Steps for new deployment
How to enable DSE Unified Authentication on a new deployment.
Warning: To implement authentication and authorization in an
already established DSE environment, additional precautions and steps are required. See
Steps for production environments.
cassandra-env.sh
The location of the cassandra-env.sh file depends on the type of installation:Package installations | /etc/dse/cassandra/cassandra-env.sh |
Tarball installations | installation_location/resources/cassandra/conf/cassandra-env.sh |
Procedure
To configure DSE Unified Authentication:
- Ensure that required data for logins and permission management are accessible and in all datacenters. See Configuring the security keyspaces replication factors.
- Configure the system settings. See Enabling DSE Unified Authentication.
-
Configuring authentication and authorization methods (schemes):
- Internally stored passwords. No additional configuration is required create roles with passwords as described in Setting up logins and users.
- External LDAP. See Defining an LDAP scheme.
- Kerberos. See Defining a Kerberos scheme.
-
Configuring JMX authentication: Requires changes to the
cassandra-env.sh
fornodetool
anddsetool
to run against an authentication enabled cluster. -
Restart DSE. See .
CAUTION: Nodes are vulnerable to malicious activity following the restart. Anybody can access the system using the default cassandra account with password cassandra. DataStax recommends isolating the cluster until after disabling the cassandra account.
-
Set up your own root account and disable or drop the default, cassandra account. See
Adding a superuser login.
Note: Using the default cassandra account may impact performance, because all requests including login execute with consistency level QUORUM. DataStax recommends only using this account to create your root account.
-
Create roles that map to users in the configured schemes and grant permission to allow
users access to database resources, such as keyspaces and tables. See Setting up logins and users.
Important:
- Use the latest DataStax certified drivers in all applications connecting to DSE Unified Authentication-enabled transactional nodes. DSE drivers support all the features of the Cassandra drivers and provide additional support for multiple authentication methods as well as externally managed roles assignment. See DataStax drivers.
- Spark component limitations: DataStax Enterprise provides internal authentication support for connecting Spark to DSE transactional nodes, not for authenticating between Spark components.
What's next
After enabling authentication and authorization, run tools by supplying credentials: