Add database users

A user account stored in the Hyper-Converged Database (HCD) is a role that has a login and a password or hashed password.

Enable the internal scheme in the authenticator.parameters section of the cassandra.yaml configuration file.

By default, authentication is disabled in HCD. You must enable it by setting enabled: true in the authenticator parameters before creating database users.

Create a role

  1. Create a role with login enabled and an internally stored password:

    CREATE ROLE <role_name>
    WITH LOGIN = true
    AND PASSWORD = '<password_string>';

    where:

    • <role_name>: The user name for authentication. Enclose role names that include uppercase or special characters in double quotes.

    • LOGIN = true: Allows the role to access the database.

    • PASSWORD = '<default_password>': Stored internally for database-managed accounts.

    • (Optional) superuser = true: Gives the user full access to all database objects. See Add a superuser login.

    This command can also be modified to use a hashed password:

    CREATE ROLE <role_name>
    WITH LOGIN = true
    AND HASHED PASSWORD = '<hashed_password_string>';

    The hashed password uses bcrypt hashing with a log2 factor of 10.

    HCD uses the bcrypt library (based on the Blowfish cipher) with a log2 factor of 10 to generate the random salt that is added to the password hash.

    To allow the role to be used for authentication when scheme permissions are enabled, bind the role to an authentication scheme:

    GRANT EXECUTE
    ON INTERNAL SCHEME
    TO <role_name>;

  2. To allow another role to manage the new role:

    GRANT AUTHORIZE FOR ALTER, DROP
    ON <new_role_name>
    TO <management_role>;

    All superusers have authorize permissions on all roles, and the role that created a role is granted all permissions on it.

  3. Each user can change their own password with the ALTER ROLE command.

    1. Log in with the role name:

      cqlsh -u <role_name> -p <default_password>

    2. Change the password:

      ALTER ROLE <role_name>
      WITH password = '<newpassword>';

      Or, if using a hashed password:

      ALTER ROLE <role_name>
      WITH HASHED PASSWORD = '<Hashed_newpassword>';
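
A check that can run before the HASHED PASSWORD forms of CREATE ROLE and ALTER ROLE above are sent to the database, so that a plaintext password or a hash with a different work factor never ends up in the statement. This is an added example, not DataStax code; the function names, the accepted $2a$/$2b$/$2y$ prefixes, the unquoted-identifier pattern, and the sample hash are assumptions made for illustration.

```python
import re

# bcrypt modular crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$2([aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
EXPECTED_COST = 10  # log2 factor stated on this page


def parse_bcrypt(hashed):
    """Return (variant, cost) for a well-formed bcrypt string, else raise ValueError."""
    m = BCRYPT_RE.fullmatch(hashed)
    if m is None:
        raise ValueError("not a 60-character bcrypt hash")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside 4..31")
    return m.group(1), cost


def quote_role(name):
    """Double-quote role names that contain uppercase or special characters."""
    if re.fullmatch(r"[a-z][a-z0-9_]*", name):
        return name
    return '"' + name.replace('"', '""') + '"'


def create_role_cql(role, hashed, expected_cost=EXPECTED_COST):
    """Build CREATE ROLE ... HASHED PASSWORD after checking hash format and cost."""
    _, cost = parse_bcrypt(hashed)
    if cost != expected_cost:
        raise ValueError(f"cost {cost} differs from expected {expected_cost}")
    # The bcrypt alphabet has no quote characters, so the literal needs no escaping.
    return (f"CREATE ROLE {quote_role(role)}\n"
            f"WITH LOGIN = true\n"
            f"AND HASHED PASSWORD = '{hashed}';")


# Constructed sample: correct shape only, not the hash of any real password.
SAMPLE_HASH = "$2a$10$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    print(create_role_cql("AppReader", SAMPLE_HASH))
```
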

Next steps

Assign permissions to the role. See Assign permissions.

© 2025 DataStax