About HCD Unified Authentication

HCD Unified Authentication facilitates connectivity to three primary backend authentication and authorization services: HCD Authenticator, HCD Role Manager, and HCD Authorizer.

HCD Authenticator

AdvancedAuthenticator supports validating user identity against any of the following authentication schemes:

When a connection request specifies a PLAIN mechanism, HCD Authenticator first tries to validate using the authentication scheme defined in the default_scheme field of the cassandra.yaml configuration file. If the validation fails, then HCD Authenticator attempts to authenticate against schemes defined in the additional_schemes field in the order they are defined.

Examples

PLAIN mechanism

Configuration file settings are default_scheme = kerberos, other_schemes=ldap,internal. A connection request specifies a PLAIN mechanism (non-Kerberos). HCD Authenticator checks the default_scheme but ignores the Kerberos authentication, despite it being the default setting. The first authentication validation attempt uses LDAP, and then Internal if LDAP fails.

During the validation of a PLAIN mechanism, HCD Authenticator ignores any defined scheme that is not Internal or LDAP.
GSSAPI mechanism

Configuration file settings are default_scheme = internal, other_schemes=ldap,kerberos. A connection request specifies a GSSAPI mechanism (Kerberos). HCD Authenticator only uses Kerberos authentication, ignoring all other schemes.

It is possible to authenticate users without implementing access control using the HCD Authenticator; however, authentication is required for authorization and role management.

HCD Role Manager

HCD Role Manager assigns roles using one of the following modes:

  • Internal: One-to-one mapping using an internally stored password. Requires a role for each account. A HCD tool sets a salted hash password.

  • LDAP: One-to-many mapping. Assigns HCD roles that match the user’s LDAP groups. Passwords are stored in the LDAP server.

    For LDAP role management, HCD disables role nesting. You cannot use GRANT to assign a role to another role.

HCD Authorizer

HCD Authorizer analyzes the request against the role permissions on each affected resource before allowing the request to be executed.

Set and remove permissions on database resources with GRANT and REVOKE.

Next steps

Steps for new deployment

Enable HCD Unified Authentication on a new deployment.

Steps for production environments

Enable HCD Unified Authentication without downtime when implementing in a production or otherwise existing HCD environment.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com