About DSE Unified Authentication

DSE Unified Authentication facilitates connectivity to three primary backend authentication and authorization services.

DSE Unified Authentication enables multiple authentication schemes to be used on the same DataStax Enterprise cluster. DataStax recommends using DSE Unified Authentication for all authentication in DataStax Enterprise.


DSE Unified Authentication facilitates connectivity to these primary backend authentication and authorization services:
  • DSE Authenticator supports validating user identity against any of the following authentication schemes:
    • Internal: Connections provide credentials for a role that has an internally stored password, no additional configuration is required, see Role-based access.
    • LDAP: Connections provide LDAP credentials and DSE passes the credentials for verification to LDAP, see About authentication with LDAP.
    • Kerberos: Connections provide a Kerberos ticket, DSE is configured as a Service Principal (see Setting up Kerberos) and passes the tickets to KDS for verification.

    When a connection request specifies an authentication scheme, DSE Authenticator validates the user against the selected scheme first. If no scheme is specified in the connection request or the validation fails, DSE Authenticator first tries the default_scheme and then each scheme defined in other_schemes in order.

    Important: It is possible to authenticate users without implementing access control using the DSE Authenticator, however authentication is required for authorization and role management.
  • DSE Role Manager process used to assign roles to a user:
    • Internal: One to one mapping. Matches the user name to a Cassandra role. Requires a role for each user.
    • LDAP: One to many mapping. Matches the user LDAP group names to DSE roles. Users can have more than one role.
      Note: For LDAP role management, DSE disables role nesting; you cannot use GRANT to assign a role to another role.
    See Configuring DSE Role management.
  • DSE Authorizer analyzes the request against the role permissions on each affected resource before allowing the request to be executed. The DSE Authorizer extends permissions to applications, client tools, and authentication schemes.

    Set and remove permissions on database resources with the CQL commands GRANT and REVOKE.

    Role-based access authenticates users based on the user association with LDAP groups or Cassandra roles.