Enabling DSE Unified Authentication

DSE Unified Authentication facilitates connectivity to three primary backend authentication and authorization services. DSE Unified Authentication uses the following services:

  • DSE Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and Kerberos authentication.

  • DSE Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.

  • DSE Authorizer: Provides access to control for database objects.

By default, DSE Authenticator and DSE Authorizer are disabled. Authenticators other than DseAuthenticator are not supported.

OpsCenter also provides support for LDAP configuration, authenticating users.

Prerequisites

Complete the following before enabling authentication:

  • When configuring an external authentication method such as Kerberos or LDAP ensure that the service is active and available.

    DSE fails to start when an authentication scheme or role management mode is configured but not available.

  • Configure the system_auth and dse_security keyspaces to use a replication factor of 3-5 for each datacenter, see Configuring the security keyspaces replication factors.

  • When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the anonymous role, see Steps for production environments for more details.

Procedure

Apply the following updates to each node:

  1. Locate the cassandra.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/cassandra/cassandra.yaml

    • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml

  2. In the cassandra.yaml file, verify that DSE Unified Authentication and Authorization features are configured:

    1. Verify that authenticator is set to DseAuthenticator.

      authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
    2. Verify that authorizer is set to DseAuthorizer.

      authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
    3. Verify that role_manager is set to DseRoleManager.

      role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
    4. To secure schema information, enable system_keyspaces_filtering. Users are only be able to see schema information for objects they have access permissions on.

      system_keyspaces_filtering: true
  3. Locate the dse.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/dse.yaml

    • Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

  4. In the dse.yaml file, configure the corresponding options:

    1. Configure the DseAuthenticator by uncommenting the authentication_options and changing the settings.

      # authentication_options:
      #     enabled: false
      #     default_scheme: internal
      #     allow_digest_with_kerberos: true
      #     plain_text_without_ssl: warn
      #     transitional_mode: disabled
      #     other_schemes:
      #     scheme_permissions: false

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required settings. Enable DSE Authenticator and select a scheme by uncommenting and setting the values:

        authentication_options:
             enabled: true
             default_scheme: internal
        #     allow_digest_with_kerberos: true
        #     plain_text_without_ssl: warn
        #     transitional_mode: disabled
        #     other_schemes:
        #     scheme_permissions: false

        If you plan to use only LDAP or Kerberos, include the internal scheme in other_schemes to allow access to the default cassandra account and complete the initial set up.

        Required authentication_options
        Option Description

        auth_enabled

        Turns on authentication using the default scheme.

        default_scheme

        Specifies the authentication scheme when not defined in the connection:

        • internal - Basic authentication using internal login role with password, supply the role name and password as credentials. No additional configuration required.

        • ldap - Plain text authentication using pass-through LDAP authentication. See Defining an LDAP scheme.

        • kerberos - GSSAPI authentication using the Kerberos authenticator. See Defining a Kerberos scheme.

      • Optional settings:

        authentication_options:
             enabled: true
             default_scheme: internal
             other_schemes:
               - kerberos
               - ldap
             scheme_permissions: false
             allow_digest_with_kerberos: false
             plain_text_without_ssl: warn
             transitional_mode: disabled

        scheme_permissions require EXECUTE permission for the selected scheme. Do not enable this option until after configuring your own root account.

      Optional authentication_options
      Option Description

      other_schemes

      scheme_permissions

      Validate that the role mapped to user matches the authentication scheme. Grant the role permission to the scheme.

      allow_digest_with_kerberos

      Allow Kerberos digest-md5 authentication.

      plain_text_without_ssl

      Handling of plain text connection requests:

      • block - Block the request with an authentication error.

      • warn - Log a warning but allow the request.

      • allow - Allow the request without any warning.

      transitional_mode

      Allow access to the database using the anonymous role:

      • disabled - Disable transitional mode. All connections must provide valid credentials and map to a login-enabled role.

      • permissive - Only super users are authenticated and logged in. All other authentication attempts are logged in as the anonymous user.

      • normal - Allow all connections that provide credentials. Maps all authenticated users to their role and maps all other connections to anonymous.

      • strict - Allow only authenticated connections that map to a login-enabled role OR connections that provide a blank username and password as anonymous.

    2. Configure the DSE Role Manager by uncommenting role_management_options and setting the mode:

      role_management_options:
          mode: internal

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      Role Management Modes
      scheme Description

      internal

      Assign the user name supplied by the authenticator a role that matches the user name, 1 to 1 mapping.

      ldap

      Look up the user name in LDAP using the ldap scheme and get the group membership, assign all roles that match a group name, 1 to many mapping.

      When using Kerberos authentication, identify users by their email address in the LDAP search. The Kerberos Realm must match the domain in the email address.

    3. Configure the DSE Authorizer by uncommenting the authorization_options and changing the settings.

      authorization_options:
           enabled: true
           transitional_mode: normal
           allow_row_level_security: true

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required. Set enabled to true.

        Enabled

        Enables the use of DSE Authorizer for role-based access control (RBAC).

        • true - Enable the DSE Authorizer for RBAC.

        • false - Do not use the DSE Authorizer.

        Default: false

      • Optional settings:

        transitional_mode: normal
        allow_row_level_security: true
        transitional_mode

        Allows the DSE Authorizer to operate in a temporary mode during authorization setup in a cluster. Set to one of the following values:

        • disabled - Transitional mode is disabled.

        • normal - Permissions can be passed to resources, but are not enforced.

        • strict - Permissions can be passed to resources, and are enforced on authenticated users. Permissions are not enforced against anonymous users.

        Default: disabled

        allow_row_level_security

        Enables row-level access control (RLAC) permissions. Use the same setting on all nodes. See xref:row-level-access-control-setup.adoc[Setting up Row Level Access Control (RLAC).

        • true - Use row-level security.

        • false - Do not use row-level security.

        Default: false

  5. Configure selected authentication scheme options:

    • Defining an LDAP scheme

    • Defining a Kerberos scheme

      For DSE to start up, the external service referenced in the kerberos_options and/or ldap_options must be accessible. If you are not using Kerberos-based authentication, comment out the kerberos_options.

  6. Set up JMX authentication to allow nodetool and dsetool operations, see Configuring JMX authentication.

  7. Restart DSE, see Starting DataStax Enterprise as a service or Starting DataStax Enterprise as a stand-alone process.

What is Next

After restarting DSE, log into CQL shell and complete the set up:

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com