Configuring authentication

Steps for configuring authentication in the DataStax Distribution of Apache Cassandra (DDAC).

cassandra.yaml

  • The cassandra.yaml file is located in the installation_location/conf directory.

  1. Change the authenticator option in the cassandra.yaml file to PasswordAuthenticator:
    authenticator: PasswordAuthenticator
    Note: By default, the authenticator option is set to AllowAllAuthenticator.
  2. Restart the database.
  3. Start cqlsh using the default superuser name and password:
    cqlsh -u cassandra -p cassandra
  4. To ensure that the keyspace is always available, increase the replication factor for the system_auth keyspace to 3 to 5 nodes per datacenter (recommended):
    ALTER KEYSPACE "system_auth" 
    WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 4};

    The system_auth keyspace uses a QUORUM consistency level when checking authentication for the default cassandra user. For all other users created, superuser or otherwise, a LOCAL_ONE consistency level is used for authenticating.

    Note: Datacenter names are case sensitive. Verify the case of the datacenter names using a utility, such as nodetool status.
    CAUTION: With the default replication factor of 1 set for the system_auth keyspace, access to the cluster is denied if the single replica of the keyspace goes down. For multiple datacenters, be sure to set the replication class to NetworkTopologyStrategy.
  5. After increasing the replication factor of a keyspace, run nodetool repair to make certain the change is propagated:
    nodetool repair system_auth
  6. Restart the database.
  7. Start cqlsh using the superuser name and password:
    cqlsh -u cassandra -p cassandra
  8. To prevent security breaches, replace the default superuser, cassandra, with another superuser with a different name:
    CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>' 
        AND SUPERUSER = true 
        AND LOGIN = true;

    The default user cassandra reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE.

  9. Log in as the newly created superuser:
    cqlsh -u <new_super_user> -p <some_secure_password>
  10. To neutralize or delete the default account:
    • Neutralize the account by changing the password to something long and incomprehensible, and alter the user's status to NOSUPERUSER:
      ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf'
          AND SUPERUSER=false;
    • Delete the account by logging in with the new super account created in the previous step and then running DROP ROLE.
      DROP ROLE cassandra;
  11. Once you create some new roles, you can authorize those roles to access database objects.
  12. Fetching role authentication can be a costly operation. To decrease the burden, adjust the validity period for role caching with the roles_validity_in_ms option in the cassandra.yaml file (default 2000 milliseconds):
    roles_validity_in_ms: 2000
    To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
  13. Configure the refresh interval for role caches by setting the roles_update_interval_in_ms option in the cassandra.yaml file (default 2000 ms):
    roles_update_interval_in_ms: 2000
    If roles_validity_in_ms is non-zero, this setting must be set.
    Note: The credentials are cached in their encrypted form.
  14. Fetching credentials for authentication can be a costly operation. To decrease the burden, adjust the validity period for credential caching with the credentials_validity_in_ms option in the cassandra.yaml file (default 2000 ms):
    credentials_validity_in_ms: 2000
    To disable, set this option to 0. This setting is automatically disabled when the authenticator is set to AllowAllAuthenticator.
  15. To set the refresh interval for credentials caches, use the credentials_update_interval_in_ms option (default 2000 ms):
    credentials_update_interval_in_ms: 2000

    If credentials_validity_in_ms is non-zero, this setting must be set.

  16. To disable configuration of authentication and authorization caches (credentials, roles, and permissions) via JMX, uncomment the following line in the jvm.options file:
    #-Dcassandra.disable_auth_caches_remote_configuration=true

    After setting this option, cache options can only be set in the cassandra.yaml file. To make the new setting take effect, restart the database.
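
The settings from this procedure can be checked after the fact. The script below is an added example, not DataStax code: it audits cassandra.yaml text against steps 1 and 12 to 15 and a system_auth replication map against step 4. The function names, the sample inputs, and the assumption that the operator supplies the replication map as a dictionary are all constructed for illustration.

```python
import re

# Constructed sample input: default authenticator, roles cache without a refresh interval.
SAMPLE_YAML = """\
authenticator: AllowAllAuthenticator
roles_validity_in_ms: 2000
# roles_update_interval_in_ms: 2000
credentials_validity_in_ms: 0
"""
# Constructed sample input: replication map of system_auth left at its default.
SAMPLE_REPLICATION = {"class": "SimpleStrategy", "replication_factor": "1"}

def top_level_scalars(text):
    """Return top-level 'key: value' pairs; comments and nested keys are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*([^#]*?)\s*(?:#.*)?$", line)
        if m and m.group(2):
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings

def audit_auth_config(text):
    """Check steps 1 and 12-15 against cassandra.yaml text; return findings."""
    cfg = top_level_scalars(text)
    findings = []
    # An absent option means the default, AllowAllAuthenticator (step 1).
    auth = cfg.get("authenticator", "AllowAllAuthenticator")
    if auth != "PasswordAuthenticator":
        findings.append(f"authenticator is {auth}, expected PasswordAuthenticator")
    # A non-zero validity period requires the update interval to be set.
    for cache in ("roles", "credentials"):
        validity = int(cfg.get(f"{cache}_validity_in_ms", 2000))
        if validity != 0 and f"{cache}_update_interval_in_ms" not in cfg:
            findings.append(f"{cache}_update_interval_in_ms is not set (validity {validity} ms)")
    return findings

def audit_system_auth_replication(replication):
    """Check step 4 against the replication map of the system_auth keyspace."""
    findings = []
    if not replication.get("class", "").endswith("NetworkTopologyStrategy"):
        findings.append("replication class is not NetworkTopologyStrategy")
    for name, rf in replication.items():
        if name != "class" and not 3 <= int(rf) <= 5:
            findings.append(f"{name} is {rf}, recommended is 3 to 5")
    return findings

if __name__ == "__main__":
    for finding in audit_auth_config(SAMPLE_YAML) + audit_system_auth_replication(SAMPLE_REPLICATION):
        print("FINDING:", finding)
```

The YAML reader handles only top-level scalar options, which is all these checks need; it is not a general YAML parser.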