Configure authentication

What is authentication?

Authentication is the act of validating that a user is who they claim to be. Usernames and passwords are the most common authentication factors. If a user enters the correct data, the system assumes the identity is valid and grants access.

Authentication protocols are an important part of database security. Mission Control supports several authentication and encryption features for Hyper-Converged Database (HCD), DataStax Enterprise (DSE), or Apache Cassandra® databases.

Enable authentication

Mission Control enables authentication by default.

Keep authentication enabled. Turning on authentication for an existing cluster can be challenging and might require downtime.

Authentication is controlled by the auth option in the spec section of the MissionControlCluster YAML specification file. The option is set to true by default. It can be set to false, but that is not recommended.

apiVersion: k8ssandra.io/betaV010
kind: MissionControlCluster
metadata:
  name: cluster1
spec:
  auth: true
  ...

With authentication enabled, Mission Control configures a new, default superuser for every Mission Control managed cluster.

From the example spec, the username is cluster1-superuser.

Mission Control disables and does not use the default superuser, cassandra.

Unless a password is specified during cluster creation, Mission Control generates a random alphanumeric string, 20 characters long, as the default password. The username and password are stored under the username and password keys within a secret named metadata.name-superuser (cluster1-superuser for the example spec).

You can override the default username and password by setting the spec.cassandra.superuserSecretRef property to an existing secret containing both the username and the password.

Retrieve the username and password as follows, replacing <CLUSTER_NAME> with your cluster name (cluster1 in the example):

kubectl get secret <CLUSTER_NAME>-superuser -o json | jq -r '.data.username' | base64 --decode; echo

kubectl get secret <CLUSTER_NAME>-superuser -o json | jq -r '.data.password' | base64 --decode; echo

| Parameter | Default | Description |
|---|---|---|
| CLUSTER_NAME | cluster1 | The cluster name value, set in the metadata section of the MissionControlCluster YAML specification file. |
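To supply your own credentials through spec.cassandra.superuserSecretRef, the referenced secret must carry both the username and password keys. The following is an added example, not taken from the Mission Control documentation: it builds such a Secret manifest offline and checks that both keys decode back to the intended values. The function names, the secret name my-superuser, and the username dba_admin are hypothetical.

```shell
#!/bin/sh
# Added example: build a superuser Secret manifest with the "username" and
# "password" keys that Mission Control reads, then verify the round trip.
# All names below are hypothetical; adjust them to your environment.

# 20 random alphanumeric characters, the same shape as the generated default.
gen_password() {
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 20
}

# Base64-encode a value on one line. This is encoding, not encryption:
# anyone allowed to read the Secret can recover the superuser password.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# args: secret name, username, password
render_superuser_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  username: $(b64 "$2")
  password: $(b64 "$3")
EOF
}

# Decode one key from a rendered manifest (args: manifest text, key name).
secret_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 --decode
}

# Usage: write the manifest readable only by its owner, then apply it in the
# cluster's namespace before pointing superuserSecretRef at it.
#   (umask 077; render_superuser_secret my-superuser dba_admin "$(gen_password)" > superuser.yaml)
#   kubectl apply -f superuser.yaml
```

Restrict read access to this secret with Kubernetes RBAC, and delete the local manifest file once it has been applied.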

nodetool

When JMX authentication is enabled, you must specify the username and password options with nodetool, as follows:

nodetool -u <username> -pw <password> status

Mission Control user interface (UI) access

Mission Control uses a connector-based system for authentication. LDAP and OIDC connectors are provided and recommended for production deployments. Static password authentication is supported as a fallback mechanism and for development environments.

DSE unified authentication

DSE Advanced Security provides a unified authentication and role management feature. This feature enables the integration of existing Kerberos, LDAP, and Active Directory users and schemes across DSE resources. For more information, see About DSE Advanced Security.

© 2024 DataStax