Internally stored passwords
Hyper-Converged Database (HCD) uses HCD Authenticator to validate user identity against all supported authentication schemes: Internal and LDAP. Specifically, the Internal authentication scheme stores credentials for a role internally. It is plain text authentication.
HCD uses the cassandra.yaml configuration settings to set up authentication schemes during initialization.
Preconfigure the authenticator.parameters.enabled setting to true, toggling from the default of false. Ensure the authenticator.parameters.default_scheme is set to internal, which is the default.
See Enable HCD authentication.
AdvancedAuthenticator is the default in the cassandra.yaml configuration file.
Each user account stored in HCD is a role with a login and password.
The password is stored as a hash.
See add database users.
For example, the following command shows how a password is stored for a default cassandra user:
select * from system_auth.roles where role = 'cassandra';
Sample results
role | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
cassandra | True | True | null | $2x$10$XXXXXxx2XxX6Xx532.8xX.xXxXxXxXX5xxxXXxOX3Xx1XxXX3xXX
The password hash uses a random salt to guarantee that the stored hash for each user is different, even when users share the same password.
For example, create a user with a test2 role using the same password as the cassandra user.
Run the following command and compare the hashed passwords.
select * from system_auth.roles;
Sample results
role | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
test2 | True | False | null | $2z$10$zzZzZ2zZZZz49zZZZzzZZzz4O/Z8Z4zzzzzzZZZZZzZZZZ22zzzZz
cassandra | True | True | null | $2x$10$XXXXXxx2XxX6Xx532.8xX.xXxXxXxXX5xxxXXxOX3Xx1XxXX3xXX
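
The comparison above can be automated. The following is an added example, not HCD or DataStax code: it parses cqlsh-style output of the system_auth.roles query and flags roles whose salted_hash is malformed, uses a low cost, or shares a salt with another role. It assumes the values follow the bcrypt modular crypt layout that the $2…$10$ prefix in the sample results suggests; the function names, the min_cost threshold and the sample rows are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout: $<version>$<cost>$<22-char salt><31-char digest>
HASH_RE = re.compile(
    r"^\$(2[a-z]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def parse_roles(cqlsh_output):
    """Yield (role, salted_hash) from cqlsh's pipe-separated table output."""
    for line in cqlsh_output.splitlines():
        cells = [c.strip() for c in line.split("|")]
        # Data rows have 5 cells; the separator and blank lines do not.
        if len(cells) == 5 and cells[0] != "role":
            yield cells[0], cells[4]

def audit(cqlsh_output, min_cost=10):
    """Return sorted (role, finding) pairs; min_cost is a hypothetical policy."""
    findings, by_salt = [], defaultdict(list)
    for role, value in parse_roles(cqlsh_output):
        m = HASH_RE.match(value)
        if not m:
            findings.append((role, "unrecognized hash format"))
            continue
        _version, cost, salt, _digest = m.groups()
        if int(cost) < min_cost:
            findings.append((role, f"cost {int(cost)} below {min_cost}"))
        by_salt[salt].append(role)
    # A salt seen on more than one role means the salt was not random per user.
    for roles in by_salt.values():
        if len(roles) > 1:
            findings.extend(
                (r, "salt shared with " + ", ".join(x for x in roles if x != r))
                for r in roles)
    return sorted(findings)

def _row(role, superuser, salted_hash):
    return f" {role} | True | {superuser} | null | {salted_hash}"

# Constructed sample rows with placeholder hashes (not real credentials).
SAMPLE = "\n".join([
    " role | can_login | is_superuser | member_of | salted_hash",
    "------+-----------+--------------+-----------+------------",
    _row("cassandra", True, "$2a$10$" + "A" * 22 + "b" * 31),
    _row("test2", False, "$2a$10$" + "C" * 22 + "d" * 31),
    _row("legacy", False, "$2a$04$" + "A" * 22 + "e" * 31),
    _row("broken", False, "not-a-hash"),
])

if __name__ == "__main__":
    for role, finding in audit(SAMPLE):
        print(f"{role}: {finding}")
```
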