Implementing DSE Unified Authentication

Steps for implementing DSE Unified Authentication in a new deployment.

High-level steps for implementing DSE Unified Authentication in a new deployment.
Warning: To implement authentication and authorization in an already established DSE environment additional precautions and steps are required, see Implementing without downtime in production.

Procedure

To configure DSE Unified Authentication:
  1. Setting security keyspaces replication factors: Ensure that required data for logins and permission management are accessible and in all datacenters.
  2. Enabling DSE Unified Authentication: By default DSE Unified Authentication is disabled.
  3. Configuring authentication and authorization methods (schemes):
  4. Enabling DSE Unified Authentication: Requires changes to the cassandra-env.sh for nodetool and dsetool to run against an authentication enabled cluster.
  5. Restart DSE, see Starting and stopping .
    CAUTION: Nodes are vulnerable to malicious activity following the restart. Anybody can access the system using the default cassandra account with password cassandra. DataStax recommends isolating the cluster until after disabling the cassandra account.
  6. Set up your own root account and disable or drop the default, cassandra account, see Creating superuser accounts.
    Note: Using the default cassandra account may impact performance, all requests including login execute with consistency level QUORUM. DataStax recommends only using this account to create your root account.
  7. Create roles that map to users in the configured schemes and grant permission to allow users access to database resources, such as keyspaces and tables, see Managing roles
    Important:
    • Use the latest DataStax certified drivers in all applications connecting to transactional nodes that have DSE Unified Authentication enabled. DSE drivers support all the features of the Cassandra drivers and provide additional support for multiple authentication methods as well as externally managed roles assignment, see DataStax drivers.
    • Spark component limitations: DataStax Enterprise provides internal authentication support for connecting Spark to DSE transactional nodes, not for authenticating Spark components between each other.

task_postreq

After enabling authentication and authorization, you only run tools by supplying credentials: