Add a superuser login

After enabling role-based access control, create your own superuser account and disable or drop the default cassandra account. Roles created with the superuser option have full access to the database; users with the superuser role can run any CQL commands on all database resources.

Prerequisites

Isolate the HCD cluster and enable RBAC, see Set up logins and users.

Procedure

  1. Log in to CQL shell (cqlsh) with the cassandra user:

    cqlsh -u cassandra -p cassandra

  2. Create a new superuser account with password stored in the CQL database:

    CREATE ROLE <root_user_name>
  WITH SUPERUSER = true
  AND LOGIN = true
  AND PASSWORD = '<password>';

    or create the new superuser account with a hashed password:

    CREATE ROLE <root_user_name>
  WITH SUPERUSER = true
  AND LOGIN = true
  AND HASHED PASSWORD = '<hashed_password>';

  3. Exit cqlsh:

    EXIT;

  4. To disable or drop the cassandra role, log in with the new role created in the previous step:

    cqlsh -u <root_user>

    Enter the password at the prompt.

  5. Verify that the role was created as a superuser using LIST ROLES:

    LIST ROLES;
     role                | super | login | options
---------------------+-------+-------+---------
           root_user |  True |  True |        {}
           cassandra |  True |  True |        {}
(2 rows)

  6. Drop or update the cassandra account:

    • Drop the cassandra account:

      DROP ROLE cassandra;

    • Update the cassandra role by disabling superuser and changing the password:

      ALTER ROLE cassandra
  WITH SUPERUSER = false
  AND LOGIN = false
  AND PASSWORD='new_secret_pw';

      or with a hashed password:

      ALTER ROLE cassandra
WITH SUPERUSER = false
AND LOGIN = false
AND HASHED PASSWORD='$2a$10$4N5j5py12OySiSy9L2RHduOjFFetJ1d9hqCoZYtQC3kJOwdg3hbOC';

    DataStax recommends dropping the account to secure the database in production environments. When using an external authentication method, such as LDAP, this prevents accidentally assignment with elevated privileges.

  7. Verify that the cassandra role was deleted:

    LIST ROLES;

    Only the roles created in these steps display:

     role                | super | login | options
---------------------+-------+-------+---------
           root_user |  True |  True |        {}

(1 rows)

  8. Reopen the firewall to support production CQL traffic.

Next steps

Set up roles that map to the user or group names for the configured authentication schemes:

Add database users

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com