Enabling DSE Unified Authentication

Steps to enable and configure the DSE Unified Authentication.

DSE Unified Authentication facilitates connectivity to three primary backend authentication and authorization services. DSE Unified Authentication uses the following services:
  • DSE Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and Kerberos authentication.
  • DSE Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.
  • DSE Authorizer: Provides access to control for database objects.

By default, DSE Authenticator and DSE Authorizer are disabled. Authenticators other than DseAuthenticator are not supported.

OpsCenter also provides support for LDAP configuration, authenticating users.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra.yaml
Tarball installations installation_location/resources/cassandra/conf/cassandra.yaml

dse.yaml

The location of the dse.yaml file depends on the type of installation:
Package installations /etc/dse/dse.yaml
Tarball installations installation_location/resources/dse/conf/dse.yaml

Prerequisites

Complete the following before enabling authentication:
  • When configuring an external authentication method such as Kerberos or LDAP ensure that the service is active and available.
    Warning: DSE fails to start when an authentication scheme or role management mode is configured but not available.
  • Configure the system_auth and dse_security keyspaces to use a replication factor of 3-5 for each datacenter, see Configuring the security keyspaces replication factors.
  • When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the anonymous role, see Steps for production environments for more details.

Procedure

Apply the following updates to each node:

  1. In the cassandra.yaml file, verify that DSE Unified Authentication and Authorization features are configured:
    1. Verify that authenticator is set to DseAuthenticator.
      authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
    2. Verify that authorizer is set to DseAuthorizer.
      authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
    3. Verify that role_manager is set to DseRoleManager.
      role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
    4. To secure schema information, enable system_keyspaces_filtering. Users will only be able to see schema information for objects they have access permissions on.
      system_keyspaces_filtering: true
  2. In the dse.yaml file, configure the corresponding options:
    1. Configure the DseAuthenticator by uncommenting the authentication_options and changing the settings.
      # authentication_options:
      #     enabled: false
      #     default_scheme: internal
      #     allow_digest_with_kerberos: true
      #     plain_text_without_ssl: warn
      #     transitional_mode: disabled
      #     other_schemes:
      #     scheme_permissions: false

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required settings. Enable DSE Authenticator and select a scheme by uncommenting and setting the values:
        authentication_options:
             enabled: true
             default_scheme: internal
        #     allow_digest_with_kerberos: true
        #     plain_text_without_ssl: warn
        #     transitional_mode: disabled
        #     other_schemes:
        #     scheme_permissions: false
        Note: If you plan to use only LDAP or Kerberos, include the internal scheme in other_schemes to allow access to the default cassandra account and complete the initial set up.
        Table 1. Required authentication_options
        Option Description
        enabled Turns on authentication using the default scheme.
        default_scheme Specifies the authentication scheme when not defined in the connection:
        • internal - Basic authentication using internal login role with password, supply the role name and password as credentials. No additional configuration required.
        • ldap - Plain text authentication using pass-through LDAP authentication. See Defining an LDAP scheme.
        • kerberos - GSSAPI authentication using the Kerberos authenticator. See Defining a Kerberos scheme.
      • Optional settings:
        authentication_options:
             enabled: true
             default_scheme: internal
             other_schemes:
               - kerberos
               - ldap
             scheme_permissions: false
             allow_digest_with_kerberos: false
             plain_text_without_ssl: warn
             transitional_mode: disabled
        Warning: scheme_permissions require EXECUTE permission for the selected scheme. Do not enable this option until after configuring your own root account.
        Table 2. Optional authentication_options
        Option Description
        other_schemes other_schemes
        scheme_permissions Validate that the role mapped to user matches the authentication scheme. Grant the role permission to the scheme.
        allow_digest_with_kerberos Allow Kerberos digest-md5 authentication.
        plain_text_without_ssl Handling of plain text connection requests:
        • block - Block the request with an authentication error.
        • warn - Log a warning about the request but allow it to continue.
        • allow - Allow the request without any warning.
        transitional_mode Allow access to the database using the anonymous role:
        • disabled - Transitional mode is disabled. All connections must provide valid credentials and map to a login-enabled role.
        • permissive - Only super users are authenticated and logged in. All other authentication attempts are logged in as the anonymous user.
        • normal - Allow all connections that provide credentials. Maps all authenticated users to their role AND maps all other connections to anonymous.
        • strict - Allow only authenticated connections that map to a login-enabled role OR connections that provide a blank username and password as anonymous.
    2. Configure the DSE Role Manager by uncommenting role_management_options and setting the mode:
      role_management_options:
          mode: internal

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      Table 3. Role Management Modes
      scheme Description
      internal Assign the user name supplied by the authenticator a role that matches the user name, 1 to 1 mapping.
      ldap Look up the user name in LDAP using the ldap scheme and get the group membership, assign all roles that match a group name, 1 to many mapping.
      Note: When using Kerberos authentication, identify users by their email address in the LDAP search. The Kerberos Realm must match the domain in the email address.
    3. Configure the DSE Authorizer by uncommenting the authorization_options and changing the settings.
      authorization_options:
           enabled: true
           transitional_mode: normal
           allow_row_level_security: true

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required. Set enabled to true.
        enabled
        Whether to use the DSE Authorizer for role-based access control (RBAC).
        • true - use the DSE Authorizer for role-based access control (RBAC)
        • false - do not use the Dse Authorizer
        When not set, the default is false.

        Default: commented out (false)

      • Optional settings:
        transitional_mode: normal
          allow_row_level_security: true
        transitional_mode
        Allows the DSE Authorizer to operate in a temporary transitional mode during setup of authorization in a cluster. Set to one of the following values:
        • disabled - Transitional mode is disabled.
        • normal - Permissions can be passed to resources, but are not enforced.
        • strict - Permissions can be passed to resources, and are enforced on authenticated users. Permissions are not enforced against anonymous users.

        Default: commented out (disabled)

        allow_row_level_security
        Whether to enable row-level access control (RLAC) permissions; use the same setting on all nodes.
        • true - use row-level security
        • false - do not use row-level
        When not set, the default is false.

        Default: commented out (false)

  3. Configure selected authentication scheme options:
    Warning: In order for DSE to start up, the external service referenced in the kerberos_options and/or ldap_options must be accessible. If you are not using Kerberos-based authentication, comment out the kerberos_options.
  4. Set up JMX authentication to allow nodetool and dsetool operations, see Configuring JMX authentication.
  5. Restart DSE, see Starting DataStax Enterprise as a service or Starting DataStax Enterprise as a stand-alone process.

What's next

After restarting DSE, log into CQL shell and complete the set up: