Configure HCD Unified Authentication in a new clustser

Use this process to implement HCD Unified Authentication in a new deployment.

Only use this process for new deployments.

For existing HCD deployments, see Configure HCD Unified Authentication in a live cluster. Additional steps and planning are required to avoid downtime when implementing Unified Authentication in a live cluster.

  1. Ensure that required data for logins and permission management are accessible and in all datacenters.

  2. Configure the system settings.

  3. Configuring authentication and authorization schemes:

  4. Configure JMX authentication.

    This requires changes to the cassandra-env.sh for nodetool and hcdtool to run against an authentication-enabled cluster.

    The location of this file depends on your installation type.

    • Package installations: /etc/hcd/cassandra/cassandra-env.sh

    • Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra-env.sh

  5. Restart HCD.

    Nodes are vulnerable to malicious activity following the restart. Anybody can access the system using the default cassandra account with password cassandra. DataStax recommends isolating the cluster until you disable the default cassandra account.

  6. Set up your own root account and disable (or drop) the default cassandra account.

    Nodes are vulnerable to malicious activity following this restart. Anybody can access the system using the default cassandra account with password cassandra. DataStax recommends isolating the cluster until you disable the cassandra account.

    Additionally, using the default cassandra account can impact performance because all requests, including login, execute with consistency level QUORUM. DataStax recommends using the cassandra account only to create a new superuser (root) account.

  7. Create roles that map to users in the configured schemes, and grant permission to allow users access to database resources, such as keyspaces and tables.

  8. After enabling authentication and authorization, you must provide credentials to run HCD tools, such as CQL shell and nodetool.

    Make sure all applications use the latest version of a compatible Cassandra driver. Unsupported drivers and earlier versions don’t support Unified Authentication.

    For Apache Spark™ component connections, HCD provides internal authentication support for connecting Spark to HCD nodes, but it doesn’t handle authentication between Spark components.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2026 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM