Configure authentication
What is authentication?
Authentication is the process of verifying the identity of a user or system. Usernames and passwords are the most common authentication factors. If a user enters the correct data, the system assumes the identity is valid and grants access.
Authentication protocols are an important part of database security. Mission Control supports several authentication and encryption features for Hyper-Converged Database (HCD), DataStax Enterprise (DSE), or Apache Cassandra® databases.
Enable authentication
Mission Control enables authentication by default.
Keep authentication enabled. Turning on authentication for an existing cluster can be challenging and might require downtime.
The enabling option is set in the MissionControlCluster YAML specification file.
In its spec section, the auth option is set to true by default. While it can be toggled to false, that is not recommended.
apiVersion: k8ssandra.io/v1beta2
kind: MissionControlCluster
metadata:
  name: cluster1
spec:
  auth: true
  ...
With authentication enabled, Mission Control configures a new, default superuser for every Mission Control managed cluster.
From the example spec, the username is cluster1-superuser.
Mission Control disables and does not use the default superuser,
Unless specified during cluster creation, Mission Control generates a random 20-character alphanumeric string as the default password.
These values are stored under the username and password keys within a secret named metadata.name-superuser.
You can override the default username and password by setting the spec.cassandra.superuserSecretRef property to an existing secret containing both the username and the password.
If your cluster name is cluster1, for example, retrieve the username and password using jq or jsonpath:
The following commands use jq to decode the base64-encoded values. You must have jq installed on your system to run these commands.
kubectl get secret CLUSTER_NAME-superuser -o json | jq -r '.data.username' | base64 --decode; echo
kubectl get secret CLUSTER_NAME-superuser -o json | jq -r '.data.password' | base64 --decode; echo
Replace CLUSTER_NAME with the name of your cluster.
If you don't have jq installed, you can use the following commands:
kubectl get secret CLUSTER_NAME-superuser -o jsonpath='{.data.username}' | base64 --decode; echo
kubectl get secret CLUSTER_NAME-superuser -o jsonpath='{.data.password}' | base64 --decode; echo
Replace CLUSTER_NAME with the name of your cluster.
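The override and retrieval steps above both depend on a secret whose username and password keys hold base64-encoded values. The following script is an added example, not part of the Mission Control documentation: it builds such a Secret manifest offline and decodes it the same way the retrieval commands do. The secret name cluster1-custom-superuser, the user cluster1-admin, and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Mission Control docs). Secret and user names are constructed.

# Random alphanumeric password from the kernel CSPRNG; 20 characters by default.
gen_password() (
  len="${1:-20}"
  pw=$(head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$len")
  [ "${#pw}" -eq "$len" ] || { echo "could not gather $len characters" >&2; exit 1; }
  printf '%s' "$pw"
)

# Base64-encode exactly the given bytes. printf avoids the trailing newline that
# echo would add to the stored credential; tr removes base64 output line wraps.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Emit a Secret manifest with the username and password keys named on the page.
render_superuser_secret() (
  name="$1"; user="$2"; pass="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
data:
  username: $(b64 "$user")
  password: $(b64 "$pass")
EOF
)

# Decode one key from a manifest, mirroring the page's "base64 --decode" step.
secret_field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }' | base64 --decode
}

# Demo: generate, render, and confirm the password survives the round trip.
pw=$(gen_password) || exit 1
manifest=$(render_superuser_secret cluster1-custom-superuser cluster1-admin "$pw")
printf '%s\n' "$manifest"
if [ "$(secret_field "$manifest" password)" = "$pw" ]; then
  echo "round trip ok"
fi
```

Pipe the manifest to kubectl apply -f - rather than writing it to disk. Base64 is an encoding, not encryption, so read access to the secret should be limited with RBAC.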
nodetool
When JMX authentication is enabled, you must specify the username and password options with nodetool, as follows:
nodetool -u USERNAME -pw PASSWORD status
Replace the following:
- USERNAME: The username value
- PASSWORD: The password value
Mission Control user interface (UI) access
Mission Control uses a connector-based system for authentication. LDAP and OIDC connectors are provided and recommended for production deployments. Static password authentication is supported as a fallback mechanism and for development environments.
DSE unified authentication
DSE Advanced Security provides a unified authentication and role management feature. This feature enables the integration of existing Kerberos, LDAP, and Active Directory users and schemes across DSE resources. For more information, see About DSE Advanced Security.