Configuring authentication

Steps for configuring authentication.

Steps for configuring authentication in the DataStax Distribution of Apache Cassandra™ (DDAC).

  1. Change the authenticator option in the cassandra.yaml file to PasswordAuthenticator:
    authenticator: PasswordAuthenticator
    Note: By default, the authenticator option is set to AllowAllAuthenticator.
  2. Restart the database.
  3. Start cqlsh using the default superuser name and password:
    cqlsh -u cassandra -p cassandra
  4. To ensure that the keyspace is always available, increase the replication factor for the system_auth keyspace to 3 to 5 nodes per datacenter (recommended):
    ALTER KEYSPACE "system_auth" 
    WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 4};

    The system_auth keyspace uses a QUORUM consistency level when checking authentication for the default cassandra user. For all other users created, superuser or otherwise, a LOCAL_ONE consistency level is used for authenticating.

    Note: Datacenter names are case sensitive. Verify the case of the using utility, such as nodetool status.
    CAUTION: If the single replica of the keyspace goes down, using the default replication factor of 1 set for the system_auth keyspace results in denial of access to the cluster. For multiple datacenters, be sure to set the replication class to NetworkTopologyStrategy.
  5. After increasing the replication factor of a keyspace, run nodetool repair to make certain the change is propagated:
    nodetool repair system_auth
  6. Restart the database.
  7. Start cqlsh using the superuser name and password:
    cqlsh -u cassandra -p cassandra
  8. To prevent security breaches, replace the default superuser, cassandra, with another superuser with a different name:
    CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>' 
        AND SUPERUSER = true 
        AND LOGIN = true;

    The default user cassandra reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE.

  9. Log in as the newly created superuser:
    cqlsh -u <new_super_user> -p <some_secure_password>
  10. To neutralize or delete the default account:
    • Neutralize the account by changing the password to something long and incomprehensible, and alter the user's status to NOSUPERUSER:
      ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf'
          AND SUPERUSER=false;
    • Delete the account by logging in with the new super account created in the previous step and then running DROP ROLE.
      DROP ROLE cassandra;
  11. Once you create some new roles, you can authorize those roles to access database objects.
  12. Fetching role authentication can be a costly operation. To decrease the burden, adjust the validity period for role caching with the ../config/configCassandra_yaml.html#configCassandra_yaml__roles_validity_in_ms option in the cassandra.yaml file (default 2000 milliseconds):
    roles_validity_in_ms: 2000
    To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
  13. Configure the refresh interval for role caches by setting the roles_update_interval_in_ms option in the cassandra.yaml file (default 2000 ms):
    roles_update_interval_in_ms: 2000
    If roles_validity_in_ms is non-zero, this setting must be set.
    Note: The credentials are cached in their encrypted form.
  14. Fetching credentials authentication can be a costly operation. To decrease the burden, adjust the validity period for credential caching with the credentials_update_interval_in_ms option in the cassandra.yaml file (default 2000 ms):
    credentials_validity_in_ms: 2000
    To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
  15. To set the refresh interval for credentials caches, use the credentials_update_interval_in_ms option (default 2000 ms):
    credentials_update_interval_in_ms: 2000

    If credentials_validity_in_ms is non-zero, this setting must be set.

  16. To disable configuration of authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options file:
    #-Dcassandra.disable_auth_caches_remote_configuration=true

    After setting this option, cache options can only be set in the cassandra.yaml file. To make the new setting take effect, restart the database.

    cassandra.yaml

    • The cassandra.yaml file is located in the installation_location/conf directory.