Configure HCD Unified Authentication in a new clustser
Use this process to implement HCD Unified Authentication in a new deployment.
|
Only use this process for new deployments. For existing HCD deployments, see Configure HCD Unified Authentication in a live cluster. Additional steps and planning are required to avoid downtime when implementing Unified Authentication in a live cluster. |
-
Ensure that required data for logins and permission management are accessible and in all datacenters.
-
Configure the system settings.
-
Configuring authentication and authorization schemes:
-
Internally stored passwords: No additional configuration is required create internal roles with passwords.
-
External LDAP: See Define an LDAP scheme.
-
-
This requires changes to the
cassandra-env.shfornodetoolandhcdtoolto run against an authentication-enabled cluster.The location of this file depends on your installation type.
-
Package installations:
/etc/hcd/cassandra/cassandra-env.sh -
Tarball installations:
INSTALLATION_LOCATION/resources/cassandra/conf/cassandra-env.sh
-
-
Nodes are vulnerable to malicious activity following the restart. Anybody can access the system using the default
cassandraaccount with passwordcassandra. DataStax recommends isolating the cluster until you disable the defaultcassandraaccount. -
Set up your own root account and disable (or drop) the default
cassandraaccount.Nodes are vulnerable to malicious activity following this restart. Anybody can access the system using the default
cassandraaccount with passwordcassandra. DataStax recommends isolating the cluster until you disable thecassandraaccount.Additionally, using the default
cassandraaccount can impact performance because all requests, including login, execute with consistency levelQUORUM. DataStax recommends using thecassandraaccount only to create a new superuser (root) account. -
Create roles that map to users in the configured schemes, and grant permission to allow users access to database resources, such as keyspaces and tables.
-
After enabling authentication and authorization, you must provide credentials to run HCD tools, such as CQL shell and
nodetool.Make sure all applications use the latest version of a compatible Cassandra driver. Unsupported drivers and earlier versions don’t support Unified Authentication.
For Apache Spark™ component connections, HCD provides internal authentication support for connecting Spark to HCD nodes, but it doesn’t handle authentication between Spark components.