Configure authentication
What is authentication?
Authentication is the process of verifying the identity of a user or system. Usernames and passwords are the most common authentication factors. If a user enters the correct data, the system assumes the identity is valid and grants access.
Authentication protocols are an important part of database security. Mission Control supports several authentication and encryption features for Hyper-Converged Database (HCD), DataStax Enterprise (DSE), or Apache Cassandra® databases.
Enable authentication
Mission Control enables authentication by default.
Keep authentication enabled. Turning on authentication for an existing cluster can be challenging and might require downtime.
Authentication is controlled by the auth option in the spec section of the MissionControlCluster YAML specification file.
The auth option is set to true by default. While it can be toggled to false, that is not recommended.
apiVersion: k8ssandra.io/v1beta2
kind: MissionControlCluster
metadata:
  name: cluster1
spec:
  auth: true
  ...
With authentication enabled, Mission Control configures a new, default superuser for every Mission Control managed cluster.
From the example spec, the username is cluster1-superuser.
Mission Control disables and does not use the default superuser,
Unless a password is specified during cluster creation, Mission Control generates a random 20-character alphanumeric string as the default password.
These values are stored under the username and password keys within a secret named metadata.name-superuser.
You can override the default username and password by setting the spec.cassandra.superuserSecretRef property to an existing secret containing both the username and the password.
If your cluster name is cluster1, for example, retrieve the username and password using jq or jsonpath:
The following commands use jq to decode the base64-encoded values. You must have jq installed on your system to run these commands.
kubectl get secret CLUSTER_NAME-superuser -o json | jq -r '.data.username' | base64 --decode; echo
kubectl get secret CLUSTER_NAME-superuser -o json | jq -r '.data.password' | base64 --decode; echo
Replace CLUSTER_NAME with the name of your cluster.
If you don’t have jq installed, you can use the following commands:
kubectl get secret CLUSTER_NAME-superuser -o jsonpath='{.data.username}' | base64 --decode; echo
kubectl get secret CLUSTER_NAME-superuser -o jsonpath='{.data.password}' | base64 --decode; echo
Replace CLUSTER_NAME with the name of your cluster.
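The following is an added example, not part of the original page or of Mission Control itself: it builds a Secret that carries both the username and password keys, suitable for referencing from spec.cassandra.superuserSecretRef. The function names, the secret name cluster1-custom-superuser, and the username cluster1_admin are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not DataStax code. Function names and sample values are hypothetical.

# Random 20-character alphanumeric password, the same shape as the generated default.
# tr -dc discards unwanted bytes, so each kept character is chosen uniformly.
gen_password() {
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-20
}

# Print a Secret manifest with the username and password keys.
# Values sit under data: as base64, which is what the retrieval commands decode.
superuser_secret_manifest() {
  local name="$1" user="$2" pass="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
data:
  username: $(printf '%s' "$user" | base64 | tr -d '\n')
  password: $(printf '%s' "$pass" | base64 | tr -d '\n')
EOF
}

# Succeed only if the manifest on stdin has non-empty username AND password keys.
has_both_keys() {
  awk '$1 == "username:" && $2 != "" { u = 1 }
       $1 == "password:" && $2 != "" { p = 1 }
       END { exit !(u && p) }'
}

# Usage (constructed names): check the manifest, then apply it.
#   m="$(superuser_secret_manifest cluster1-custom-superuser cluster1_admin "$(gen_password)")"
#   printf '%s\n' "$m" | has_both_keys && printf '%s\n' "$m" | kubectl apply -f -
# Afterwards, point spec.cassandra.superuserSecretRef at cluster1-custom-superuser.
```

Because the manifest is piped to kubectl on stdin, the password never appears as a command-line argument of an external process.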
nodetool
When JMX authentication is enabled, you must specify the username and password options with nodetool, as follows:
nodetool -u USERNAME -pw PASSWORD status
Replace the following:
- USERNAME: The username value
- PASSWORD: The password value
If your cluster has client-to-node encryption enabled, configure nodetool to use TLS.
For more information, see Configure and use nodetool with TLS.
Mission Control UI access
Mission Control uses a connector-based system for authentication. LDAP and OIDC connectors are provided and recommended for production deployments. Static password authentication is supported as a fallback mechanism and for development environments.
DSE unified authentication
DSE Advanced Security provides a unified authentication and role management feature. This feature enables the integration of existing Kerberos, LDAP, and Active Directory users and schemes across DSE resources. For more information, see About DSE Advanced Security.
HCD unified authentication
HCD Advanced Security provides a unified authentication and role management feature. This feature enables the integration of existing LDAP users and schemes across HCD resources. For more information, see HCD security overview.
