Enabling DSE Unified Authentication

Steps to enable and configure DSE Unified Authentication.

DSE Unified Authentication provides connectivity to three primary backend authentication and authorization services:
  • DSE Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and Kerberos authentication.
  • DSE Role Manager: Assigns roles either by mapping user names to role names or by looking up group membership in LDAP and mapping the group names to role names.
  • DSE Authorizer: Provides access control for database objects.

By default, DSE Authenticator and DSE Authorizer are disabled. Authenticators other than DSE Authenticator are not supported.

OpsCenter also supports LDAP configuration for authenticating users.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
  • Package installations and Installer-Services installations: /etc/dse/cassandra/cassandra.yaml
  • Tarball installations and Installer-No Services installations: installation_location/resources/cassandra/conf/cassandra.yaml

dse.yaml

The location of the dse.yaml file depends on the type of installation:
  • Package installations and Installer-Services installations: /etc/dse/dse.yaml
  • Tarball installations and Installer-No Services installations: installation_location/resources/dse/conf/dse.yaml

Prerequisites

Complete the following procedures before enabling authentication:

Procedure

Apply the following updates to each node:

  1. In the cassandra.yaml file, verify that DSE Unified Authentication and Authorization features are configured:
    1. Verify that authenticator is set to DseAuthenticator.
      authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
    2. Verify that authorizer is set to DseAuthorizer.
      authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
    3. Verify that role_manager is set to DseRoleManager.
      role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
    4. If you are setting row-level permissions with RLAC, tune these security-related cache settings:
      permissions_validity_in_ms: 2000
      permissions_update_interval_in_ms: 2000
      permissions_cache_max_entries: 1000
  2. In the dse.yaml file, configure the corresponding options:
    1. Configure the DSE Authenticator by uncommenting the authentication_options and changing the settings.
      # authentication_options:
      #     enabled: false
      #     default_scheme: internal
      #     allow_digest_with_kerberos: true
      #     plain_text_without_ssl: warn
      #     transitional_mode: disabled
      #     other_schemes:
      #     scheme_permissions: false

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required settings. Enable DSE Authenticator and select a scheme:
            enabled: true
            default_scheme: internal
        Note: If you plan to use only LDAP or Kerberos, include the internal scheme in other_schemes to allow access to the default cassandra account and complete the initial set up.
        Table 1. Required authentication_options
        enabled: Turns on authentication using the default scheme.
        default_scheme: Specifies the authentication scheme to use when the connection does not define one:
          • internal - Basic authentication using an internal login role with a password; supply the role name and password as credentials. No additional configuration is required.
          • ldap - Plain text authentication using pass-through LDAP authentication. See Defining an LDAP scheme.
          • kerberos - GSSAPI authentication using the Kerberos authenticator. See Defining a Kerberos scheme.
      • Optional settings:
            other_schemes:
              - kerberos
              - ldap
            scheme_permissions: false
            allow_digest_with_kerberos: false
            plain_text_without_ssl: warn
            transitional_mode: disabled
        Warning: scheme_permissions requires EXECUTE permission on the selected scheme. Do not enable this option until after configuring your own root account.
        Table 2. Optional authentication_options
        other_schemes: Important: You cannot use other_schemes with DSE components that use Thrift, such as CFS and the CassandraHiveMetastore in Analytics datacenters. Only the default_scheme is used with components that use Thrift drivers.
        scheme_permissions: Validates that the role mapped to the user matches the authentication scheme. Grant the role permission to the scheme.
        allow_digest_with_kerberos: Allows Kerberos digest-md5 authentication.
        plain_text_without_ssl: Handling of plain text connection requests:
          • block - Block the request with an authentication error.
          • warn - Log a warning about the request but allow it to continue. Default.
          • allow - Allow the request without any warning.
        transitional_mode: Allows access to the database using the anonymous role:
          • permissive - Allow all connections that provide credentials. Maps authenticated superusers to their role AND maps all other users to anonymous.
          • normal - Allow all connections that provide credentials. Maps all authenticated users to their role AND maps all other connections to anonymous.
          • strict - Allow only authenticated connections that map to a login-enabled role OR connections that provide a blank username and password as anonymous.
    2. Configure the DSE Role Manager by uncommenting role_management_options and setting the mode:
      # role_management_options:
      #    mode: internal

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      Table 3. Role Management Modes
      internal: Assigns the user name supplied by the authenticator a role that matches the user name (1-to-1 mapping).
      ldap: Looks up the user name in LDAP using the ldap scheme and gets its group membership, then assigns all roles that match a group name (1-to-many mapping).
      Note: When using Kerberos authentication, identify users by their email address in the LDAP search. The Kerberos realm must match the domain in the email address.
    3. Configure the DSE Authorizer by uncommenting the authorization_options and changing the settings.
      # authorization_options:
      #     enabled: false
      #     transitional_mode: disabled
      #     allow_row_level_security: false

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required settings. Enable the authorizer:
            enabled: true
      • Optional settings:
            transitional_mode: normal
            allow_row_level_security: true
      Table 4. authorization_options
      enabled: Enables the use of DSE Authorizer for role-based access control (RBAC).
      transitional_mode: Allows the DSE Authorizer to operate in a temporary transitional mode during setup of authorization in a cluster. Set to one of the following values:
        • disabled - Transitional mode is disabled.
        • normal - Permissions can be passed to resources, but are not enforced.
        • strict - Permissions can be passed to resources and are enforced on authenticated users. Permissions are not enforced against anonymous users.
      allow_row_level_security: Default: false. True enables row-level access control (RLAC) permissions; use the same setting on all nodes.
  3. Configure selected authentication scheme options:
    Warning: For DSE to start, the external service referenced in the kerberos_options and/or ldap_options must be accessible. If you are not using Kerberos-based authentication, comment out the kerberos_options.
  4. Set up JMX authentication to allow nodetool and dsetool operations, see Enabling DSE Unified Authentication.
  5. Restart DSE, see Starting DataStax Enterprise as a service or Starting DataStax Enterprise as a stand-alone process.
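As an added check that is not part of the DataStax documentation, the following Python audits one node's parsed cassandra.yaml and dse.yaml against the settings in the procedure above. It assumes both files have already been loaded into dicts (for example with PyYAML's yaml.safe_load); the sample node configs are constructed.

```python
# Added example (not from the DataStax docs): audit one node's parsed cassandra.yaml
# and dse.yaml against the checklist above. Inputs are plain dicts (what a YAML
# loader such as yaml.safe_load() returns); the sample configs below are constructed.

AUTH_CLASS = "com.datastax.bdp.cassandra.auth.DseAuthenticator"
AUTHZ_CLASS = "com.datastax.bdp.cassandra.auth.DseAuthorizer"
ROLE_MGR_CLASS = "com.datastax.bdp.cassandra.auth.DseRoleManager"

def audit_auth(cassandra_yaml, dse_yaml):
    """Return a list of findings for one node; an empty list means it passes."""
    findings = []
    for key, want in (("authenticator", AUTH_CLASS), ("authorizer", AUTHZ_CLASS),
                      ("role_manager", ROLE_MGR_CLASS)):
        if cassandra_yaml.get(key) != want:
            findings.append(f"cassandra.yaml: {key} must be {want}")
    auth = dse_yaml.get("authentication_options") or {}
    if not auth.get("enabled", False):
        findings.append("dse.yaml: authentication_options.enabled is not true")
    # An empty 'other_schemes:' key loads as None, hence the 'or []'.
    schemes = [auth.get("default_scheme", "internal")] + list(auth.get("other_schemes") or [])
    # Without the internal scheme the default cassandra account cannot log in
    # to finish the initial set-up.
    if "internal" not in schemes:
        findings.append("dse.yaml: add internal to other_schemes for the initial set-up")
    if auth.get("transitional_mode", "disabled") != "disabled":
        findings.append("dse.yaml: authentication transitional_mode is not disabled")
    if auth.get("plain_text_without_ssl", "warn") == "allow":
        findings.append("dse.yaml: plain_text_without_ssl=allow permits unwarned cleartext logins")
    # DSE will not start if kerberos_options references an unreachable service, so
    # the block should stay commented out when kerberos is not a configured scheme.
    if "kerberos_options" in dse_yaml and "kerberos" not in schemes:
        findings.append("dse.yaml: kerberos_options present but kerberos scheme unused")
    authz = dse_yaml.get("authorization_options") or {}
    if not authz.get("enabled", False):
        findings.append("dse.yaml: authorization_options.enabled is not true")
    if authz.get("transitional_mode", "disabled") != "disabled":
        findings.append("dse.yaml: authorization transitional_mode is not disabled")
    return findings

# Constructed node configs: one at shipped defaults, one hardened per the steps above.
SHIPPED_CASSANDRA = {"authenticator": "AllowAllAuthenticator"}
SHIPPED_DSE = {}  # authentication_options and authorization_options still commented out
HARDENED_CASSANDRA = {"authenticator": AUTH_CLASS, "authorizer": AUTHZ_CLASS,
                      "role_manager": ROLE_MGR_CLASS}
HARDENED_DSE = {"authentication_options": {"enabled": True, "default_scheme": "ldap",
                                           "other_schemes": ["internal"]},
                "role_management_options": {"mode": "ldap"},
                "authorization_options": {"enabled": True, "allow_row_level_security": True}}
```

Run audit_auth on every node's pair of files before the restart in step 5; a node that reports no findings has the three cassandra.yaml classes set and both DSE Authenticator and DSE Authorizer enabled without a lingering transitional mode.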

What's next

After restarting DSE, log into CQL shell and complete the set up: