Enabling DSE Unified Authentication
Steps to enable and configure DSE Unified Authentication.
DSE Unified Authentication facilitates connectivity to three primary backend
authentication and authorization services. DSE Unified Authentication uses the
following services:
- DSE Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and Kerberos authentication.
- DSE Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.
- DSE Authorizer: Provides access control for database objects.
By default, DSE Authenticator and DSE Authorizer are disabled. Authenticators other than DseAuthenticator are not supported.
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:
Package installations | /etc/dse/cassandra/cassandra.yaml
Tarball installations | installation_location/resources/cassandra/conf/cassandra.yaml
dse.yaml
The location of the dse.yaml file depends on the type of installation:
Package installations | /etc/dse/dse.yaml
Tarball installations | installation_location/resources/dse/conf/dse.yaml
Prerequisites
Complete the following before enabling authentication:
- When configuring an external authentication method such as Kerberos or LDAP, ensure that the service is active and available.
  Warning: DSE fails to start when an authentication scheme or role management mode is configured but not available.
- Configure the system_auth and dse_security keyspaces to use a replication factor of 3-5 for each datacenter, see Configuring the security keyspaces replication factors.
- When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the anonymous role, see Steps for production environments for more details.
Procedure
Apply the following updates to each node:
- In the cassandra.yaml file, verify that DSE Unified Authentication and Authorization features are configured:
- In the dse.yaml file, configure the corresponding options:
- Configure selected authentication scheme options:
  Warning: In order for DSE to start up, the external service referenced in the kerberos_options and/or ldap_options must be accessible. If you are not using Kerberos-based authentication, comment out the kerberos_options.
- Set up JMX authentication to allow nodetool and dsetool operations, see Configuring JMX authentication.
- Restart DSE, see or .
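A check to run on each node's two files before the restart, as an added example that is not part of the DataStax documentation. It flags authentication classes other than the DSE ones, disabled authentication or authorization, and a kerberos_options block left active when Kerberos is not a configured scheme. Assumptions: the class names and the authentication_options, authorization_options, enabled, default_scheme and other_schemes keys are those of the stock DSE configuration files, which this page does not list, and the sample files are constructed.

```python
import re

# Assumption: class names as in DSE's stock cassandra.yaml; this page does not list them.
EXPECTED = {"authenticator": "com.datastax.bdp.cassandra.auth.DseAuthenticator",
            "role_manager": "com.datastax.bdp.cassandra.auth.DseRoleManager",
            "authorizer": "com.datastax.bdp.cassandra.auth.DseAuthorizer"}

def parse(text):
    """Flatten top-level and nested keys to {'section.key': value}; not full YAML."""
    out, sec, last = {}, "", ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # commented-out settings disappear
        item = re.match(r"^\s+-\s*(\S+)$", line)      # block-list entry such as "- ldap"
        kv = re.match(r"^(\s*)(\w+):\s*(.*)$", line)
        if item and last:
            out[last] += " " + item.group(1)
        elif kv:
            indent, key, val = kv.groups()
            sec, last = (sec, f"{sec}.{key}") if indent else (key, key)
            out[last] = val
    return out

def audit(cassandra_yaml, dse_yaml):
    """Return findings; an empty list means the checked settings are consistent."""
    cass, dse = parse(cassandra_yaml), parse(dse_yaml)
    found = [f"cassandra.yaml: {k} should be {v}" for k, v in EXPECTED.items() if cass.get(k) != v]
    for name in ("authentication_options", "authorization_options"):
        if dse.get(name + ".enabled") != "true":
            found.append(f"dse.yaml: {name}.enabled is not true")
    schemes = " ".join(dse.get("authentication_options." + k, "")
                       for k in ("default_scheme", "other_schemes"))
    if "kerberos_options" in dse and "kerberos" not in re.findall(r"\w+", schemes):
        found.append("dse.yaml: kerberos_options is set but kerberos is not a configured scheme")
    return found

# Constructed sample files containing three deliberate mistakes.
SAMPLE_CASSANDRA = """authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
authorizer: AllowAllAuthorizer"""
SAMPLE_DSE = """authentication_options:
    enabled: true
    default_scheme: internal
    other_schemes:
        - ldap
authorization_options:
    enabled: false
kerberos_options:
    keytab: /path/to/dse.keytab"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CASSANDRA, SAMPLE_DSE)))
```

To check a real node, pass the contents of its cassandra.yaml and dse.yaml to audit() in place of the samples.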
What's next
- Adding a superuser login
- Create roles and set up permissions, see Setting up logins and users