Authentication scheme limitations in LCM

Details about supported and unsupported authentication schemes and configurations when using LCM.

LCM authentication options in Config Profiles

Authentication options are set in the dse.yaml and cassandra.yaml files in LCM Config Profiles.

Lifecycle Manager requires internal as the default scheme in dse.yaml when used in conjunction with DSE Authenticator in cassandra.yaml.

DSE Authentication default scheme options

An alternative fully supported option is using AllowAllAuthenticator in cassandra.yaml.

LCM-supported authenticator options in cassandra.yaml

Adding LDAP or Kerberos as other_schemes in dse.yaml is allowed; however, LCM and OpsCenter ignore the additional schemes and use the internal cassandra user instead. Kerberos and LDAP other schemes work fine for DSE when appropriate roles are configured outside of OpsCenter and LCM.

Supported authentication other schemes in LCM

When authentication is enabled in a config profile, LCM prompts for credentials after the config profile is selected in the Edit Cluster dialog. See Editing a Cluster for more information.

LCM-compatible authentication schemes

To monitor the cluster and perform ongoing management activities, OpsCenter must be able to issue CQL queries against the cluster. LCM automatically configures the required access and is compatible with the following authentication scenarios:
  • Internal authentication only: The Edit Cluster dialog prompts for the information necessary to change the default password of the user named cassandra that is built into the Internal authentication scheme. LCM sets the password for this user as specified, and configures OpsCenter to use the password when accessing the cluster.
  • Internal authentication as the primary scheme with LDAP or Kerberos (or both) as optional schemes: LCM and OpsCenter behave as described above for internal authentication only, using the user named cassandra that is built into the Internal authentication scheme. LCM is unable to configure OpsCenter to access DSE using a username and password defined in LDAP or Kerberos; that LDAP or Kerberos configuration must be done directly in OpsCenter. Other DSE client applications can be configured externally to LCM and OpsCenter to access DSE using accounts defined in LDAP or Kerberos, and that usage can coexist with LCM and OpsCenter accessing DSE using the user account named 'cassandra' that is built into the internal authentication scheme.
  • Authentication disabled: Running DSE with authentication disabled is not recommended without appropriate network access controls in place; however, LCM does support configuring OpsCenter to access a DSE cluster that has authentication disabled (AllowAllAuthenticator authenticator option in cassandra.yaml).
Warning: If any form of authentication is enabled, and the Internal scheme is not set as the primary scheme, then LCM install jobs fail when attempting to change the password for the user named cassandra that is built into the internal authentication scheme. As a result, LCM fails to register the cluster with OpsCenter.

Unsupported authentication scenarios

The following configurations are not supported:
  • LDAP authentication in cassandra.yaml instead of DSE authentication. DSE authentication with LDAP as the default scheme also fails.
  • Kerberos in cassandra.yaml instead of DSE authentication. DSE authentication with Kerberos as the default scheme also fails.
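
The supported and unsupported scenarios above can be checked before an install job is run. The following is an added example, not DataStax or LCM code: the function name and verdict strings are hypothetical, the two files are assumed to be already parsed into dictionaries, and the sample settings in the test calls are constructed.

```python
# Added example: evaluate parsed cassandra.yaml / dse.yaml settings against
# the LCM compatibility rules listed on this page. Names are hypothetical.
SUPPORTED, UNSUPPORTED = "supported", "unsupported"


def check_lcm_auth(cassandra_yaml, dse_yaml):
    """Return (verdict, notes) for one config profile.

    Raises KeyError if cassandra.yaml has no 'authenticator' key.
    """
    notes = []
    # Compare on the short class name so fully qualified names also match.
    authenticator = str(cassandra_yaml["authenticator"]).rsplit(".", 1)[-1]

    if authenticator == "AllowAllAuthenticator":
        # Supported, but only advisable behind network access controls.
        notes.append("authentication disabled: restrict network access to DSE")
        return SUPPORTED, notes

    if authenticator != "DseAuthenticator":
        # LDAP or Kerberos configured directly in cassandra.yaml.
        notes.append(f"{authenticator} in cassandra.yaml is not supported by LCM")
        return UNSUPPORTED, notes

    opts = dse_yaml.get("authentication_options") or {}
    # Assumption: an omitted default_scheme is treated as internal.
    default = str(opts.get("default_scheme", "internal")).lower()
    if default != "internal":
        notes.append(
            f"default_scheme '{default}': the install job fails changing the "
            "cassandra password and the cluster is not registered with OpsCenter"
        )
        return UNSUPPORTED, notes

    # Extra schemes are allowed, but LCM and OpsCenter do not use them.
    extra = [s for s in (opts.get("other_schemes") or [])
             if str(s).lower() in ("ldap", "kerberos")]
    if extra:
        notes.append(
            "other_schemes " + ", ".join(map(str, extra)) + " ignored by LCM and "
            "OpsCenter, which use the internal cassandra user"
        )
    return SUPPORTED, notes


if __name__ == "__main__":
    # Constructed sample profile: internal primary scheme with LDAP as an extra.
    cass = {"authenticator": "com.datastax.bdp.cassandra.auth.DseAuthenticator"}
    dse = {"authentication_options": {"enabled": True,
                                      "default_scheme": "internal",
                                      "other_schemes": ["ldap"]}}
    print(check_lcm_auth(cass, dse))
```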