_USERNAME=username
export DSE_PASSWORD=password
Use environment variable DSE_TOKEN to specify a delegation token when Kerberos is used:
export DSE_TOKEN=delegation_token