About HCD Unified Authentication

HCD Unified Authentication facilitates connectivity to three primary backend authentication and authorization services: HCD Authenticator, HCD Role Manager, and HCD Authorizer.

HCD Authenticator

HCD Authenticator supports validating user identity against any of the following authentication schemes:

  • Internal: Connections provide credentials for a role that has an internally stored password. Ensure the cassandra.yaml configuration file enables the internal_default setting before HCD initializes. See Setting up logins and users.

  • LDAP: Connections provide LDAP credentials. HCD passes the credentials for verification to LDAP. See Defining an LDAP scheme.

A connection request specifies a Simple Authentication and Security Layer (SASL) mechanism such as PLAIN, DIGEST-MD5, GSSAPI, or others. The PLAIN mechanism applies to both LDAP and Internal authentication schemes. HCD Authenticator uses a Kerberos scheme for both DIGEST-MD5 and GSSAPI mechanisms.

When a connection request specifies an authentication mechanism, HCD Authenticator validates the user request against its supported schemes. When no default mechanism is specified, HCD uses the Internal authentication scheme.

Examples

PLAIN mechanism

Configuration file settings are default_scheme = kerberos, other_schemes=ldap,internal. A connection request specifies a PLAIN mechanism (non-Kerberos). HCD Authenticator checks the default_scheme but ignores the Kerberos authentication, despite it being the default setting. The first authentication validation attempt uses LDAP, and then Internal if LDAP fails.

During the validation of a PLAIN mechanism, HCD Authenticator ignores any defined scheme that is not Internal or LDAP.
GSSAPI mechanism

Configuration file settings are default_scheme = internal, other_schemes=ldap,kerberos. A connection request specifies a GSSAPI mechanism (Kerberos). HCD Authenticator only uses Kerberos authentication, ignoring all other schemes.

It is possible to authenticate users without implementing access control using the HCD Authenticator; however, authentication is required for authorization and role management.

HCD Role Manager

HCD Role Manager assigns roles using one of the following modes:

  • Internal: One-to-one mapping using an internally stored password. Requires a role for each account. A HCD tool sets a salted hash password.

  • LDAP: One-to-many mapping. Assigns HCD roles that match the user’s LDAP groups. Passwords are stored in the LDAP server.

    For LDAP role management, HCD disables role nesting. You cannot use GRANT to assign a role to another role.

HCD Authorizer

HCD Authorizer analyzes the request against the role permissions on each affected resource before allowing the request to be executed.

Set and remove permissions on database resources with GRANT and REVOKE.

Next steps

Steps for new deployment

Enable HCD Unified Authentication on a new deployment.

Steps for production environments

Enable HCD Unified Authentication without downtime when implementing in a production or otherwise existing HCD environment.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com