dse client-tool connection options

Where is the cassandra.yaml file?

The location of the cassandra.yaml file depends on the type of installation:

Installation Type Location

Package installations + Installer-Services installations

/etc/dse/cassandra/cassandra.yaml

Tarball installations + Installer-No Services installations

<installation_location>/resources/cassandra/conf/cassandra.yaml
Where is the dse.yaml file?

The location of the dse.yaml file depends on the type of installation:

Installation Type Location

Package installations + Installer-Services installations

/etc/dse/dse.yaml

Tarball installations + Installer-No Services installations

<installation_location>/resources/dse/conf/dse.yaml

You must authenticate connections to an external client for dse client-tool commands.

JMX authentication is supported by some dsetool commands. Other dsetool commands authenticate with the user name and password of the configured user. The connection option short form and long form are comma separated.

You can provide authentication credentials in several ways, see Connecting to authentication enabled clusters.

To enable dsetool to use Kerberos authentication, see Using dsetool with Kerberos enabled cluster.

Different sources of configuration properties are used to connect external clients to a DSE node: DSE configuration in dse.yaml and cassandra.yaml.

You can provide authentication credentials in several ways, see Connecting to authentication enabled clusters. Unlike dsetool, the dse client-tool subcommands use DSE Unified Authentication, not JMX authentication. DSE Unified Authentication is also used by the DataStax-compatible drivers for Apache Cassandra®.

RPC permissions over the native protocol leverage DSE authentication and role-based access abilities. To configure external client access to DataStax Enterprise commands, see Authorizing remote procedure calls for CQL execution.

DSE proxy authentication can be used with dse client-tool, and delegation tokens can be generated for the proxy authenticated role. If the role alice is authenticated, and alice uses proxy authorization to the role bob, the delegation token for alice can be used authenticate as alice and authorize as bob. If bob loses login permissions, the token can still be used to login as alice, because the token reflects the authentication of alice. If alice loses authorization permissions for bob, the token cannot be used to login.

Synopsis

dse client-tool
[-a proxy_auth_username] [-u username] [-p password]
[--port port] [--host hostname]
[--sasl-protocol-name dse_service_principal]
[--keystore-path ssl_keystore_path]
[--keystore-password keystore_password]
[--keystore-type ssl_keystore_type]
[--truststore-path ssl_truststore_path]
[--truststore-password ssl_truststore_password]
[--truststore-type ssl_truststore_type]
[--cipher-suites ssl_cipher_suites]
[--kerberos-enabled (true | false)]
[--ssl-enabled (true | false)]
[--use-server-config]
[-t delegation token]
[--ssl-protocol ssl_protocol]
command [options]
Syntax conventions
Syntax conventions Description

UPPERCASE

Literal keyword.

Lowercase

Not literal.

Italics

Variable value. Replace with a valid option or user-defined value.

[ ]

Optional. Square brackets ( [ ] ) surround optional command arguments. Do not type the square brackets.

( )

Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.

|

Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.

...

Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.

'Literal string'

Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.

{ key:value }

Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.

<datatype1,datatype2>

Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.

cql_statement;

End CQL statement. A semicolon ( ; ) terminates all CQL statements.

[ -- ]

Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.

' <schema> …​ </schema> '

Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.

@xml_entity='xml_entity_type'

Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrconfig files.
--cipher-suites ssl_cipher_suites

Comma-separated list of SSL cipher suites for connection to DSE when SSL is enabled. For example, --cipher-suites c1,c2,c3.

--host hostname

The DSE node hostname or IP address.

--kerberos-enabled true|false

Whether Kerberos authentication is enabled for connections to DSE. For example, --kerberos-enabled true.

--keystore-password keystore_password

Keystore password for connection to DSE when SSL client authentication is enabled.

--keystore-path ssl_keystore_path

Path to the keystore for connection to DSE when SSL client authentication is enabled.

--keystore-type ssl_keystore_type

Keystore type for connection to DSE when SSL client authentication is enabled. JKS is the type for keys generated by the Java keytool binary, but other types are possible, depending on user environment.

-p password

The password to authenticate for database access. Can use the DSE_PASSWORD environment variable.

--port port

The native protocol RPC connection port (Thrift).

--sasl-protocol-name dse_service_principal

SASL protocol name, that is, the DSE service principal name.

--ssl

Whether SSL is enabled for connection to DSE. --ssl-enabled true is the same as --ssl.

--ssl-protocol ssl_protocol

SSL protocol for connection to DSE when SSL is enabled. For example, --ssl-protocol ssl4.

-t delegation_token

The delegation token to use at login. Or alternatively, DSE_TOKEN environment variable can be used.

--truststore-password ssl_truststore_password

Truststore password to use for connection to DSE when SSL is enabled.

--truststore-path ssl_truststore_path

Path to the truststore to use for connection to DSE when SSL is enabled. For example, --truststore-path /path/to/ts.

--truststore-type ssl_truststore_type

Truststore type for connection to DSE when SSL is enabled. JKS is the type for keys generated by the Java keytool binary, but other types are possible, depending on user environment. For example, --truststore-type jks2.

-u username

User name of a DSE authentication account. Can use the DSE_USERNAME environment variable.

-a proxy_auth_username

DSE authorization username if proxy authentication is used.

--use-server-config

Read parameters from server YAML configuration files. Assumes the local DSE node is properly configured.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM