DataStax Enterprise fails to start after configuring authentication

DataStax Enterprise fails when authorization and authentications settings do not match or when external authentication services are unreachable.


The location of the dse.yaml file depends on the type of installation:
Package installations /etc/dse/dse.yaml
Tarball installations installation_location/resources/dse/conf/dse.yaml

The DataStax Enterprise Help Center also provides troubleshooting information.

Authorizer requires Authenticator

Problem description

When settings do not match DataStax Enterprise fails to start. For example, dse.yaml with authentication_options.enabled: false and authorization_options.enabled: true, prevents DSE from starting and has the following errors in cassandra/system.log:

Caused by: org.apache.cassandra.exceptions.ConfigurationException: com.datastax.bdp.cassandra.auth.DseAuthenticator does not currently require authentication, so it can't be used with com.datastax.bdp.cassandra.auth.DseAuthorizer which does currently require authorization. You need to either choose new classes or update their configurations so they are compatible.


Set both authentication_options and authorization_options enabled to the same setting in the dse.yaml file.

External authentication services unreachable

Problem description

DataStax Enterprise start up fails when authentication_options.enabled: true and a scheme is not configured or the corresponding service is unavailable that is configured in the dse.yaml:
  • role_manager.mode
  • authentication_options.default_scheme
  • authentication_options.other_scheme

For example, when the default_schema is set to kerberos and the KDS server defined in the kerberos_options is unavailable, the cassandra/system.log shows the following start up error:

1) An exception was caught and reported. Message: The dse service keytab at this location resources/dse/conf/dse.keytab either doesn't exist or cannot be read by the dse service at com.datastax.bdp.DseModule.configure(Unknown Source)


Ensure that the configured KDC or LDAP host is available or remove the scheme setting from the DSE Authenticator or Role Manager options.