Configuring authentication
Steps for configuring authentication.
cassandra.yaml
- The cassandra.yaml file is located in the installation_location/conf directory.

- Change the authenticator option in the cassandra.yaml file to PasswordAuthenticator:
  authenticator: PasswordAuthenticator
  Note: By default, the authenticator option is set to AllowAllAuthenticator.
- Restart the database.
- Start cqlsh using the default superuser name and password:
  cqlsh -u cassandra -p cassandra
- To ensure that the keyspace is always available, increase the replication factor for the system_auth keyspace to 3 to 5 nodes per datacenter (recommended):
  ALTER KEYSPACE "system_auth" WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 4};
  The system_auth keyspace uses a QUORUM consistency level when checking authentication for the default cassandra user. For all other users created, superuser or otherwise, a LOCAL_ONE consistency level is used for authenticating.
  Note: Datacenter names are case sensitive. Verify the case of the datacenter names using a utility such as nodetool status.
  CAUTION: If the single replica of the keyspace goes down, using the default replication factor of 1 set for the system_auth keyspace results in denial of access to the cluster. For multiple datacenters, be sure to set the replication class to NetworkTopologyStrategy.
- After increasing the replication factor of a keyspace, run nodetool repair to make certain the change is propagated:
  nodetool repair system_auth
- Restart the database.
- Start cqlsh using the superuser name and password:
  cqlsh -u cassandra -p cassandra
- To prevent security breaches, replace the default superuser, cassandra, with another superuser with a different name:
  CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>' AND SUPERUSER = true AND LOGIN = true;
  The default user cassandra reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE.
- Log in as the newly created superuser:
  cqlsh -u <new_super_user> -p <some_secure_password>
- To neutralize or delete the default account:
  - Neutralize the account by changing the password to something long and incomprehensible, and alter the user's status to NOSUPERUSER:
    ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf' AND SUPERUSER=false;
  - Delete the account by logging in with the new superuser account created in the previous step and then running DROP ROLE:
    DROP ROLE cassandra;
- Once you create some new roles, you can authorize those roles to access database objects.
- Fetching roles for authentication can be a costly operation. To decrease the burden, adjust the validity period for role caching with the roles_validity_in_ms option in the cassandra.yaml file (default 2000 milliseconds):
  roles_validity_in_ms: 2000
  To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
- Configure the refresh interval for role caches by setting the roles_update_interval_in_ms option in the cassandra.yaml file (default 2000 ms):
  roles_update_interval_in_ms: 2000
  If roles_validity_in_ms is non-zero, this setting must be set.
  Note: The credentials are cached in their encrypted form.
- Fetching credentials for authentication can be a costly operation. To decrease the burden, adjust the validity period for credential caching with the credentials_validity_in_ms option in the cassandra.yaml file (default 2000 ms):
  credentials_validity_in_ms: 2000
  To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
- To set the refresh interval for credentials caches, use the credentials_update_interval_in_ms option (default 2000 ms):
  credentials_update_interval_in_ms: 2000
  If credentials_validity_in_ms is non-zero, this setting must be set.
- To disable configuration of authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options file:
  #-Dcassandra.disable_auth_caches_remote_configuration=true
  After setting this option, cache options can only be set in the cassandra.yaml file. To make the new setting take effect, restart the database.
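The two checks below turn the system_auth replication step and the cache settings above into something you can run before touching a cluster: the first validates a datacenter-to-replication-factor map against `nodetool status` output (catching the case-sensitivity problem the note warns about and the 1-replica denial-of-access case) and emits the ALTER KEYSPACE statement; the second audits a cassandra.yaml and jvm.options for the authenticator, cache validity/update-interval pairing, and the JMX lock-out flag. This is an added example written for this page, not DataStax code; the function names are mine, the `nodetool status` output and config fragments are constructed samples, and only flat `key: value` lines of cassandra.yaml are parsed.

```python
"""Pre-flight checks for the Cassandra authentication procedure above.
Added example (not DataStax code); all sample inputs are constructed."""
import re
from typing import Dict, List

# Constructed `nodetool status` output; note the mixed-case datacenter name.
SAMPLE_NODETOOL_STATUS = """\
Datacenter: DC1
===============
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address   Load     Tokens  Owns  Host ID                               Rack
UN  10.0.0.1  1.2 MiB  256     ?     00000000-0000-0000-0000-000000000001  rack1
Datacenter: dc2
===============
--  Address   Load     Tokens  Owns  Host ID                               Rack
UN  10.0.1.1  1.1 MiB  256     ?     00000000-0000-0000-0000-000000000002  rack1
"""

# Constructed cassandra.yaml and jvm.options fragments showing the weak defaults.
SAMPLE_CASSANDRA_YAML = """\
cluster_name: 'Test Cluster'
# authenticator: PasswordAuthenticator
authenticator: AllowAllAuthenticator
roles_validity_in_ms: 2000
credentials_validity_in_ms: 0
"""
SAMPLE_JVM_OPTIONS = "-Xms4G\n#-Dcassandra.disable_auth_caches_remote_configuration=true\n"

JMX_LOCK_FLAG = "-Dcassandra.disable_auth_caches_remote_configuration=true"


def datacenters_from_status(status_output: str) -> List[str]:
    """Datacenter names exactly as nodetool prints them (case preserved)."""
    return re.findall(r"^Datacenter:\s*(\S+)\s*$", status_output, flags=re.MULTILINE)


def validate_replication(replication: Dict[str, int], status_output: str) -> List[str]:
    """Problems with a datacenter->RF map; an empty list means it is safe to apply."""
    problems = []
    known = datacenters_from_status(status_output)
    by_lower = {dc.lower(): dc for dc in known}
    for dc, rf in replication.items():
        if dc not in known:  # datacenter names are case sensitive
            hint = by_lower.get(dc.lower())
            problems.append(f"datacenter {dc!r} not in nodetool status"
                            + (f" (did you mean {hint!r}?)" if hint else ""))
        if not 3 <= rf <= 5:  # the page recommends 3 to 5 replicas per datacenter
            problems.append(f"replication factor {rf} for {dc!r} is outside 3-5")
    return problems


def alter_system_auth(replication: Dict[str, int], status_output: str) -> str:
    """Return the ALTER KEYSPACE statement, refusing to build one from a bad map."""
    problems = validate_replication(replication, status_output)
    if problems:
        raise ValueError("; ".join(problems))
    dcs = ", ".join(f"'{dc}' : {rf}" for dc, rf in replication.items())
    return ('ALTER KEYSPACE "system_auth" WITH REPLICATION = '
            f"{{'class' : 'NetworkTopologyStrategy', {dcs}}};")


def flat_yaml_settings(text: str) -> Dict[str, str]:
    """Top-level `key: value` scalars; commented lines are skipped, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def audit_auth_settings(yaml_text: str, jvm_options_text: str) -> List[str]:
    """Findings against the settings discussed on this page; empty means hardened."""
    findings = []
    s = flat_yaml_settings(yaml_text)
    if s.get("authenticator", "AllowAllAuthenticator") == "AllowAllAuthenticator":
        findings.append("authenticator is AllowAllAuthenticator (the default): logins are not checked")
    for cache in ("roles", "credentials"):
        validity = s.get(f"{cache}_validity_in_ms", "2000")  # default 2000 ms
        if validity != "0" and f"{cache}_update_interval_in_ms" not in s:
            findings.append(f"{cache}_validity_in_ms is {validity} but "
                            f"{cache}_update_interval_in_ms is not set")
    if not any(line.strip() == JMX_LOCK_FLAG for line in jvm_options_text.splitlines()):
        findings.append("auth cache settings remain configurable over JMX "
                        "(disable_auth_caches_remote_configuration is not active)")
    return findings


if __name__ == "__main__":
    print(alter_system_auth({"DC1": 3, "dc2": 4}, SAMPLE_NODETOOL_STATUS))
    for finding in audit_auth_settings(SAMPLE_CASSANDRA_YAML, SAMPLE_JVM_OPTIONS):
        print("FINDING:", finding)
```

In practice, feed `validate_replication` the live `nodetool status` output and the map you intend to apply; a `dc1` typed against a cluster whose datacenter is `DC1` is rejected before the ALTER KEYSPACE runs, instead of producing a keyspace with no replicas in the intended datacenter. The audit treats a missing `authenticator` key as AllowAllAuthenticator and a missing validity key as 2000 ms, matching the defaults the page states.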