Internally stored passwords

Hyper-Converged Database (HCD) uses HCD Authenticator to validate user identity against all supported authentication schemes: Internal and LDAP. Specifically, the Internal authentication scheme stores credentials for a role internally. It is plain text authentication.

HCD uses the cassandra.yaml configuration settings to set up authentication schemes during initialization. Preconfigure the authenticator.parameters.enabled settings to true, toggling from the default of false. Ensure the authenticator.parameters.default_scheme is set to internal, which is the default. See Enable HCD authentication.

AdvancedAuthenticator is the default in the cassandra.yaml configuration file.

Each user account stored in HCD is a role with a login and password. The password is stored as a hash. See add database users.

For example, the following command shows how a password is stored for a default cassandra user:

select * from system_auth.roles where role = 'cassandra';
Sample results
 role      | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
 cassandra |      True |         True |      null | $2x$10$XXXXXxx2XxX6Xx532.8xX.xXxXxXxXX5xxxXXxOX3Xx1XxXX3xXX

The password hash uses a random salt to guarantee the password for each user is different. For example, create a user with a test2 role using the same password as the cassandra user. Run the command and compare the hashed passwords.

select * from system_auth.roles;
Sample results
 role      | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
test2      |      True |        False |      null | $2z$10$zzZzZ2zZZZz49zZZZzzZZzz4O/Z8Z4zzzzzzZZZZZzZZZZ22zzzZz
 cassandra |      True |         True |      null | $2x$10$XXXXXxx2XxX6Xx532.8xX.xXxXxXxXX5xxxXXxOX3Xx1XxXX3xXX

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com