Enable HCD unified authentication

HCD Unified Authentication connects to three primary backend authentication and authorization services:

  • HCD Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and OpenID Connect (OIDC).

  • HCD Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.

  • HCD Authorizer: Provides access control for database objects.

By default, HCD Authenticator and HCD Authorizer are disabled. Authenticators other than AdvancedAuthenticator are not supported.

Prerequisites

Complete the following before enabling authentication:

  • When configuring an external authentication method such as Kerberos or LDAP, ensure that the service is active and available.

    HCD fails to start when an authentication scheme or role management mode is configured but not available.

  • Configure the system_auth keyspace to use a replication factor of 3-5 for each datacenter. See Configure the security keyspaces replication factors.

  • When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the anonymous role. See Steps for production environments for more details.

Update configuration files

Apply the following updates to each node:

  1. Locate the cassandra.yaml configuration file.

    The location of the cassandra.yaml file depends on your installation type.

    • Package installations: /etc/hcd/cassandra/cassandra.yaml

    • Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml

  2. In the cassandra.yaml file, verify that HCD Unified Authentication and Authorization features are configured:

    1. Verify that authenticator is set to AdvancedAuthenticator.

      authenticator: com.datastax.cassandra.auth.AdvancedAuthenticator

    2. Verify that authorizer is set to AdvancedAuthorizer.

      authorizer: com.datastax.cassandra.auth.AdvancedAuthorizer

    3. Verify that role_manager is set to AdvancedRoleManager.

      role_manager: com.datastax.cassandra.auth.AdvancedRoleManager

  3. In the cassandra.yaml file, configure the corresponding options:

    Uncomment the authenticator.parameters section and update the settings as needed. Remove all pound signs (#) at the beginning of each line while preserving the spacing.

    # authenticator:
    #   class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
    #   parameters:
    #     enabled: false
    #     default_scheme: internal
    #     additional_schemes: oidc, ldap
    #     plain_text_without_ssl: warn

    Required settings

    Enable HCD Authenticator and select a scheme by uncommenting and setting the values:

    authenticator:
      class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
      parameters:
        enabled: true
        default_scheme: internal
        additional_schemes: oidc, ldap
        plain_text_without_ssl: warn

    If you plan to use only LDAP or OIDC, include the internal scheme in additional_schemes to allow access to the default cassandra account and complete the initial setup.
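The following Python check is an added example, not part of the HCD documentation or tooling. It audits the text of a cassandra.yaml file for the settings described in steps 2 and 3; the function names, the minimal line parser (which handles only the subset of YAML shown on this page), and the sample file are assumptions made for this example.

```python
EXPECTED = {
    "authenticator": "com.datastax.cassandra.auth.AdvancedAuthenticator",
    "authorizer": "com.datastax.cassandra.auth.AdvancedAuthorizer",
    "role_manager": "com.datastax.cassandra.auth.AdvancedRoleManager",
}

def parse_block(text, key):
    """Flatten one top-level key (scalar or mapping form) into a dict."""
    out, inside = {}, False
    for line in (raw.split(" #", 1)[0] for raw in text.splitlines()):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # blank, or still commented out
        if not line[0].isspace():          # a top-level key opens or closes a block
            inside = line.startswith(key + ":")
            if inside and line.split(":", 1)[1].strip():
                out["class_name"] = line.split(":", 1)[1].strip()
        elif inside:                       # nested class_name / parameters entries
            k, _, v = line.strip().partition(":")
            out[k] = v.strip()
    return out

def audit_auth_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, want in EXPECTED.items():
        found = parse_block(text, key).get("class_name")
        if found != want:
            findings.append(f"{key}: expected {want}, found {found}")
    p = parse_block(text, "authenticator")
    if p.get("enabled") != "true":
        findings.append("authenticator: enabled is not true")
    schemes = [p.get("default_scheme", "")] + p.get("additional_schemes", "").split(",")
    if "internal" not in {s.strip() for s in schemes}:
        findings.append("authenticator: internal scheme not listed")
    return findings

# Constructed sample: LDAP as the default scheme, internal scheme left out.
SAMPLE = """\
authenticator:
  class_name: com.datastax.cassandra.auth.AdvancedAuthenticator
  parameters:
    enabled: true
    default_scheme: ldap
    additional_schemes: oidc
authorizer: com.datastax.cassandra.auth.AdvancedAuthorizer
role_manager: com.datastax.cassandra.auth.AdvancedRoleManager
"""

if __name__ == "__main__":
    print("\n".join(audit_auth_config(SAMPLE)) or "OK")
```

A file whose authenticator section is still commented out fails every check, which catches the case where the pound signs were not removed.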
