About HCD Unified Authentication
HCD Unified Authentication facilitates connectivity to three primary backend authentication and authorization services: HCD Authenticator, HCD Role Manager, and HCD Authorizer.
HCD Authenticator
HCD Authenticator supports validating user identity against any of the following authentication schemes:
-
Internal: Connections provide credentials for a role that has an internally stored password. Ensure the
cassandra.yaml
configuration file enables theinternal_default
setting before HCD initializes. See Setting up logins and users. -
LDAP: Connections provide LDAP credentials. HCD passes the credentials for verification to LDAP. See Defining an LDAP scheme.
A connection request specifies a Simple Authentication and Security Layer (SASL) mechanism such as PLAIN, DIGEST-MD5, GSSAPI, or others. The PLAIN mechanism applies to both LDAP and Internal authentication schemes. HCD Authenticator uses a Kerberos scheme for both DIGEST-MD5 and GSSAPI mechanisms.
When a connection request specifies an authentication mechanism, HCD Authenticator validates the user request against its supported schemes. When no default mechanism is specified, HCD uses the Internal authentication scheme.
Examples
- PLAIN mechanism
-
Configuration file settings are
default_scheme = kerberos
,other_schemes=ldap,internal
. A connection request specifies a PLAIN mechanism (non-Kerberos). HCD Authenticator checks thedefault_scheme
but ignores the Kerberos authentication, despite it being the default setting. The first authentication validation attempt uses LDAP, and then Internal if LDAP fails.During the validation of a PLAIN mechanism, HCD Authenticator ignores any defined scheme that is not Internal or LDAP.
- GSSAPI mechanism
-
Configuration file settings are
default_scheme = internal
,other_schemes=ldap,kerberos
. A connection request specifies a GSSAPI mechanism (Kerberos). HCD Authenticator only uses Kerberos authentication, ignoring all other schemes.
It is possible to authenticate users without implementing access control using the HCD Authenticator; however, authentication is required for authorization and role management. |
HCD Role Manager
HCD Role Manager assigns roles using one of the following modes:
-
Internal: One-to-one mapping using an internally stored password. Requires a role for each account. A HCD tool sets a salted hash password.
-
LDAP: One-to-many mapping. Assigns HCD roles that match the user’s LDAP groups. Passwords are stored in the LDAP server.
For LDAP role management, HCD disables role nesting. You cannot use GRANT to assign a role to another role.
Next steps
- Steps for new deployment
-
Enable HCD Unified Authentication on a new deployment.
- Steps for production environments
-
Enable HCD Unified Authentication without downtime when implementing in a production or otherwise existing HCD environment.