Configuring DataStax Enterprise for Kerberos authentication

Add the options to the DSE configuration files to enable Kerberos authentication.

The cassandra.yaml and dse.yaml files must be edited on each node to enable Kerberos authentication. Add the Kerberos authenticator to cassandra.yaml and add the Kerberos options to dse.yaml.

The location of the dse.yaml file depends on the type of installation:

    Installer-Services       /etc/dse/dse.yaml
    Package installations    /etc/dse/dse.yaml
    Installer-No Services    install_location/resources/dse/conf/dse.yaml
    Tarball installations    install_location/resources/dse/conf/dse.yaml

The location of the cassandra.yaml file depends on the type of installation:

    Package installations    /etc/dse/cassandra/cassandra.yaml
    Tarball installations    install_location/resources/cassandra/conf/cassandra.yaml

Procedure

  1. On each node, edit the cassandra.yaml file to set the authenticator to com.datastax.bdp.cassandra.auth.KerberosAuthenticator.
    authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
  2. Make sure the rpc_address and listen_address options in cassandra.yaml are set to the IP address or hostname that matches the hostname in DNS, not localhost.
    rpc_address: 1.2.3.4
    listen_address: 1.2.3.4
  3. On each node, edit the dse.yaml file and enter the correct Kerberos options to enable authentication.

    The options are located in the kerberos_options section.

    kerberos_options:
       keytab: /etc/dse/dse.keytab
       service_principal: cassandra/_HOST@EXAMPLE.COM
       http_principal: HTTP/_HOST@EXAMPLE.COM
       qop: auth

    The _HOST variable can be left as is in dse.yaml; DSE replaces it with the correct hostname.
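A pre-restart check for steps 1 to 3, as an added example (not DataStax code). The names `parse_flat_yaml` and `check_kerberos_config` are hypothetical, the parser handles only the simple `key: value` layout shown above, and the check does not verify DNS resolution or the keytab file itself.

```python
import re

KERBEROS_AUTH = "com.datastax.bdp.cassandra.auth.KerberosAuthenticator"
LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}
PRINCIPAL = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")  # name/host@REALM

def parse_flat_yaml(text):
    """Parse the simple 'key: value' subset shown on this page (not full YAML).
    Keys indented under a valueless parent are stored as 'parent.key'."""
    result, parent = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if ":" not in line:
            continue
        key, value = (p.strip().strip("'\"") for p in line.split(":", 1))
        if line[0].isspace() and parent:
            result[f"{parent}.{key}"] = value
        else:
            parent = None if value else key
            result[key] = value
    return result

def check_kerberos_config(cassandra_yaml, dse_yaml):
    """Return findings for steps 1-3; an empty list means all checks passed."""
    cass, dse = parse_flat_yaml(cassandra_yaml), parse_flat_yaml(dse_yaml)
    findings = []
    if cass.get("authenticator") != KERBEROS_AUTH:
        findings.append("authenticator is not KerberosAuthenticator")
    for opt in ("rpc_address", "listen_address"):
        if cass.get(opt, "").lower() in LOOPBACK:
            findings.append(f"{opt} is unset or loopback")
    for opt in ("keytab", "qop"):
        if not dse.get(f"kerberos_options.{opt}"):
            findings.append(f"kerberos_options.{opt} is missing")
    for opt in ("service_principal", "http_principal"):
        if not PRINCIPAL.match(dse.get(f"kerberos_options.{opt}", "")):
            findings.append(f"kerberos_options.{opt} is not name/host@REALM")
    return findings

# Constructed sample files: GOOD mirrors the values on this page, BAD is made up.
GOOD_CASSANDRA = ("authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator\n"
                  "rpc_address: 1.2.3.4\nlisten_address: 1.2.3.4\n")
GOOD_DSE = ("kerberos_options:\n   keytab: /etc/dse/dse.keytab\n"
            "   service_principal: cassandra/_HOST@EXAMPLE.COM\n"
            "   http_principal: HTTP/_HOST@EXAMPLE.COM\n   qop: auth\n")
BAD_CASSANDRA = "authenticator: AllowAllAuthenticator\nrpc_address: localhost\n"
BAD_DSE = "kerberos_options:\n   keytab: /etc/dse/dse.keytab\n   qop: auth\n"

if __name__ == "__main__":
    for name, c, d in (("good", GOOD_CASSANDRA, GOOD_DSE), ("bad", BAD_CASSANDRA, BAD_DSE)):
        print(name, check_kerberos_config(c, d) or "OK")
```

Run it against the text of each node's cassandra.yaml and dse.yaml before restarting DSE; a node left on a loopback address or a non-Kerberos authenticator shows up as a finding.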

What's next

To test your configuration, configure cqlsh to use Kerberos authentication as described in the DataStax Enterprise documentation and connect to your cluster.