Enable HCD unified authentication
HCD Unified Authentication facilitates connectivity to three primary backend authentication and authorization services. HCD Unified Authentication uses the following services:
-
HCD Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and OpenID Connect (OIDC).
-
HCD Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.
-
HCD Authorizer: Provides access to control for database objects.
By default, HCD Authenticator and HCD Authorizer are disabled. Authenticators other than AdvancedAuthenticator are not supported.
Prerequisites
Complete the following before enabling authentication:
-
For external authentication methods, such as LDAP, ensure that the service is active and available.
HCD cannot start if a configured authentication service isn’t available.
-
Configure the
system_authkeyspace to use a replication factor of 3-5 for each datacenter, see Configure the security keyspaces replication factors. -
When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the
anonymousrole, see Steps for production environments for more details.
Configure Unified Authentication
Make the following changes on each node:
-
Locate the
cassandra.yamlconfiguration file.The location of the
cassandra.yamlfile depends on your installation type.-
Package installations:
/etc/hcd/cassandra/cassandra.yaml -
Tarball installations:
INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml
-
-
In the
cassandra.yamlfile, verify that HCD Unified Authentication and Authorization features are configured:-
Verify that authenticator is set to
AdvancedAuthenticator:authenticator: com.datastax.cassandra.auth.AdvancedAuthenticator -
Verify that authorizer is set to
AdvancedAuthorizer:authorizer: com.datastax.cassandra.auth.AdvancedAuthorizer -
Verify that role_manager is set to
AdvancedRoleManager:role_manager: com.datastax.cassandra.auth.AdvancedRoleManager
-
-
In the
cassandra.yamlfile, uncomment theauthenticator.parameterssection, and then configure the corresponding settings for your environment.Be sure to preserve spacing when uncommenting lines.
authenticator: class_name: com.datastax.cassandra.auth.AdvancedAuthenticator parameters: enabled: true default_scheme: internal additional_schemes: oidc, ldap plain_text_without_ssl: warnauthenticatorfieldsField Required or optional Description class_nameRequired
Must be set to
com.datastax.cassandra.auth.AdvancedAuthenticator.parameters.enabledRequired
Must be set to
trueto enable Unified Authentication.When
true, allows authentication using thedefault_schemeandadditional_schemes.default_schemeRequired
Specifies the authentication scheme to use when the scheme isn’t defined in the connection:
-
internal: HTTP basic authentication using internal login roles and passwords. No additional configuration required. -
ldap: Plain text authentication using pass-through LDAP authentication. Requires additional configuration, as explained in Define an LDAP scheme.For HCD to start up, the external service referenced in the
ldap_optionsmust be accessible. -
oidc: OpenID Connect authentication using modern identity providers. Requires additional configuration, as explained in Configure OpenID Connect (OIDC) authentication.
additional_schemesOptional, Recommended
Additional authentication schemes to support alongside the default scheme.
If you plan to use only LDAP or OIDC, include the
internalscheme inadditional_schemestemporarily. This is required to allow access to the defaultcassandraaccount and complete the initial setup. Once you create a new superuser role, you can disable thecassandraaccount and removeinternalfromadditional_schemes.plain_text_without_sslOptional
Handling of plain text connection requests.
-
-
If you haven’t created a new superuser (root) account, make sure
authorization_options.scheme_permissionsis set tofalse.authorization_options.scheme_permissions: truerequiresEXECUTEpermission for the authorized scheme. Don’t enable this option until after configuring a new superuser account. Don’t use the defaultcassandraaccount. -
Configure JMX authentication to allow authenticated
nodetooloperations. -
Use
cqlshto do the following:-
Create a superuser account if you haven’t doneso already.
-
Disable the default
cassandraaccount if you haven’t done so already.
-
-
Repeat for all nodes in the cluster.