Enable HCD unified authentication
HCD Unified Authentication connects to three backend authentication and authorization services:
- HCD Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and OpenID Connect (OIDC).
- HCD Role Manager: Assigns roles by mapping user names to role names, or looks up group membership in LDAP and maps the group names to role names.
- HCD Authorizer: Provides access control for database objects.
By default, HCD Authenticator and HCD Authorizer are disabled. Authenticators other than AdvancedAuthenticator are not supported.
Prerequisites
Complete the following before enabling authentication:
- When configuring an external authentication method such as Kerberos or LDAP, ensure that the service is active and available. HCD fails to start when an authentication scheme or role management mode is configured but not available.
- Configure the system_auth keyspace to use a replication factor of 3-5 for each datacenter; see Configure the security keyspaces replication factors.
- When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the anonymous role; see Steps for production environments for more details.
Update configuration files
Apply the following updates to each node:
- Locate the cassandra.yaml configuration file. The location of this file depends on the type of installation:
  - Package installations: /etc/hcd/cassandra/cassandra.yaml
  - Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml
- In the cassandra.yaml file, verify that the HCD Unified Authentication and Authorization features are configured:
  - Verify that authenticator is set to AdvancedAuthenticator:
      authenticator: com.datastax.cassandra.auth.AdvancedAuthenticator
  - Verify that authorizer is set to AdvancedAuthorizer:
      authorizer: com.datastax.cassandra.auth.AdvancedAuthorizer
  - Verify that role_manager is set to AdvancedRoleManager:
      role_manager: com.datastax.cassandra.auth.AdvancedRoleManager
  - To secure schema information, enable system_keyspaces_filtering. Users are then only able to see schema information for objects they have access permissions on:
      system_keyspaces_filtering: true
- In the cassandra.yaml file, configure the corresponding options:
  - Configure the AdvancedAuthenticator by uncommenting the authenticator.parameters block and changing the settings:
      # authenticator:
      #   class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
      #   parameters:
      #     enabled: false
      #     default_scheme: internal
      #     additional_schemes: oidc, ldap
      #     plain_text_without_ssl: warn
    Remove all pound signs (#) at the beginning of each line while preserving the spacing.
  - Required settings. Enable HCD Authenticator and select a scheme by uncommenting and setting the values:
      authenticator:
        class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
        parameters:
          enabled: true
          default_scheme: internal
          additional_schemes: oidc, ldap
          plain_text_without_ssl: warn
    If you plan to use only LDAP or OIDC, include the internal scheme in additional_schemes to allow access to the default cassandra account and complete the initial set up.
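As an added example (not part of the HCD documentation or product), the following Python script checks a cassandra.yaml for the settings this page requires and flags the caveat above, an LDAP- or OIDC-only configuration that leaves out the internal scheme. It assumes the nested authenticator form shown in the required settings and uses a minimal key/value reader rather than PyYAML.

```python
# Added example, not from the HCD docs: audit the Unified Authentication settings
# in a cassandra.yaml via a tiny 'key: value' reader (no PyYAML; not a general parser).
EXPECTED = {  # dotted path -> value this page requires
    "authenticator.class_name": "com.datastax.cassandra.auth.AdvancedAuthenticator",
    "authenticator.parameters.enabled": "true",
    "authorizer": "com.datastax.cassandra.auth.AdvancedAuthorizer",
    "role_manager": "com.datastax.cassandra.auth.AdvancedRoleManager",
    "system_keyspaces_filtering": "true",
}

def read_flat(text):
    """Flatten nested 'key: value' lines to dotted keys, ignoring '#' comments."""
    flat, stack = {}, []  # stack holds (indent, key) of the enclosing blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # a still-commented block vanishes
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and indent <= stack[-1][0]:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            flat[path] = value.strip()
        else:
            stack.append((indent, key))
    return flat

def audit_auth_settings(text):
    """Return findings for settings that differ from this page; [] means all match."""
    cfg = read_flat(text)
    findings = [f"{k} is not {v}" for k, v in EXPECTED.items() if cfg.get(k) != v]
    # Page caveat: LDAP/OIDC-only setups still need internal for the default cassandra account.
    params = "authenticator.parameters."
    schemes = {s.strip() for s in cfg.get(params + "additional_schemes", "").split(",")}
    if "internal" not in schemes | {cfg.get(params + "default_scheme")}:
        findings.append("internal scheme not enabled; initial set up would be blocked")
    return findings

SAMPLE_YAML = """\
authenticator:
  class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
  parameters:
    enabled: true
    default_scheme: ldap
    additional_schemes: oidc, internal
authorizer: com.datastax.cassandra.auth.AdvancedAuthorizer
role_manager: com.datastax.cassandra.auth.AdvancedRoleManager
system_keyspaces_filtering: true
"""  # constructed sample: LDAP default, internal kept for initial set up
```

Run audit_auth_settings on the node's actual cassandra.yaml text; an empty list means every setting on this page is in place, and any block you forgot to uncomment shows up as a missing key.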