Internally stored passwords
DataStax Enterprise (DSE) uses DSE Authenticator to validate user identity against all supported authentication schemes: Internal, LDAP, and Kerberos. Specifically, the Internal authentication scheme stores credentials for a role internally. It is plain text authentication.
DSE uses the dse.yaml configuration settings to set up authentication schemes during initialization. Preconfigure the authentication_options:enabled settings to true, toggling from the default of false. Ensure the authentication_options:default_scheme is set to internal, which is the default. See
authentication_options.
DseAuthenticator is the default in the cassandra.yaml configuration file.
Each user account stored in DSE is a role with a login and password.
The password is stored as a hash.
See adding database users.
For example, the following command shows how a password is stored for a default cassandra user:
select * from system_auth.roles where role = 'cassandra';Sample results
role | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
cassandra | True | True | null | $2x$10$XXXXXxx2XxX6Xx532.8xX.xXxXxXxXX5xxxXXxOX3Xx1XxXX3xXXThe password hash uses a random salt to guarantee the password for each user is different. For example, create a user with a test2 role using the same password as the cassandra user. Run the command and compare the hashed passwords.
select * from system_auth.roles;Sample results
role | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
test2 | True | False | null | $2z$10$zzZzZ2zZZZz49zZZZzzZZzz4O/Z8Z4zzzzzzZZZZZzZZZZ22zzzZz
cassandra | True | True | null | $2x$10$XXXXXxx2XxX6Xx532.8xX.xXxXxXxXX5xxxXXxOX3Xx1XxXX3xXX