Enable HCD unified authentication

HCD Unified Authentication facilitates connectivity to three primary backend authentication and authorization services. HCD Unified Authentication uses the following services:

  • HCD Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and OpenID Connect (OIDC).

  • HCD Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.

  • HCD Authorizer: Provides access to control for database objects.

By default, HCD Authenticator and HCD Authorizer are disabled. Authenticators other than AdvancedAuthenticator are not supported.

Prerequisites

Complete the following before enabling authentication:

  • For external authentication methods, such as LDAP, ensure that the service is active and available.

    HCD cannot start if a configured authentication service isn’t available.

  • Configure the system_auth keyspace to use a replication factor of 3-5 for each datacenter, see Configure the security keyspaces replication factors.

  • When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the anonymous role, see Steps for production environments for more details.

Configure Unified Authentication

Make the following changes on each node:

  1. Locate the cassandra.yaml configuration file.

    The location of the cassandra.yaml file depends on your installation type.

    • Package installations: /etc/hcd/cassandra/cassandra.yaml

    • Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml

  2. In the cassandra.yaml file, verify that HCD Unified Authentication and Authorization features are configured:

    1. Verify that authenticator is set to AdvancedAuthenticator:

      authenticator: com.datastax.cassandra.auth.AdvancedAuthenticator
    2. Verify that authorizer is set to AdvancedAuthorizer:

      authorizer: com.datastax.cassandra.auth.AdvancedAuthorizer
    3. Verify that role_manager is set to AdvancedRoleManager:

      role_manager: com.datastax.cassandra.auth.AdvancedRoleManager
  3. In the cassandra.yaml file, uncomment the authenticator.parameters section, and then configure the corresponding settings for your environment.

    Be sure to preserve spacing when uncommenting lines.

    authenticator:
      class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
      parameters:
        enabled: true
        default_scheme: internal
        additional_schemes: oidc, ldap
        plain_text_without_ssl: warn
    authenticator fields
    Field Required or optional Description

    class_name

    Required

    Must be set to com.datastax.cassandra.auth.AdvancedAuthenticator.

    parameters.enabled

    Required

    Must be set to true to enable Unified Authentication.

    When true, allows authentication using the default_scheme and additional_schemes.

    default_scheme

    Required

    Specifies the authentication scheme to use when the scheme isn’t defined in the connection:

    • internal: HTTP basic authentication using internal login roles and passwords. No additional configuration required.

    • ldap: Plain text authentication using pass-through LDAP authentication. Requires additional configuration, as explained in Define an LDAP scheme.

      For HCD to start up, the external service referenced in the ldap_options must be accessible.

    • oidc: OpenID Connect authentication using modern identity providers. Requires additional configuration, as explained in Configure OpenID Connect (OIDC) authentication.

    additional_schemes

    Optional, Recommended

    Additional authentication schemes to support alongside the default scheme.

    If you plan to use only LDAP or OIDC, include the internal scheme in additional_schemes temporarily. This is required to allow access to the default cassandra account and complete the initial setup. Once you create a new superuser role, you can disable the cassandra account and remove internal from additional_schemes.

    plain_text_without_ssl

    Optional

    Handling of plain text connection requests.

  4. If you haven’t created a new superuser (root) account, make sure authorization_options.scheme_permissions is set to false.

    authorization_options.scheme_permissions: true requires EXECUTE permission for the authorized scheme. Don’t enable this option until after configuring a new superuser account. Don’t use the default cassandra account.

  5. Configure JMX authentication to allow authenticated nodetool operations.

  6. Restart the HCD node.

  7. Use cqlsh to do the following:

  8. Repeat for all nodes in the cluster.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2026 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM