Enabling DSE Unified Authentication

Steps to enable and configure the DSE Unified Authentication.

DSE Unified Authentication facilitates connectivity to three primary backend authentication and authorization services. DSE Unified Authentication uses the following services:
  • DSE Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and Kerberos authentication.
  • DSE Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.
  • DSE Authorizer: Provides access to control for database objects.

By default, DSE Authenticator and DSE Authorizer are disabled. Authenticators other than DseAuthenticator are not supported.

OpsCenter also provides support for LDAP configuration, authenticating users.

dse.yaml

The location of the dse.yaml file depends on the type of installation:
Package installations /etc/dse/dse.yaml
Tarball installations installation_location/resources/dse/conf/dse.yaml

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra.yaml
Tarball installations installation_location/resources/cassandra/conf/cassandra.yaml

Prerequisites

Complete the following before enabling authentication:
  • When configuring an external authentication method such as Kerberos or LDAP ensure that the service is active and available.
    Warning: DSE fails to start when an authentication scheme or role management mode is configured but not available.
  • Configure the system_auth and dse_security keyspaces to use a replication factor of 3-5 for each datacenter, see Configuring the security keyspaces replication factors.
  • When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the anonymous role, see Steps for production environments for more details.

Procedure

Apply the following updates to each node:
  1. In the cassandra.yaml file, verify that DSE Unified Authentication and Authorization features are configured:
    1. Verify that authenticator is set to DseAuthenticator. 
      authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
    2. Verify that is set to DseAuthorizer. 
      authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
    3. Verify that is set to DseRoleManager. 
      role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
    4. To secure schema information, enable . Users will only be able to see schema information for objects they have access permissions on. 
      system_keyspaces_filtering: true
  2. In the dse.yaml file, configure the corresponding options:
    1. Configure the DseAuthenticator by uncommenting the authentication_options and changing the settings. 
      # authentication_options:
#     enabled: false
#     default_scheme: internal
#     allow_digest_with_kerberos: true
#     plain_text_without_ssl: warn
#     transitional_mode: disabled
#     other_schemes:
#     scheme_permissions: false

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required settings. Enable DSE Authenticator and select a scheme by uncommenting and setting the values:
        authentication_options:
     enabled: true
     default_scheme: internal
#     allow_digest_with_kerberos: true
#     plain_text_without_ssl: warn
#     transitional_mode: disabled
#     other_schemes:
#     scheme_permissions: false
        Note: If you plan to use only LDAP or Kerberos, include the internal scheme in other_schemes to allow access to the default cassandra account and complete the initial set up.
        Table 1. Required authentication_options
        Option Description
        Turns on authentication using the default scheme.
        Specifies the authentication scheme when not defined in the connection:
        • internal - Basic authentication using internal login role with password, supply the role name and password as credentials. No additional configuration required.
        • ldap - Plain text authentication using pass-through LDAP authentication. See Defining an LDAP scheme.
        • kerberos - GSSAPI authentication using the Kerberos authenticator. See Defining a Kerberos scheme.
      • Optional settings:
        authentication_options:
     enabled: true
     default_scheme: internal
     other_schemes:
       - kerberos
       - ldap
     scheme_permissions: false
     allow_digest_with_kerberos: false
     plain_text_without_ssl: warn
     transitional_mode: disabled
        Warning: scheme_permissions require EXECUTE permission for the selected scheme. Do not enable this option until after configuring your own root account.
        Table 2. Optional authentication_options
        Option Description
        Validate that the role mapped to user matches the authentication scheme. Grant the role permission to the scheme.
        Allow Kerberos digest-md5 authentication.
        Handling of plain text connection requests:
        • block - Block the request with an authentication error.
        • warn - Log a warning but allow the request.
        • allow - Allow the request without any warning.
        Allow access to the database using the anonymous role:
        • disabled - Disable transitional mode. All connections must provide valid credentials and map to a login-enabled role.
        • permissive - Only super users are authenticated and logged in. All other authentication attempts are logged in as the anonymous user.
        • normal - Allow all connections that provide credentials. Maps all authenticated users to their role, and maps all other connections to anonymous.
        • strict - Allow only authenticated connections that map to a login-enabled role OR connections that provide a blank username and password as anonymous.
    2. Configure the DSE Role Manager by uncommenting role_management_options and setting the mode: 
      role_management_options:
    mode: internal

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      Table 3. Role Management Modes
      scheme Description
      internal Assign the user name supplied by the authenticator a role that matches the user name, 1 to 1 mapping.
      ldap Look up the user name in LDAP using the ldap scheme and get the group membership, assign all roles that match a group name, 1 to many mapping.
      Note: When using Kerberos authentication, identify users by their email address in the LDAP search. The Kerberos Realm must match the domain in the email address.
    3. Configure the DSE Authorizer by uncommenting the authorization_options and changing the settings. 
      authorization_options:
     enabled: true
     transitional_mode: normal
     allow_row_level_security: true

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required. Set enabled to true.
        enabled
        Enables the DSE Authorizer for role-based access control (RBAC).
        • true - Enable the DSE Authorizer for RBAC.
        • false - Do not use the DSE Authorizer.

        Default: false

      • Optional settings:
        transitional_mode: normal
  allow_row_level_security: true
        transitional_mode
        Allows the DSE Authorizer to operate in a temporary mode during authorization setup in a cluster.
        • disabled - Transitional mode is disabled.
        • normal - Permissions can be passed to resources, but are not enforced.
        • strict - Permissions can be passed to resources, and are enforced on authenticated users. Permissions are not enforced against anonymous users.

        Default: disabled

        allow_row_level_security
        Enables row-level access control (RLAC) permissions. Use the same setting on all nodes. See Setting up Row Level Access Control (RLAC).
        • true - Use row-level security.
        • false - Do not use row-level security.

        Default: false

  3. Configure selected authentication scheme options:
    Warning: In order for DSE to start up, the external service referenced in the kerberos_options and/or ldap_options must be accessible. If you are not using Kerberos-based authentication, comment out the kerberos_options.
  4. Set up JMX authentication to allow nodetool and dsetool operations, see Configuring JMX authentication.
  5. Restart DSE, see or .

What's next

After restarting DSE, log into CQL shell and complete the set up: